
Security Advisory Moderate: httpd and httpd22 security and enhancement update

Advisory: RHSA-2010:0396-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-05-05
Last updated on: 2010-05-05
Affected Products: JBoss Enterprise Web Server v1 EL4
JBoss Enterprise Web Server v1 EL5
CVEs (cve.mitre.org): CVE-2010-0408
CVE-2010-0434

Details

Updated httpd and httpd22 packages that fix two security issues and add one
enhancement are now available for JBoss Enterprise Web Server 1.0.1 for Red
Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

It was discovered that mod_proxy_ajp incorrectly returned an "Internal
Server Error" response when processing certain malformed requests, which
caused the back-end server to be marked as failed in configurations where
mod_proxy is used in load balancer mode. A remote attacker could cause
mod_proxy to not send requests to back-end AJP (Apache JServ Protocol)
servers for the retry timeout period (60 seconds by default) by sending
specially-crafted requests. (CVE-2010-0408)

A use-after-free flaw was discovered in the way the Apache HTTP Server
handled request headers in subrequests. In configurations where subrequests
are used, a multithreaded MPM (Multi-Processing Module) could possibly leak
information from other requests in request replies. (CVE-2010-0434)

This update also adds the following enhancement:

* with the updated openssl packages from RHSA-2010:0162 or RHSA-2010:0163
installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an
unpatched client that does not support RFC 5746 (the TLS Renegotiation
Indication Extension). This update adds the "SSLInsecureRenegotiation"
configuration directive. If this directive is enabled, mod_ssl will
renegotiate insecurely with unpatched clients. Leave it at its default
(off) unless a legacy client genuinely cannot be updated: enabling it
reintroduces the renegotiation weakness that RFC 5746 was written to close,
so treat it as a temporary compatibility measure, not a permanent setting.

Refer to the following Red Hat Knowledgebase article for more details about
the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491

All users of JBoss Enterprise Web Server 1.0.1 should upgrade to these
updated packages, which contain backported patches to correct these issues
and add this enhancement. After installing the updated packages, Red Hat
Enterprise Linux 4 users must restart the httpd22 service, and Red Hat
Enterprise Linux 5 users must restart the httpd service, for the update to
take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Web Server v1 EL4

SRPMS:
httpd22-2.2.14-11.jdk6.ep5.el4.src.rpm
File outdated by:  RHSA-2011:1329
    MD5: 7ea7a9a14937f4c1c316d00df7d97cf8
SHA-256: e34d33454fec6a7f184b9c5b702a5811341adb96c328b0d7079a6e0623a9ed92
 
IA-32:
httpd22-2.2.14-11.jdk6.ep5.el4.i386.rpm
File outdated by:  RHSA-2011:1329
    MD5: 86aa1b3f2bc93372bb47325a5a2fa2bc
SHA-256: c8ac829126f28f3d2d9bc16374c5b7e42caa1a84962b8b3ed61b8e255fe3983e
httpd22-apr-2.2.14-11.jdk6.ep5.el4.i386.rpm
File outdated by:  RHSA-2011:1329
    MD5: 96571e5dda2422d12e7388741a428f88
SHA-256: 8e9daa2c0fac69449f8426761a75ff190aa3905001428a29fd2b865a3203f375
httpd22-apr-devel-2.2.14-11.jdk6.ep5.el4.i386.rpm
File outdated by:  RHSA-2011:1329
    MD5: ead9b6ed19ccf1decd41aebb6fd74df5
SHA-256: ce55bfdad4147e3401172b781883abb077c85a535a5326e5d328c88b8d709a1f
httpd22-apr-util-2.2.14-11.jdk6.ep5.el4.i386.rpm
File outdated by:  RHSA-2011:1329
    MD5: dfe4d444e2dedd3f6bf22a0e33a15543
SHA-256: c9c80479ad84648d49ae2749aaa5f818132ac11e696a4f13f6ea960d6eb98a68
httpd22-apr-util-devel-2.2.14-11.jdk6.ep5.el4.i386.rpm
File outdated by:  RHSA-2011:1329
    MD5: a287e267f8c227d4b3e3092c028ace0b
SHA-256: 85692fa08966b9019c084f4b9608877cf7c673929a71719d7e8e4a66a7b3e52c
httpd22-devel-2.2.14-11.jdk6.ep5.el4.i386.rpm
File outdated by:  RHSA-2011:1329
    MD5: 5892231a403c6925c551bd415b9aee8d
SHA-256: 21b471af9a8d922301152fc1acaf2e89b9fec04f5e7f7b0546e665dca6253201
httpd22-manual-2.2.14-11.jdk6.ep5.el4.i386.rpm
File outdated by:  RHSA-2011:1329
    MD5: f8de7b422f839bb4bbb368487ca62e6b
SHA-256: 0884c0d4d6be98d8727eec05d28ca8aec0851a4ba07ec6d40e25d4e7fe802a83
mod_ssl22-2.2.14-11.jdk6.ep5.el4.i386.rpm
File outdated by:  RHSA-2011:1329
    MD5: d3796d12c4eab8bc6bfcc364764552fd
SHA-256: 5327edb482d9ea2fcfc03d83fc0aefb60a8b89ecdf512eb08164a561ab5a9047
 
x86_64:
httpd22-2.2.14-11.jdk6.ep5.el4.x86_64.rpm
File outdated by:  RHSA-2011:1329
    MD5: ea202c7657969c85f4cbf6f54c9e10f1
SHA-256: 2326dbdabbfc27e94391eea892226ed8e60d7f5fa22bc2bc34d91fd6725226a0
httpd22-apr-2.2.14-11.jdk6.ep5.el4.x86_64.rpm
File outdated by:  RHSA-2011:1329
    MD5: e69d1463294d9a19ca5da4d8552177d5
SHA-256: 70827295e6b29f0a89b3dd8f5e13b2b82c58d26a8b61f1225dd1ef73e4a2360f
httpd22-apr-devel-2.2.14-11.jdk6.ep5.el4.x86_64.rpm
File outdated by:  RHSA-2011:1329
    MD5: 3ef43ce15e9dc81fd9e3502a4468b03e
SHA-256: c487a04b1e6db13e09eebbf948202afa08d22458d51c3f697c310a23f7bddd6b
httpd22-apr-util-2.2.14-11.jdk6.ep5.el4.x86_64.rpm
File outdated by:  RHSA-2011:1329
    MD5: de6e964fe048882540d7c7267b97b0e8
SHA-256: c567d9e7e35a2ff904c1b868aa963af8528615d6b7b43264927b88fe5cf62220
httpd22-apr-util-devel-2.2.14-11.jdk6.ep5.el4.x86_64.rpm
File outdated by:  RHSA-2011:1329
    MD5: 685f16622394779f444ccf0d717f41a5
SHA-256: 901fa44269cc10b43d493579a56de8862e355210f71e77dded93ce499602126b
httpd22-devel-2.2.14-11.jdk6.ep5.el4.x86_64.rpm
File outdated by:  RHSA-2011:1329
    MD5: 636d45ee97cefd86044d78dd94ff07b7
SHA-256: b6912d358d0f48ee9e2ca4be4d9b31476aaa2fa9a59af269172e93ec33024a0d
httpd22-manual-2.2.14-11.jdk6.ep5.el4.x86_64.rpm
File outdated by:  RHSA-2011:1329
    MD5: c282a24390cf39ee1a6da429030c3d88
SHA-256: ee082be6d9fe29e3bf823c9cc11885962a3c7b029cc59885cd992546208f9b36
mod_ssl22-2.2.14-11.jdk6.ep5.el4.x86_64.rpm
File outdated by:  RHSA-2011:1329
    MD5: 6ef5ec36456731e75551db2f8a19a9de
SHA-256: 2779c4e36f5e86a59da7036a394a32e1baf29b0659ed1d9dfc8713cefc765e76
 
JBoss Enterprise Web Server v1 EL5

SRPMS:
httpd-2.2.14-1.2.6.jdk6.ep5.el5.src.rpm
File outdated by:  RHSA-2012:0542
    MD5: 93c4ee01b20089782e6dc24cc63027a8
SHA-256: 9fdd9564f6b8023014faa58df38eaae9f4fb800f9b75e8945ad71ec2c5175628
 
IA-32:
httpd-2.2.14-1.2.6.jdk6.ep5.el5.i386.rpm
File outdated by:  RHSA-2012:0542
    MD5: 5a4235b476d88e4dd8d655b5a36bc79c
SHA-256: 671b27901f31af49d042d72117f33abb726595aec353882488f11127064f0325
httpd-devel-2.2.14-1.2.6.jdk6.ep5.el5.i386.rpm
File outdated by:  RHSA-2012:0542
    MD5: 34695125cd22cadb3319a88547065774
SHA-256: 842a5afb4a52c44b70c594c406aa26b712b5b1d3816b2dd2858d03c03b47e319
httpd-manual-2.2.14-1.2.6.jdk6.ep5.el5.i386.rpm
File outdated by:  RHSA-2012:0542
    MD5: 4376e7a005c785a3f891afff8268163c
SHA-256: 76d6703c8f445cd270a2c3e88a2ffa71b1a935c6e79ce5430b6447370702b711
mod_ssl-2.2.14-1.2.6.jdk6.ep5.el5.i386.rpm
File outdated by:  RHSA-2012:0542
    MD5: 6f5a6aef34973dbeb4a4da88e9f8440e
SHA-256: a7c400578ba1cdb8e80955abb75f99b3aa03a2166a1f2064aac2de557a0205a0
 
x86_64:
httpd-2.2.14-1.2.6.jdk6.ep5.el5.x86_64.rpm
File outdated by:  RHSA-2012:0542
    MD5: ed72efe7bc257cfb06e29062d97a0149
SHA-256: 21459f5c9819e10e951eea7e812af6cd00729d7a3cf280cf8767c6b985ea68bd
httpd-devel-2.2.14-1.2.6.jdk6.ep5.el5.x86_64.rpm
File outdated by:  RHSA-2012:0542
    MD5: 323b0e20b88dfb4ee35b33b8ebd39033
SHA-256: 29136c870d3fc2126de8f678b0ce2b377d6aa29bd8d870449d45435661eadcf2
httpd-manual-2.2.14-1.2.6.jdk6.ep5.el5.x86_64.rpm
File outdated by:  RHSA-2012:0542
    MD5: b7951d0e89ed403b93046d7d9e13b0d4
SHA-256: a7d14c676cffde88dbfb281393c4001a6770c7682122c4d557b10efcdab335a7
mod_ssl-2.2.14-1.2.6.jdk6.ep5.el5.x86_64.rpm
File outdated by:  RHSA-2012:0542
    MD5: dcd8bb441afebe3a14e9e9d9ea8a42a6
SHA-256: 5aa773b7f850a9624709fd31b57c68a961cec259ac082a4af058363384795cc7
 
(The unlinked packages above are only available from the Red Hat Network)
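The package list above gives an MD5 and a SHA-256 for every file. An added example (mine, not a Red Hat tool) of checking downloaded RPMs against it: the parser reads the advisory's own layout (package name line, optional "File outdated by" line, MD5 line, SHA-256 line), and the verifier deliberately makes the SHA-256 decisive, reporting the MD5 match only for information, since MD5 collisions are practical and the digest should not be trusted on its own. The excerpt is copied from the EL5 x86_64 entries above; the function names and the chunk size are my choices.

```python
import hashlib
import re

# Excerpt of the advisory's "Updated packages" list (EL5 x86_64 entries above),
# embedded so the example runs offline; a real run would paste the whole list.
ADVISORY_EXCERPT = """\
mod_ssl-2.2.14-1.2.6.jdk6.ep5.el5.x86_64.rpm
File outdated by:  RHSA-2012:0542
    MD5: dcd8bb441afebe3a14e9e9d9ea8a42a6
SHA-256: 5aa773b7f850a9624709fd31b57c68a961cec259ac082a4af058363384795cc7
httpd-2.2.14-1.2.6.jdk6.ep5.el5.x86_64.rpm
File outdated by:  RHSA-2012:0542
    MD5: ed72efe7bc257cfb06e29062d97a0149
SHA-256: 21459f5c9819e10e951eea7e812af6cd00729d7a3cf280cf8767c6b985ea68bd
"""

_HASH_LINE = re.compile(r"^\s*(MD5|SHA-256):\s*([0-9a-fA-F]+)\s*$")


def parse_package_list(text):
    """Return {filename: {"MD5": hex, "SHA-256": hex}} from advisory text."""
    expected = {}
    current = None
    for line in text.splitlines():
        m = _HASH_LINE.match(line)
        if m:
            if current is None:
                raise ValueError("hash line before any package name")
            expected[current][m.group(1)] = m.group(2).lower()
        elif line.strip().endswith(".rpm"):
            current = line.strip()
            expected.setdefault(current, {})
        # architecture headers and "File outdated by" lines are skipped
    return expected


def digests(data):
    """MD5 and SHA-256 of an in-memory byte string."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA-256": hashlib.sha256(data).hexdigest()}


def digests_of_file(path, chunk_size=1 << 20):
    """Same as digests() but streamed, so a large RPM is not read into memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA-256": sha.hexdigest()}


def judge(actual, expected):
    """SHA-256 decides; a missing SHA-256 or a mismatch means not OK."""
    sha_ok = "SHA-256" in expected and actual["SHA-256"] == expected["SHA-256"]
    md5_ok = expected.get("MD5") == actual["MD5"]
    return {"ok": sha_ok, "sha256_ok": sha_ok, "md5_ok": md5_ok}


def verify_bytes(data, expected):
    return judge(digests(data), expected)


def verify_file(path, expected):
    return judge(digests_of_file(path), expected)


if __name__ == "__main__":
    import os
    import sys
    table = parse_package_list(ADVISORY_EXCERPT)
    for path in sys.argv[1:]:
        name = os.path.basename(path)
        if name not in table:
            print(f"{name}: not listed in advisory")
            continue
        print(name, verify_file(path, table[name]))
```

A matching digest only shows that the file is the one this page describes; the GPG signature is what authenticates it as Red Hat's, so still run `rpm -K <file>.rpm` (`rpm --checksig`) with Red Hat's key imported. Note also the "File outdated by" lines: every package here was superseded by RHSA-2011:1329 (EL4) or RHSA-2012:0542 (EL5), so a current install should take the later errata rather than these files.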

Bugs fixed (see bugzilla for more information)

569905 - CVE-2010-0408 httpd: mod_proxy_ajp remote temporary DoS
570171 - CVE-2010-0434 httpd: request header information leak


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/