Security Advisory Important: httpd security update

Advisory: RHSA-2011:1300-1
Type: Security Advisory
Severity: Important
Issued on: 2011-09-15
Last updated on: 2011-09-15
Affected Products: Red Hat Enterprise Linux ELS (v. 3)
CVEs (cve.mitre.org): CVE-2011-3192

Details

Updated httpd packages that fix one security issue are now available for
Red Hat Enterprise Linux 3 Extended Life Cycle Support.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The Apache HTTP Server is a popular web server.

A flaw was found in the way the Apache HTTP Server handled Range HTTP
headers. A remote attacker could use this flaw to cause httpd to use an
excessive amount of memory and CPU time via HTTP requests with a
specially-crafted Range header. (CVE-2011-3192)

All httpd users should upgrade to these updated packages, which contain a
backported patch to correct this issue. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux ELS (v. 3)

SRPMS:
httpd-2.0.46-78.ent.src.rpm     MD5: fe6fd4b3d492c16ffbbc38f09aec5a01
SHA-256: f95cd6e9f3ff555f95c32fb4ac3a5199df2208e67ccc9d37eef66ca946b9b706
 
IA-32:
httpd-2.0.46-78.ent.i386.rpm     MD5: 044dd35a6c754f58d62a2a999202236c
SHA-256: dbff108759b91ad602e5d182cf37184f0ad1355409b04326d1b5e03247811af6
httpd-devel-2.0.46-78.ent.i386.rpm     MD5: 55018eaf49c5b9bbc6d33883550e2d00
SHA-256: ace35a37391fcba6f681ec61fdb0b33c9d084ca847b47fc740323e49d44893bc
mod_ssl-2.0.46-78.ent.i386.rpm     MD5: 40078cbabfcf6cd70a5e5643cdf4186f
SHA-256: d887fda3a2e1cdc2bfa0b2169ff5697cfd98a5d77041852933ee89021e43ceb6
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

732928 - CVE-2011-3192 httpd: multiple ranges DoS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/