Security Advisory Low: httpd security, bug fix, and enhancement update

Advisory: RHSA-2013:0130-1
Type: Security Advisory
Severity: Low
Issued on: 2013-01-08
Last updated on: 2013-01-08
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2008-0455
CVE-2008-0456
CVE-2012-2687

Details

Updated httpd packages that fix multiple security issues, various bugs,
and add enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The httpd packages contain the Apache HTTP Server (httpd), which is the
namesake project of The Apache Software Foundation.

Input sanitization flaws were found in the mod_negotiation module. A remote
attacker able to upload or create files with arbitrary names in a directory
that has the MultiViews option enabled could use these flaws to conduct
cross-site scripting and HTTP response splitting attacks against users
visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687)

Bug fixes:

* Previously, no check was made to see if the
/etc/pki/tls/private/localhost.key file was a valid key prior to running
the "%post" script for the "mod_ssl" package. Consequently, when
/etc/pki/tls/certs/localhost.crt did not exist and "localhost.key" was
present but invalid, upgrading the Apache HTTP Server daemon (httpd) with
mod_ssl failed. The "%post" script has been fixed to test for an existing
SSL key. As a result, upgrading httpd with mod_ssl now proceeds as
expected. (BZ#752618)
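The failure was a scriptlet that assumed an existing localhost.key was usable. The following is an added example, not the %post script shipped in the mod_ssl package: it performs the kind of validity check the advisory describes as a stand-alone function, and decides whether a certificate should be kept, generated from the existing key, or created together with a fresh key. The default paths are the RHEL 5 locations named in the advisory; the function names and the use of "openssl rsa -check" are this script's choice.

```shell
#!/bin/sh
# Added example, not Red Hat's %post script: validate the mod_ssl key
# before deciding how to set up the default certificate. The paths below
# are the RHEL 5 defaults named in the advisory.

KEY=${KEY:-/etc/pki/tls/private/localhost.key}
CRT=${CRT:-/etc/pki/tls/certs/localhost.crt}

# Return 0 if $1 exists, is non-empty and parses as a consistent RSA
# private key, 1 otherwise. "openssl rsa -check" parses the PEM and checks
# the key's arithmetic; all output is discarded so no key material leaks
# into logs. (Assumes an RSA key, as RHEL 5 generated by default.)
key_is_valid() {
    [ -s "$1" ] || return 1
    openssl rsa -check -noout -in "$1" >/dev/null 2>&1
}

# Print the action a %post-style scriptlet should take for key $1 and
# certificate $2:
#   keep        certificate already exists; leave both files alone
#   generate    no certificate, valid key present; make a cert from it
#   regenerate  no certificate, key missing or invalid; make a new pair
# Always exits 0 so a package transaction is never aborted by this step.
plan_ssl_setup() {
    key=$1 crt=$2
    if [ -f "$crt" ]; then
        echo keep
    elif key_is_valid "$key"; then
        echo generate
    else
        echo regenerate
    fi
    return 0
}

# Usage: sh check-ssl-key.sh   (prints the planned action for the defaults)
if [ $# -eq 0 ] && [ -n "${PRINT_PLAN-}" ]; then
    plan_ssl_setup "$KEY" "$CRT"
fi
```

The "regenerate" branch is where the unpatched scriptlet went wrong: it reached the certificate-generation step with an unreadable key and failed, which in turn failed the package upgrade.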

* The "mod_ssl" module did not support operation under FIPS mode.
Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode
enabled, httpd failed to start. An upstream patch has been applied to
disable non-FIPS functionality if operating under FIPS mode and httpd now
starts as expected. (BZ#773473)

* Prior to this update, httpd exit status codes were not Linux Standard
Base (LSB) compliant. When the command "service httpd reload" was run and
httpd failed, the exit status code returned was "0" and not in the range 1
to 6 as expected. A patch has been applied to the init script and httpd now
returns "1" as an exit status code. (BZ#783242)
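A reload that reports success while doing nothing is a monitoring problem: configuration management and health checks key off the exit status. The following is an added example, not the init script shipped in the httpd package: a reload action that returns 1 (LSB "generic or unspecified error") whenever it cannot deliver the reload, rather than 0. The pidfile path, the optional "httpd -t" syntax check and the function name are this script's assumptions.

```shell
#!/bin/sh
# Added example, not the httpd package's init script: an LSB-style reload
# action. Exit status 0 = success, 1 = generic error, as the advisory says
# the fixed init script now returns on failure.

PIDFILE=${PIDFILE:-/var/run/httpd.pid}
HTTPD=${HTTPD:-/usr/sbin/httpd}

# Reload the daemon whose pid is recorded in $1 (default: $PIDFILE).
# Returns 1 if the config is broken, the pidfile is missing or unusable,
# or the process is gone; returns 0 only after SIGHUP was delivered.
httpd_reload() {
    pidfile=${1:-$PIDFILE}

    # Refuse to signal the daemon if the configuration does not parse;
    # a restart on a broken config would leave httpd down.
    if [ -x "$HTTPD" ] && ! "$HTTPD" -t >/dev/null 2>&1; then
        echo "reload: configuration syntax check failed" >&2
        return 1
    fi
    if [ ! -r "$pidfile" ]; then
        echo "reload: $pidfile not found; is httpd running?" >&2
        return 1
    fi
    pid=$(head -n 1 "$pidfile")
    case "$pid" in
        ''|*[!0-9]*)
            echo "reload: $pidfile does not contain a pid" >&2
            return 1 ;;
    esac
    # kill -0 only checks that the process exists and may be signalled.
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "reload: pid $pid from $pidfile is not running" >&2
        return 1
    fi
    # SIGHUP makes httpd re-read its configuration and restart its children.
    kill -HUP "$pid" 2>/dev/null || return 1
    return 0
}

# Usage: sh httpd-reload.sh && echo reloaded
if [ -n "${RUN_RELOAD-}" ]; then
    httpd_reload
fi
```

Checking "kill -0" before "kill -HUP" is what separates "nothing to reload" from "signal sent"; the unpatched script collapsed both into exit status 0.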

* Chunked Transfer Coding is described in RFC 2616. Previously, the
Apache server did not correctly handle a chunked encoded POST request with
a "chunk-size" or "chunk-extension" value of 32 bytes or more.
Consequently, when such a POST request was made the server did not respond.
An upstream patch has been applied and the problem no longer occurs.
(BZ#840845)
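The unpatched server stalled on a chunk-size line longer than 31 bytes, which in practice means a long chunk-extension. The following is an added example, not code from the advisory or from httpd: a small RFC 2616 chunked-body decoder in portable shell that treats the chunk-size line as arbitrary length, so a 40-byte extension decodes the same as none. The sample body is constructed here; the function names and the "trace=" extension name are this script's assumptions.

```shell
#!/bin/sh
# Added example (not httpd code): decode a chunked message body per
# RFC 2616 section 3.6.1. The chunk-size line is read whole, so a
# chunk-extension of any length is accepted, the input the advisory says
# the unpatched server failed to answer.

cr=$(printf '\r')

# Read a chunked body on stdin and write the decoded payload to stdout.
# Return 1 on a malformed chunk-size line, 0 after the last-chunk.
decode_chunked() {
    while IFS= read -r line; do
        line=${line%"$cr"}                 # strip the CR of the CRLF
        size_hex=${line%%;*}               # drop any ";name=value" extension
        size_hex=$(printf '%s' "$size_hex" | tr -d ' \t')
        case "$size_hex" in
            ''|*[!0-9A-Fa-f]*)
                echo "bad chunk-size line: $line" >&2
                return 1 ;;
        esac
        size=$((0x$size_hex))
        [ "$size" -eq 0 ] && break         # last-chunk; trailers follow
        dd bs=1 count="$size" 2>/dev/null  # copy exactly chunk-size bytes
        IFS= read -r _crlf                 # consume the CRLF after chunk-data
    done
    return 0
}

# Constructed sample request body: two chunks, the first carrying a
# 40-character chunk-extension value, then the zero-length last-chunk.
sample_chunked_body() {
    ext=$(printf '%040d' 0)
    printf '5;trace=%s\r\nhello\r\n6\r\n world\r\n0\r\n\r\n' "$ext"
}

# Usage: sh chunked.sh   (prints "hello world")
if [ -n "${RUN_DEMO-}" ]; then
    sample_chunked_body | decode_chunked
    echo
fi
```

Reading chunk data with "dd bs=1" rather than "read" keeps the decoder binary-safe and leaves the stream positioned exactly at the next chunk-size line, which is the property a fixed-size line buffer lost when the line exceeded it.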

* Due to a regression, when mod_cache received a non-cacheable 304
response, the headers were served incorrectly. Consequently, compressed
data could be returned to the client without the cached headers to indicate
the data was compressed. An upstream patch has been applied to merge
response and cached headers before data from the cache is served to the
client. As a result, cached data is now correctly interpreted by the
client. (BZ#845532)

* In a proxy configuration, certain response-line strings were not handled
correctly. If a response-line without a "description" string was received
from the origin server, for a non-standard status code, such as the "450"
status code, a "500 Internal Server Error" would be returned to the client.
This bug has been fixed so that the original response line is returned to
the client. (BZ#853128)

Enhancements:

* The configuration directive "LDAPReferrals" is now supported in addition
to the previously introduced "LDAPChaseReferrals". (BZ#727342)

* The AJP support module for "mod_proxy", "mod_proxy_ajp", now supports the
"ProxyErrorOverride" directive. Consequently, it is now possible to
configure customized error pages for web applications running on a backend
server accessed via AJP. (BZ#767890)

* The "%posttrans" scriptlet which automatically restarts the httpd service
after a package upgrade can now be disabled. If the file
/etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not
restart the daemon. (BZ#833042)

* The output of "httpd -S" now includes configured alias names for each
virtual host. (BZ#833043)

* New certificate variable names are now exposed by "mod_ssl" using the
"_DN_userID" suffix, such as "SSL_CLIENT_S_DN_userID", which use the
commonly used object identifier (OID) definition of "userID", OID
0.9.2342.19200300.100.1.1. (BZ#840036)

All users of httpd are advised to upgrade to these updated packages, which
fix these issues and add these enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
httpd-2.2.3-74.el5.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: 9b3715a65bbc89750ceb73731471aec8
SHA-256: ce59717c363ee6bf76e74c4f08065f4afa9e596965d2dcf0d822cf43fdf75c1f
 
IA-32:
httpd-debuginfo-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 505a9aa76bbf042d4b8304e7d12880af
SHA-256: 07c7272e96da44bea81a099adee4a8c32fef702aeb777e602d6ea7c43d05f0a2
httpd-devel-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 5893ccb037db4c8f331db52e168cd848
SHA-256: 7b3b69af639d43fdd5c732ea6a22fe4ba1bfe1d6ed55f0f15abade9f73179ef1
httpd-manual-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 50dc9635cfd488f9063ce980b1d129b0
SHA-256: 14b58d1ef23519f529994cc2f65d74c3330025bb9f38dde2caa14222d5a1c116
 
x86_64:
httpd-debuginfo-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 505a9aa76bbf042d4b8304e7d12880af
SHA-256: 07c7272e96da44bea81a099adee4a8c32fef702aeb777e602d6ea7c43d05f0a2
httpd-debuginfo-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 027f3f7a8d44f9d1831113e2ce8c07b2
SHA-256: 4057a5d4c7a83f0b813c961dc0866b709d6878f9bc7153d87f4bbec2617ae29b
httpd-devel-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 5893ccb037db4c8f331db52e168cd848
SHA-256: 7b3b69af639d43fdd5c732ea6a22fe4ba1bfe1d6ed55f0f15abade9f73179ef1
httpd-devel-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 463ade9d58d323d2ce1e5e69696d374a
SHA-256: 1aa5983c730735ea8930ae511aaeb0b10a7445c5807771f5fbfb4445c525cd3e
httpd-manual-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 189360aead922b19408480c9120bf625
SHA-256: 57bf68d5ba4131ca6e2f62170489b2d8ceb59e599dec5607f2cb9dd85aadbaa6
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
httpd-2.2.3-74.el5.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: 9b3715a65bbc89750ceb73731471aec8
SHA-256: ce59717c363ee6bf76e74c4f08065f4afa9e596965d2dcf0d822cf43fdf75c1f
 
IA-32:
httpd-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: a132aeea6cfc1d366b82f413e446a5c8
SHA-256: 1c7b7b44c60db15211d6d94a4b10a4253e57460f17cb16620bbb4328634c74a2
httpd-debuginfo-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 505a9aa76bbf042d4b8304e7d12880af
SHA-256: 07c7272e96da44bea81a099adee4a8c32fef702aeb777e602d6ea7c43d05f0a2
httpd-devel-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 5893ccb037db4c8f331db52e168cd848
SHA-256: 7b3b69af639d43fdd5c732ea6a22fe4ba1bfe1d6ed55f0f15abade9f73179ef1
httpd-manual-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 50dc9635cfd488f9063ce980b1d129b0
SHA-256: 14b58d1ef23519f529994cc2f65d74c3330025bb9f38dde2caa14222d5a1c116
mod_ssl-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: b93df038911cfbd9836c25dc5da9bf5b
SHA-256: 6cfe0cf81a45329e6701afcb7c1ddc78f75c37b6312af477b506c93d02fdc516
 
IA-64:
httpd-2.2.3-74.el5.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: cfe8f13841dd1918d4b1274a0c833d62
SHA-256: 671af3675be088146ca0eb6cf9922f58678a92c2bbb885647bf6b8b80dee40a8
httpd-debuginfo-2.2.3-74.el5.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: c42145927e39a3b13d281db12a6cdaf6
SHA-256: 086cefec1ac65a8130455d0e81491c426b8da71d6b5ecd8cc420b3b378f33d0d
httpd-devel-2.2.3-74.el5.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: a737e3828c1c289d8cc112ce7bd6f0d9
SHA-256: e4d38fe923cdaf3f4be53ad2d3421b955739abf72b074321358f890114093298
httpd-manual-2.2.3-74.el5.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 7454a40d8983c12c2966b240b114efcc
SHA-256: caea64f4b7f6ebd14137ae9248461791c18af47fd81e0695b436fec7c10f4283
mod_ssl-2.2.3-74.el5.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: e0136935aa043f9745619f2b42c1fe08
SHA-256: ff98edc66fa6a5dfb742c6baaf24d0679c02407e81101eb4d83bab87e0bad09b
 
PPC:
httpd-2.2.3-74.el5.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 6c7cb7754812b8961b36f6cd0e05e43b
SHA-256: d7c33fba2a40d2ad48f53edf5b4ddaa8fc95daa73a1d7b80908bee0be0a63831
httpd-debuginfo-2.2.3-74.el5.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 8ea58a3725f7125f3f34fba5237e2d8e
SHA-256: 73a27d6bf6835989f0000f5a167a276e26178a4fcb4361ddcaad4122c8ebbb94
httpd-debuginfo-2.2.3-74.el5.ppc64.rpm
File outdated by:  RHSA-2014:0369
    MD5: a3dd0a7d30cb2ec91ce25f6680eeb25e
SHA-256: 1f2af7807f9c9d51e429eb88e6c1f7a2fb9c3dc1b6986286e8731a100b48b477
httpd-devel-2.2.3-74.el5.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 22f29d685da77e458865ed95b97a77ea
SHA-256: 37351f6a134ac2dfdb535e201f119f258103941a979209943dab3cab9b251073
httpd-devel-2.2.3-74.el5.ppc64.rpm
File outdated by:  RHSA-2014:0369
    MD5: a5c3e5495fed0b8f93c0b9523f394cfa
SHA-256: 4bf5c97e8293b19a6b6b45f7546f2dab5b48eb04ff7161f79e95e64df221d959
httpd-manual-2.2.3-74.el5.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 0ac66727c67ef6c179318ab9239515e8
SHA-256: 8de0df21985e12926052d7647754626692d19f632d754ce9e8311ccbb4869f43
mod_ssl-2.2.3-74.el5.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 1c8f201e758f036ae9f016e1d41935f8
SHA-256: a036445aca320711da0e0bdf60da48a5557c5a4a6055b8e786cdea8b73c7db33
 
s390x:
httpd-2.2.3-74.el5.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: efe995b5118718abaa020ab88d67a2dd
SHA-256: efdea6b6ec335b8e46fa754053e82145c606c16579af9be35a4fd99e7e0169e6
httpd-debuginfo-2.2.3-74.el5.s390.rpm
File outdated by:  RHSA-2014:0369
    MD5: e8f2605c664068bbcf51aa488a94ef68
SHA-256: a263d9509a19d5b6ce3d63032fafe0e010b5ef5aee63a100b4e4cef486cf44eb
httpd-debuginfo-2.2.3-74.el5.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 16410571100d811923acecd210217064
SHA-256: 4fbf1723fc6af2afa73db2cecb036ee04afb7e032eea387041a9d007c24976f6
httpd-devel-2.2.3-74.el5.s390.rpm
File outdated by:  RHSA-2014:0369
    MD5: d7341a7685dbc966c833bb9c57ab5992
SHA-256: 707830ff896c97caa6a24ca0fedb2ef123ff1b6d9a6f9e219216c20ff7f7f983
httpd-devel-2.2.3-74.el5.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: c25d8592d3b67ee6b5adeea3e160af14
SHA-256: 4200162ebff84003ccc3d451ec6bc6544ca39872df377be37530b7d11736d539
httpd-manual-2.2.3-74.el5.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 84788a5c52c38dd00eb1da424ff5dd64
SHA-256: 5fddc0c1a7ecff4909047a7a6eb23d3278572261a3efa343db45c8722fbaec66
mod_ssl-2.2.3-74.el5.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: dd1e5ded8503de38d2fbd539af0845cc
SHA-256: 0e9b5f53ac7f896a1011ebb747396de04651d0298c0f3b77a689a04af32ee0eb
 
x86_64:
httpd-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: a831606737a6651511610bb8931144a8
SHA-256: 43a74f0b7aadb50960442b7baf51450c8e09f3174ba1bc4ec8ed35ed6e3c9b59
httpd-debuginfo-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 505a9aa76bbf042d4b8304e7d12880af
SHA-256: 07c7272e96da44bea81a099adee4a8c32fef702aeb777e602d6ea7c43d05f0a2
httpd-debuginfo-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 027f3f7a8d44f9d1831113e2ce8c07b2
SHA-256: 4057a5d4c7a83f0b813c961dc0866b709d6878f9bc7153d87f4bbec2617ae29b
httpd-devel-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 5893ccb037db4c8f331db52e168cd848
SHA-256: 7b3b69af639d43fdd5c732ea6a22fe4ba1bfe1d6ed55f0f15abade9f73179ef1
httpd-devel-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 463ade9d58d323d2ce1e5e69696d374a
SHA-256: 1aa5983c730735ea8930ae511aaeb0b10a7445c5807771f5fbfb4445c525cd3e
httpd-manual-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 189360aead922b19408480c9120bf625
SHA-256: 57bf68d5ba4131ca6e2f62170489b2d8ceb59e599dec5607f2cb9dd85aadbaa6
mod_ssl-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 74c6bfb5b148d704a34d56486a18efa1
SHA-256: a12c6a0e76f67154db51bb8215bf51a4c482f84fed987cc3711f66eda1f9decb
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
httpd-2.2.3-74.el5.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: 9b3715a65bbc89750ceb73731471aec8
SHA-256: ce59717c363ee6bf76e74c4f08065f4afa9e596965d2dcf0d822cf43fdf75c1f
 
IA-32:
httpd-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: a132aeea6cfc1d366b82f413e446a5c8
SHA-256: 1c7b7b44c60db15211d6d94a4b10a4253e57460f17cb16620bbb4328634c74a2
httpd-debuginfo-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 505a9aa76bbf042d4b8304e7d12880af
SHA-256: 07c7272e96da44bea81a099adee4a8c32fef702aeb777e602d6ea7c43d05f0a2
mod_ssl-2.2.3-74.el5.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: b93df038911cfbd9836c25dc5da9bf5b
SHA-256: 6cfe0cf81a45329e6701afcb7c1ddc78f75c37b6312af477b506c93d02fdc516
 
x86_64:
httpd-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: a831606737a6651511610bb8931144a8
SHA-256: 43a74f0b7aadb50960442b7baf51450c8e09f3174ba1bc4ec8ed35ed6e3c9b59
httpd-debuginfo-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 027f3f7a8d44f9d1831113e2ce8c07b2
SHA-256: 4057a5d4c7a83f0b813c961dc0866b709d6878f9bc7153d87f4bbec2617ae29b
mod_ssl-2.2.3-74.el5.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 74c6bfb5b148d704a34d56486a18efa1
SHA-256: a12c6a0e76f67154db51bb8215bf51a4c482f84fed987cc3711f66eda1f9decb
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

727342 - LDAPChaseReferrals should be LDAPReferrals
752618 - mod_ssl post install script can cause failures
767890 - The mod_proxy_ajp lacks the ErrorOverride
773473 - [RHEL 5.7] Apache HTTP Server cannot start with mod_ssl when FIPS 140-2 mode enabled
783242 - service httpd reload return 0 when it fails
840845 - httpd fails in processing chunked requests with > 31 bytes chunk-size / -extension line
845532 - mod_cache regression in httpd 2.2.3-65: non-cacheable 304 responses serve bad data
850794 - CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled
879292 - CVE-2008-0456 httpd: mod_negotiation CRLF injection via untrusted file names in directories with MultiViews enabled


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/