Security Advisory Moderate: httpd security update

Advisory: RHSA-2012:0323-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-02-21
Last updated on: 2012-02-21
Affected Products:
    RHEL Desktop Workstation (v. 5 client)
    Red Hat Enterprise Linux (v. 5 server)
    Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org):
    CVE-2011-3607
    CVE-2011-3639
    CVE-2012-0031
    CVE-2012-0053

Details

Updated httpd packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

It was discovered that the fix for CVE-2011-3368 (released via
RHSA-2011:1392) did not completely address the problem. An attacker could
bypass the fix and make a reverse proxy connect to an arbitrary server not
directly accessible to the attacker by sending an HTTP version 0.9 request.
(CVE-2011-3639)
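The bypass above hinges on HTTP/0.9 "simple requests", which carry no HTTP-version token on the request line. As an added example (not part of this advisory), the following Python flags such request lines in an httpd access log so that attempts can be reviewed after patching. It assumes the default combined log format and that httpd's %r logs the request line as received, so an HTTP/0.9 line appears without a trailing HTTP/x.y; the log lines are constructed and name no real host.

```python
import re

# Constructed sample lines in httpd's combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Feb/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.11 - - [21/Feb/2012:10:00:02 +0000] "GET /index.html" 200 1234 "-" "-"
192.0.2.12 - - [21/Feb/2012:10:00:03 +0000] "POST /form HTTP/1.0" 302 0 "-" "curl/7.19"
192.0.2.13 - - [21/Feb/2012:10:00:04 +0000] "-" 408 0 "-" "-"
"""

# host, ident, user, [time], "request", status, size  (referer/agent ignored)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
VERSION_RE = re.compile(r' HTTP/\d+\.\d+$')


def classify_request_line(request: str) -> str:
    """'versioned' for HTTP/1.x request lines, 'http09' for a request line
    with no version token (the HTTP/0.9 simple-request form), and 'empty'
    for the '-' httpd writes when it read no request at all."""
    if request in ("", "-"):
        return "empty"
    if VERSION_RE.search(request):
        return "versioned"
    return "http09"


def find_http09_requests(log_text: str) -> list:
    """Return (client, request line) pairs for every HTTP/0.9-style request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        if classify_request_line(m.group("request")) == "http09":
            hits.append((m.group("host"), m.group("request")))
    return hits


if __name__ == "__main__":
    for host, req in find_http09_requests(SAMPLE_LOG):
        print(f"HTTP/0.9-style request from {host}: {req!r}")
```

A hit is a lead, not proof of an attack: a few old clients and some monitoring probes still send version-less requests, so review the request targets and the clients involved rather than alerting on the count alone.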

The httpd server included the full HTTP header line in the default error
page generated when receiving an excessively long or malformed header.
Malicious JavaScript running in the server's domain context could use this
flaw to gain access to httpOnly cookies. (CVE-2012-0053)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way httpd performed substitutions in regular expressions. An
attacker able to set certain httpd settings, such as a user permitted to
override the httpd configuration for a specific directory using a
".htaccess" file, could use this flaw to crash the httpd child process or,
possibly, execute arbitrary code with the privileges of the "apache" user.
(CVE-2011-3607)

A flaw was found in the way httpd handled child process status information.
A malicious program running with httpd child process privileges (such as a
PHP or CGI script) could use this flaw to cause the parent httpd process to
crash during httpd service shutdown. (CVE-2012-0031)

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon will be restarted automatically.
Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
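To confirm after the update that the installed httpd is the fixed build (2.2.3-63.el5_8.1, taken from the package names in this advisory) or a later one, the version strings must be ordered the way rpm orders them, not as plain strings. The following is an added example, not part of the advisory: a Python port of rpm's rpmvercmp ordering (tilde pre-release handling included, the caret marker of newer rpm releases not), an epoch:version-release comparison on top of it, and a query of the rpm database with the standard `rpm -q --qf` format. The older version strings in the assertions are constructed.

```python
import subprocess

# Fixed build, from the package file names listed in this advisory.
FIXED_HTTPD_EVR = "2.2.3-63.el5_8.1"


def _run(s: str, k: int, pred) -> int:
    """Advance k over characters satisfying pred; return the end index."""
    while k < len(s) and pred(s[k]):
        k += 1
    return k


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): 1 if a is newer, -1 if older, 0 if equal.
    Segments starting with a digit compare numerically, others as strings;
    '~' sorts before anything, including the end of the string."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators are ignored, but '~' is significant
        i = _run(a, i, lambda c: not (c.isalnum() or c == "~"))
        j = _run(b, j, lambda c: not (c.isalnum() or c == "~"))
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        if a[i].isdigit():
            ia, jb, isnum = _run(a, i, str.isdigit), _run(b, j, str.isdigit), True
        else:
            ia, jb, isnum = _run(a, i, str.isalpha), _run(b, j, str.isalpha), False
        sa, sb = a[i:ia], b[j:jb]
        if not sb:
            # segment types differ: a numeric segment is newer than an alphabetic one
            return 1 if isnum else -1
        i, j = ia, jb
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into its parts; epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(x: str, y: str) -> int:
    """Compare epoch first, then version, then release."""
    for p, q in zip(parse_evr(x), parse_evr(y)):
        c = rpmvercmp(p, q)
        if c:
            return c
    return 0


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_HTTPD_EVR) -> bool:
    """True if the installed build is the fixed build or newer."""
    return evr_cmp(installed_evr, fixed_evr) >= 0


def installed_evr(package: str = "httpd") -> str:
    """Query the rpm database; rpm prints '(none)' for an unset epoch."""
    out = subprocess.check_output(
        ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", package]
    ).decode()
    return out.splitlines()[0].replace("(none)", "0", 1)


if __name__ == "__main__":
    evr = installed_evr()
    state = "fixed" if is_fixed(evr) else "NOT fixed, apply RHSA-2012:0323"
    print(f"httpd {evr}: {state}")
```

The comparison has to be rpm's own, because a string comparison would rank the constructed 2.2.3-9.el5 above 2.2.3-63.el5_8.1; the numeric-segment rule is what makes 63 outrank 9.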

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
httpd-2.2.3-63.el5_8.1.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: 9f56636af45b55830006b8e86b0cf023
SHA-256: 1f8328a01dd81d74a1aa4791286edcf800ec6dfef05dfb16883e63513f6c81b8
 
IA-32:
httpd-debuginfo-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: e1728a7c18a4e4103caec5c240da0e44
SHA-256: c087073a7352c73e7c4756f72eddae4aefe20012d55b39ff7f19171e8e3c8bc3
httpd-devel-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: ac1f8eabf5520555483218e26da6efd4
SHA-256: c5a38b6f00f0593bce4e9eeda0b41f656ab0bed9f6413bdde89e40501faa3108
httpd-manual-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: a7c1e922cdbd4bc2a8751f93259975aa
SHA-256: d607695f4d548eec8fea3391444984b390f051069aebef218498021492ce2e63
 
x86_64:
httpd-debuginfo-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: e1728a7c18a4e4103caec5c240da0e44
SHA-256: c087073a7352c73e7c4756f72eddae4aefe20012d55b39ff7f19171e8e3c8bc3
httpd-debuginfo-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 36df108ae2e3a49e5e3a4fc0a2fc8acc
SHA-256: 3129aa4ceb90b4e4ed913798530145592153834115577188b8fb016b7dd0f89b
httpd-devel-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: ac1f8eabf5520555483218e26da6efd4
SHA-256: c5a38b6f00f0593bce4e9eeda0b41f656ab0bed9f6413bdde89e40501faa3108
httpd-devel-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 47af8148020ba8700aa09864dadbd442
SHA-256: 8840dead0175991f64f3be3a9b39f610ffd6ec9629e416b5a471eac67d198153
httpd-manual-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: e61b8393714dd067e00482a4ee00dbdb
SHA-256: 1b07e7a4026965722acffd1e8f017d82c89beb49874596ee5144791ad0b5d9bb
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
httpd-2.2.3-63.el5_8.1.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: 9f56636af45b55830006b8e86b0cf023
SHA-256: 1f8328a01dd81d74a1aa4791286edcf800ec6dfef05dfb16883e63513f6c81b8
 
IA-32:
httpd-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 555c0e60f83f21c1b4f79690208276b7
SHA-256: b6db0220a9936bf6842f994ea2b05c9f5f0c7cfe23c50b9ae30162bf692b90e6
httpd-debuginfo-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: e1728a7c18a4e4103caec5c240da0e44
SHA-256: c087073a7352c73e7c4756f72eddae4aefe20012d55b39ff7f19171e8e3c8bc3
httpd-devel-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: ac1f8eabf5520555483218e26da6efd4
SHA-256: c5a38b6f00f0593bce4e9eeda0b41f656ab0bed9f6413bdde89e40501faa3108
httpd-manual-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: a7c1e922cdbd4bc2a8751f93259975aa
SHA-256: d607695f4d548eec8fea3391444984b390f051069aebef218498021492ce2e63
mod_ssl-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: ff09e93cdaf28cffe4aeadf8ab915b1b
SHA-256: 4599de482ca654dd4df8a1fdf5a98f43ab635102f751a036b5636fb929c9d5c9
 
IA-64:
httpd-2.2.3-63.el5_8.1.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: c658750bbb21da470f88eaab9db5e082
SHA-256: 7398ea26d9056ad4e65da6bbb20d0c7a71f64c81ed83ad0691a1422bc0f6e36f
httpd-debuginfo-2.2.3-63.el5_8.1.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 38b115257eb72a013b4b3e1c2836ddb2
SHA-256: b3da09ef15bd6f783188edc90be0ac4b167cb8c15b5866712f54336c18ac4044
httpd-devel-2.2.3-63.el5_8.1.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 8fee8d118eb309e2bc5b92a2212845ef
SHA-256: 13a8e7869d6ef40ad2752fb91645ec6a0848e0bebbf4db968e2bae7ee599992b
httpd-manual-2.2.3-63.el5_8.1.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 0ef39e8888947e9cd96cabe298202562
SHA-256: c6dcea93803aca38f89594916952166d4f16cdcb4fbcc1d27b1f5e683dfa0952
mod_ssl-2.2.3-63.el5_8.1.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: eb4d0270f86df9e5f74dad1b3ae1feb2
SHA-256: 3810c6e27e3edd96b75ce53e057e60076f4a51eb2dbbb0a71445ef497abb735a
 
PPC:
httpd-2.2.3-63.el5_8.1.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: ff9b58931ed89c61e996115abbe25e04
SHA-256: fed26ab180ac369868c4c924d06679c7ee2bb151de269a0e14413b8adbe098ba
httpd-debuginfo-2.2.3-63.el5_8.1.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 215a989009caf12f5c810d6c21e1c458
SHA-256: d44f9cd7629be0605e00e513426abae5936abbfd71025fc09e91cb7f6f7bd406
httpd-debuginfo-2.2.3-63.el5_8.1.ppc64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 8a2db9a9e257e453a7d4fe3933f0724a
SHA-256: de925d173fe5037f201500f66b568c51925290d07772a8c2893cf0e92e3e9832
httpd-devel-2.2.3-63.el5_8.1.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 207a87d80d92bf3a566aba140e0283da
SHA-256: 3ba9742fc9730f9579bb9a13dcc4bb9d2dbc5a6aba5a311de95c11d172281373
httpd-devel-2.2.3-63.el5_8.1.ppc64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 89c3aa789d44e11c15b6d2ebade3b20e
SHA-256: 1e8878bebcc0e65789dbfe05eb76bfa6e3f650c2c789cadbd3375435d2cf840a
httpd-manual-2.2.3-63.el5_8.1.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 6da3ecd1089c03af0b80522f34903561
SHA-256: 16eaa6a8741912d168fd6af7d625db38a3cd89972d41e749a91bec5802c70c6d
mod_ssl-2.2.3-63.el5_8.1.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: c6191620ea86e74c234b582274fee788
SHA-256: 0fc5288420e545586b1bf31c8d70116e7875d77e1d2f1c72f309eb0040c45622
 
s390x:
httpd-2.2.3-63.el5_8.1.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: b953c65aa19255838868d1b91c7516b1
SHA-256: 1ce1853ddb1c2c74d61ec229a2ee4544fc7c130ba78ed24c12c2a61b298156d1
httpd-debuginfo-2.2.3-63.el5_8.1.s390.rpm
File outdated by:  RHSA-2014:0369
    MD5: ab5ed353f22d0bc1a8f9361b7bedbda3
SHA-256: bc7add225e1153fddf8ec95fec86bf952f5c4196b361ec2223917d96d3eebe9a
httpd-debuginfo-2.2.3-63.el5_8.1.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 8c4caebe94c8825b348b568a113728fc
SHA-256: 732f1c4c7517635033e4f3ef3449f32402ebaf684e5ee829bf6eca106400c4aa
httpd-devel-2.2.3-63.el5_8.1.s390.rpm
File outdated by:  RHSA-2014:0369
    MD5: da7e73f0b43bcaa929328ec2d0539250
SHA-256: 559e0105d30074b865d04991b8f359fc4afa3bfa53eb6b49fea0c098e0b66765
httpd-devel-2.2.3-63.el5_8.1.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: cc4e90313385f8c528603e033f70a29c
SHA-256: ee593405d2eef7bd70aae7c26c327ba74044561694fba73e71ffa1a141e2db9e
httpd-manual-2.2.3-63.el5_8.1.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 91e7ca05489c08928422c99fc40aa570
SHA-256: 7d64a2a10ed66835caedcb104f0993b8060e6c3c7e39358271054f86a7f31fd6
mod_ssl-2.2.3-63.el5_8.1.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 63ca3a28d5686650ad0546c591f401d2
SHA-256: 612527ee758dc1ca79e4b30a26559d91187e83263322bd0b508f331bfbb9fa10
 
x86_64:
httpd-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 36ad79f5bd1115e9e60da444579ee409
SHA-256: bfcc0b476f567ea60c793f3d5a819b36b6287f85cce0fb3cdf074632735afa31
httpd-debuginfo-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: e1728a7c18a4e4103caec5c240da0e44
SHA-256: c087073a7352c73e7c4756f72eddae4aefe20012d55b39ff7f19171e8e3c8bc3
httpd-debuginfo-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 36df108ae2e3a49e5e3a4fc0a2fc8acc
SHA-256: 3129aa4ceb90b4e4ed913798530145592153834115577188b8fb016b7dd0f89b
httpd-devel-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: ac1f8eabf5520555483218e26da6efd4
SHA-256: c5a38b6f00f0593bce4e9eeda0b41f656ab0bed9f6413bdde89e40501faa3108
httpd-devel-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 47af8148020ba8700aa09864dadbd442
SHA-256: 8840dead0175991f64f3be3a9b39f610ffd6ec9629e416b5a471eac67d198153
httpd-manual-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: e61b8393714dd067e00482a4ee00dbdb
SHA-256: 1b07e7a4026965722acffd1e8f017d82c89beb49874596ee5144791ad0b5d9bb
mod_ssl-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 7e98f60891119c13667c6632c9c8186d
SHA-256: eb39747dcde2a4380404c24371a923f06d4b3b12bbe80c273597c74dcf5449ca
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
httpd-2.2.3-63.el5_8.1.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: 9f56636af45b55830006b8e86b0cf023
SHA-256: 1f8328a01dd81d74a1aa4791286edcf800ec6dfef05dfb16883e63513f6c81b8
 
IA-32:
httpd-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 555c0e60f83f21c1b4f79690208276b7
SHA-256: b6db0220a9936bf6842f994ea2b05c9f5f0c7cfe23c50b9ae30162bf692b90e6
httpd-debuginfo-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: e1728a7c18a4e4103caec5c240da0e44
SHA-256: c087073a7352c73e7c4756f72eddae4aefe20012d55b39ff7f19171e8e3c8bc3
mod_ssl-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: ff09e93cdaf28cffe4aeadf8ab915b1b
SHA-256: 4599de482ca654dd4df8a1fdf5a98f43ab635102f751a036b5636fb929c9d5c9
 
x86_64:
httpd-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 36ad79f5bd1115e9e60da444579ee409
SHA-256: bfcc0b476f567ea60c793f3d5a819b36b6287f85cce0fb3cdf074632735afa31
httpd-debuginfo-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 36df108ae2e3a49e5e3a4fc0a2fc8acc
SHA-256: 3129aa4ceb90b4e4ed913798530145592153834115577188b8fb016b7dd0f89b
mod_ssl-2.2.3-63.el5_8.1.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 7e98f60891119c13667c6632c9c8186d
SHA-256: eb39747dcde2a4380404c24371a923f06d4b3b12bbe80c273597c74dcf5449ca
 
(The unlinked packages above are only available from the Red Hat Network)
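The listing above is a flattened table of file name, superseding advisory, MD5 and SHA-256 per package. As an added example (not part of the advisory), the Python below parses that layout into records and checks a downloaded file's SHA-256 against them; the two records embedded in it are copied from the advisory's own listing, while the function names and the file path in the usage are the example's own.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PackageRecord:
    filename: str
    md5: str
    sha256: str
    outdated_by: Optional[str] = None


# Two entries copied verbatim from this advisory's package listing.
LISTING_EXCERPT = """\
SRPMS:
httpd-2.2.3-63.el5_8.1.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: 9f56636af45b55830006b8e86b0cf023
SHA-256: 1f8328a01dd81d74a1aa4791286edcf800ec6dfef05dfb16883e63513f6c81b8

IA-32:
httpd-2.2.3-63.el5_8.1.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 555c0e60f83f21c1b4f79690208276b7
SHA-256: b6db0220a9936bf6842f994ea2b05c9f5f0c7cfe23c50b9ae30162bf692b90e6
"""

RPM_LINE = re.compile(r"^\S+\.rpm$")


def parse_listing(text: str) -> Dict[str, PackageRecord]:
    """Turn the flattened listing into {filename: PackageRecord}. The same
    file listed under several products collapses to one record."""
    records: Dict[str, PackageRecord] = {}
    current: Optional[PackageRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if RPM_LINE.match(line):
            current = PackageRecord(filename=line, md5="", sha256="")
            records[line] = current
        elif current is None:
            continue  # architecture headings such as "IA-32:" carry no data
        elif line.startswith("File outdated by:"):
            current.outdated_by = line.split(":", 1)[1].strip()
        elif line.startswith("MD5:"):
            current.md5 = line.split(":", 1)[1].strip().lower()
        elif line.startswith("SHA-256:"):
            current.sha256 = line.split(":", 1)[1].strip().lower()
    return records


def verify_bytes(filename: str, data: bytes, records: Dict[str, PackageRecord]) -> bool:
    """True only if the file is listed and its SHA-256 matches. MD5 is
    deliberately not consulted: it is listed for legacy tooling and is not
    collision resistant."""
    rec = records.get(filename)
    if rec is None or not rec.sha256:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), rec.sha256)


def verify_file(path: str, records: Dict[str, PackageRecord]) -> bool:
    """Stream a file from disk and check it against the listing by base name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    rec = records.get(os.path.basename(path))
    return rec is not None and hmac.compare_digest(h.hexdigest(), rec.sha256)


if __name__ == "__main__":
    records = parse_listing(LISTING_EXCERPT)
    for name, rec in records.items():
        print(f"{name}: sha256={rec.sha256[:12]}... superseded by {rec.outdated_by}")
    # Example path; replace with the RPM actually downloaded.
    print(verify_file("/tmp/httpd-2.2.3-63.el5_8.1.i386.rpm", records))
```

A matching digest shows that the file is the one the advisory lists, not that it came from Red Hat; authenticity comes from the GPG signature, which `rpm -K` checks once Red Hat's key is imported as described at the end of this page. The "File outdated by" value is worth surfacing too: it says a later advisory supersedes these packages, so a host that matches them exactly is not necessarily current.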

Bugs fixed (see bugzilla for more information)

752080 - CVE-2011-3639 httpd: http 0.9 request bypass of the reverse proxy vulnerability CVE-2011-3368 fix
769844 - CVE-2011-3607 httpd: ap_pregsub Integer overflow to buffer overflow
773744 - CVE-2012-0031 httpd: possible crash on shutdown due to flaw in scoreboard handling
785069 - CVE-2012-0053 httpd: cookie exposure due to error responses

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/