Security Advisory Important: httpd security update

Advisory: RHSA-2011:1369-1
Type: Security Advisory
Severity: Important
Issued on: 2011-10-13
Last updated on: 2011-10-13
Affected Products: Red Hat Application Stack v2
CVEs (cve.mitre.org): CVE-2011-3192

Details

Updated httpd packages that fix one security issue are now available for
Red Hat Application Stack v2.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The Apache HTTP Server is a popular web server.

A flaw was found in the way the Apache HTTP Server handled Range HTTP
headers. A remote attacker could use this flaw to cause httpd to use an
excessive amount of memory and CPU time via HTTP requests with a
specially-crafted Range header. (CVE-2011-3192)

All httpd users should upgrade to these updated packages, which contain a
backported patch to correct this issue. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.
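
The bug entry for this flaw calls it a "multiple ranges DoS". The following is an added example, not part of Red Hat's advisory, showing one way to review access logs for requests whose Range header is malformed or lists unusually many ranges. It assumes a custom LogFormat that records the Range header as the last quoted field; the threshold of 5, the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: a custom LogFormat appends the Range request header as the last
# quoted field:  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Range}i\"" rangelog
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<range>[^"]*)"$')
SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header):
    """Return the (first, last) specs in a bytes Range header, or None if malformed."""
    unit, sep, spec_list = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    specs = []
    # Empty list elements (",,") are tolerated and skipped.
    for part in filter(None, (p.strip() for p in spec_list.split(","))):
        if part == "-" or not (m := SPEC_RE.match(part)):
            return None
        first, last = (int(g) if g else None for g in m.groups())
        specs.append((first, last))  # None marks an open end or a suffix range
    return specs or None


def flag_clients(log_lines, max_ranges=5):  # 5 is an assumed threshold; tune it
    """Count, per client, requests whose Range header is malformed or oversized."""
    flagged, unparsed = Counter(), []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        header = m.group("range")
        if header in ("", "-"):
            continue  # no Range header on this request
        specs = parse_ranges(header)
        if specs is None or len(specs) > max_ranges:
            flagged[m.group("client")] += 1
    return flagged, unparsed


# Constructed sample lines (documentation addresses, made-up paths).
MANY = ",".join(f"{i}-{i + 9}" for i in range(0, 200, 10))  # 20 ranges
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Oct/2011:10:00:01 +0000] "GET /a.iso HTTP/1.1" 206 1024 "bytes=0-1023"',
    '192.0.2.10 - - [13/Oct/2011:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-"',
    '192.0.2.11 - - [13/Oct/2011:10:00:03 +0000] "GET /b.pdf HTTP/1.1" 206 350 "bytes=0-99,200-299,-50"',
    f'198.51.100.7 - - [13/Oct/2011:10:00:04 +0000] "GET /a.iso HTTP/1.1" 206 900 "bytes={MANY}"',
    '198.51.100.7 - - [13/Oct/2011:10:00:05 +0000] "GET /a.iso HTTP/1.1" 200 900 "bytes=abc"',
]
```

Calling flag_clients(SAMPLE_LOG) returns the per-client counts together with any lines that did not match the assumed log format.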


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Application Stack v2

SRPMS:
httpd-2.2.13-3.el5s2.src.rpm

IA-32:
httpd-2.2.13-3.el5s2.i386.rpm
httpd-devel-2.2.13-3.el5s2.i386.rpm
httpd-manual-2.2.13-3.el5s2.i386.rpm
mod_ssl-2.2.13-3.el5s2.i386.rpm

x86_64:
httpd-2.2.13-3.el5s2.x86_64.rpm
httpd-devel-2.2.13-3.el5s2.i386.rpm
httpd-devel-2.2.13-3.el5s2.x86_64.rpm
httpd-manual-2.2.13-3.el5s2.x86_64.rpm
mod_ssl-2.2.13-3.el5s2.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

732928 - CVE-2011-3192 httpd: multiple ranges DoS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/