Security Advisory Moderate: httpd security and bug fix update

Advisory: RHSA-2010:0659-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-08-30
Last updated on: 2010-08-30
Affected Products: RHEL Desktop Workstation (v. 5 client)
                   Red Hat Enterprise Linux (v. 5 server)
                   Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2010-1452
                      CVE-2010-2791

Details

Updated httpd packages that fix two security issues and multiple bugs are
now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

A flaw was discovered in the way the mod_proxy module of the Apache HTTP
Server handled the timeouts of requests forwarded by a reverse proxy to the
back-end server. If the proxy was configured to reuse existing back-end
connections, it could return a response intended for another user under
certain timeout conditions, possibly leading to information disclosure.
(CVE-2010-2791)

A flaw was found in the way the mod_dav module of the Apache HTTP Server
handled certain requests. If a remote attacker were to send a carefully
crafted request to the server, it could cause the httpd child process to
crash. (CVE-2010-1452)

This update also fixes the following bugs:

* numerous issues in the INFLATE filter provided by mod_deflate. "Inflate
error -5 on flush" errors may have been logged. This update upgrades
mod_deflate to the newer upstream version from Apache HTTP Server 2.2.15.
(BZ#625435)

* the response would be corrupted if mod_filter applied the DEFLATE filter
to a resource requiring a subrequest with an internal redirect. (BZ#625451)

* the OID() function used in the mod_ssl "SSLRequire" directive did not
correctly evaluate extensions of an unknown type. (BZ#625452)

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.
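
The following is an added example, not part of the Red Hat advisory: a fleet check that flags hosts still on a build older than 2.2.3-43.el5_5.3 and hosts where httpd was started before the fixed package was installed. The inventory row format, the function names and the simplified version comparison (no epoch, tilde or caret handling) are assumptions of this example.

```python
import re

FIXED = ("2.2.3", "43.el5_5.3")   # version, release of the fixed build in this advisory
PACKAGES = {"httpd", "httpd-devel", "httpd-manual", "mod_ssl"}

# Constructed rows: host name version release install_epoch httpd_start_epoch
SAMPLE = [
    "web1 httpd 2.2.3 43.el5_5.2 1280000000 1280000500",
    "web2 httpd 2.2.3 43.el5_5.3 1283200000 1283100000",
    "web3 httpd 2.2.3 43.el5_5.3 1283200000 1283200600",
    "web3 mod_ssl 2.2.3 63.el5 1283200000 1283200600",
    "web3 openssl 0.9.8e 12.el5 1283200000 1283200600",
]

def _segments(s):
    # rpm compares maximal runs of digits or letters; other characters only separate
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp (no epoch, tilde or caret): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # leftover segments mean newer

def is_fixed(version, release):
    c = vercmp(version, FIXED[0])
    return c > 0 or (c == 0 and vercmp(release, FIXED[1]) >= 0)

def audit(rows):
    """Return (host, package, finding) for every row that still needs action."""
    findings = []
    for row in rows:
        host, name, version, release, installed, started = row.split()
        if name not in PACKAGES:
            continue
        if not is_fixed(version, release):
            findings.append((host, name, "vulnerable build"))
        elif name in ("httpd", "mod_ssl") and int(started) < int(installed):
            # daemon predates the update, so the old code is still loaded
            findings.append((host, name, "restart pending"))
    return findings
```
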


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
httpd-2.2.3-43.el5_5.3.src.rpm
File outdated by:  RHSA-2014:0369
 
IA-32:
httpd-devel-2.2.3-43.el5_5.3.i386.rpm
File outdated by:  RHSA-2014:0369
httpd-manual-2.2.3-43.el5_5.3.i386.rpm
File outdated by:  RHSA-2014:0369
 
x86_64:
httpd-devel-2.2.3-43.el5_5.3.i386.rpm
File outdated by:  RHSA-2014:0369
httpd-devel-2.2.3-43.el5_5.3.x86_64.rpm
File outdated by:  RHSA-2014:0369
httpd-manual-2.2.3-43.el5_5.3.x86_64.rpm
File outdated by:  RHSA-2014:0369
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
httpd-2.2.3-43.el5_5.3.src.rpm
File outdated by:  RHSA-2014:0369
 
IA-32:
httpd-2.2.3-43.el5_5.3.i386.rpm
File outdated by:  RHSA-2014:0369
httpd-devel-2.2.3-43.el5_5.3.i386.rpm
File outdated by:  RHSA-2014:0369
httpd-manual-2.2.3-43.el5_5.3.i386.rpm
File outdated by:  RHSA-2014:0369
mod_ssl-2.2.3-43.el5_5.3.i386.rpm
File outdated by:  RHSA-2014:0369
 
IA-64:
httpd-2.2.3-43.el5_5.3.ia64.rpm
File outdated by:  RHSA-2014:0369
httpd-devel-2.2.3-43.el5_5.3.ia64.rpm
File outdated by:  RHSA-2014:0369
httpd-manual-2.2.3-43.el5_5.3.ia64.rpm
File outdated by:  RHSA-2014:0369
mod_ssl-2.2.3-43.el5_5.3.ia64.rpm
File outdated by:  RHSA-2014:0369
 
PPC:
httpd-2.2.3-43.el5_5.3.ppc.rpm
File outdated by:  RHSA-2014:0369
httpd-devel-2.2.3-43.el5_5.3.ppc.rpm
File outdated by:  RHSA-2014:0369
httpd-devel-2.2.3-43.el5_5.3.ppc64.rpm
File outdated by:  RHSA-2014:0369
httpd-manual-2.2.3-43.el5_5.3.ppc.rpm
File outdated by:  RHSA-2014:0369
mod_ssl-2.2.3-43.el5_5.3.ppc.rpm
File outdated by:  RHSA-2014:0369
 
s390x:
httpd-2.2.3-43.el5_5.3.s390x.rpm
File outdated by:  RHSA-2014:0369
httpd-devel-2.2.3-43.el5_5.3.s390.rpm
File outdated by:  RHSA-2014:0369
httpd-devel-2.2.3-43.el5_5.3.s390x.rpm
File outdated by:  RHSA-2014:0369
httpd-manual-2.2.3-43.el5_5.3.s390x.rpm
File outdated by:  RHSA-2014:0369
mod_ssl-2.2.3-43.el5_5.3.s390x.rpm
File outdated by:  RHSA-2014:0369
 
x86_64:
httpd-2.2.3-43.el5_5.3.x86_64.rpm
File outdated by:  RHSA-2014:0369
httpd-devel-2.2.3-43.el5_5.3.i386.rpm
File outdated by:  RHSA-2014:0369
httpd-devel-2.2.3-43.el5_5.3.x86_64.rpm
File outdated by:  RHSA-2014:0369
httpd-manual-2.2.3-43.el5_5.3.x86_64.rpm
File outdated by:  RHSA-2014:0369
mod_ssl-2.2.3-43.el5_5.3.x86_64.rpm
File outdated by:  RHSA-2014:0369
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
httpd-2.2.3-43.el5_5.3.src.rpm
File outdated by:  RHSA-2014:0369
 
IA-32:
httpd-2.2.3-43.el5_5.3.i386.rpm
File outdated by:  RHSA-2014:0369
mod_ssl-2.2.3-43.el5_5.3.i386.rpm
File outdated by:  RHSA-2014:0369
 
x86_64:
httpd-2.2.3-43.el5_5.3.x86_64.rpm
File outdated by:  RHSA-2014:0369
mod_ssl-2.2.3-43.el5_5.3.x86_64.rpm
File outdated by:  RHSA-2014:0369
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

617523 - CVE-2010-2791 httpd: Reverse proxy sends wrong responses after time-outs
618189 - CVE-2010-1452 httpd mod_cache, mod_dav: DoS (httpd child process crash) by parsing URI structure with missing path segments
625435 - mod_deflate/mod_proxy generating 'Inflate error -5 on flush' errors
625451 - [APACHE BUG] filter handling issues with subrequests and internal redirects
625452 - mod_ssl: Further fix for SSLRequire OID() function


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/