Security Advisory Low: httpd security, bug fix, and enhancement update

Advisory: RHSA-2013:0512-2
Type: Security Advisory
Severity: Low
Issued on: 2013-02-21
Last updated on: 2013-02-21
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2008-0455
CVE-2012-2687
CVE-2012-4557

Details

Updated httpd packages that fix two security issues, several bugs, and add
various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The httpd packages contain the Apache HTTP Server (httpd), which is the
namesake project of The Apache Software Foundation.

An input sanitization flaw was found in the mod_negotiation Apache HTTP
Server module. A remote attacker able to upload or create files with
arbitrary names in a directory that has the MultiViews option enabled
could use this flaw to conduct cross-site scripting attacks against users
visiting the site. (CVE-2008-0455, CVE-2012-2687)
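
To find the directories that meet this precondition, the following added example (not part of the Red Hat advisory or of httpd) resolves the effective MultiViews state for each <Directory> section of an httpd 2.2 configuration. The sample configuration and its paths are constructed, and the function names are illustrative.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/docs">
    Options +MultiViews
</Directory>
<Directory "/var/www/html/docs/uploads">
    AllowOverride None
</Directory>
<Directory "/var/www/html/static">
    Options All
</Directory>
<Directory "/var/www/html/docs/archive">
    Options -MultiViews
</Directory>
"""

SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS = re.compile(r'^\s*Options\s+(.+?)\s*$', re.M | re.I)

def apply_options(inherited, tokens):
    """Return the MultiViews state after one Options directive."""
    toks = [t.lower() for t in tokens]
    if all(t[0] in "+-" for t in toks):
        # Relative form: merged with the state inherited from parent sections.
        if "+multiviews" in toks:
            return True
        if "-multiviews" in toks:
            return False
        return inherited
    # Absolute form replaces inherited options; "All" does not include MultiViews.
    return "multiviews" in toks or "+multiviews" in toks

def multiviews_dirs(conf):
    """List directories whose effective Options include MultiViews."""
    sections = []
    for path, body in SECTION.findall(conf):
        directives = [m.split() for m in OPTIONS.findall(body)]
        sections.append((path.rstrip("/") or "/", directives))
    sections.sort(key=lambda s: len(s[0]))  # httpd merges shortest path first
    flagged = []
    for path, _ in sections:
        state = False  # httpd 2.2 default is "Options All", i.e. no MultiViews
        for parent, directives in sections:
            if path == parent or path.startswith(parent.rstrip("/") + "/"):
                for tokens in directives:
                    state = apply_options(state, tokens)
        if state:
            flagged.append(path)
    return flagged
```

The uploads directory is reported even though it sets no Options of its own, because it inherits MultiViews from its parent. Options set in .htaccess files, <DirectoryMatch> sections and wildcard paths are not evaluated here.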

It was discovered that mod_proxy_ajp, when used in configurations with
mod_proxy in load balancer mode, would mark a back-end server as failed
when request processing timed out, even when a previous AJP (Apache JServ
Protocol) CPing request was responded to by the back-end. A remote
attacker able to make a back-end use an excessive amount of time to
process a request could cause mod_proxy to not send requests to back-end
AJP servers for the retry timeout period or until all back-end servers
were marked as failed. (CVE-2012-4557)
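
To see which workers match the configuration this issue applies to, the following added example (not part of the Red Hat advisory or of httpd) lists the AJP members of each balancer together with the worker parameters that govern the behaviour described above. The host names and balancer name are constructed; ping, timeout and retry are the mod_proxy worker parameters.

```python
import re

# Constructed sample configuration (hosts and balancer name are made up).
SAMPLE_CONF = """
<Proxy balancer://appcluster>
    BalancerMember ajp://app1.example.internal:8009 ping=2 timeout=10
    BalancerMember ajp://app2.example.internal:8009 ping=2 timeout=10 retry=300
    BalancerMember http://app3.example.internal:8080
</Proxy>
ProxyPass /app balancer://appcluster/app
ProxyPass /legacy ajp://legacy.example.internal:8009/legacy
"""

DEFAULT_RETRY = 60  # mod_proxy default for the worker "retry" parameter (seconds)
BALANCER = re.compile(r'<Proxy\s+"?(balancer://[^\s">]+)"?\s*>(.*?)</Proxy>',
                      re.S | re.I)
MEMBER = re.compile(r'^\s*BalancerMember\s+(\S+)(.*)$', re.M | re.I)

def ajp_balancer_members(conf):
    """Return AJP workers that sit behind a balancer, with their settings."""
    found = []
    for balancer, body in BALANCER.findall(conf):
        for url, rest in MEMBER.findall(body):
            if not url.lower().startswith("ajp://"):
                continue  # only mod_proxy_ajp workers are in scope
            params = dict(p.split("=", 1) for p in rest.split() if "=" in p)
            found.append({
                "balancer": balancer,
                "member": url,
                "cping": "ping" in params,        # CPing check configured
                "timeout": params.get("timeout"),  # None means inherited
                # Seconds a failed worker is skipped before it is retried.
                "retry": int(params.get("retry", DEFAULT_RETRY)),
            })
    return found
```

The directly proxied /legacy AJP back-end is not listed because it is not a balancer member; the retry value shows how long a worker marked as failed stays out of rotation.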

These updated httpd packages include numerous bug fixes and enhancements.
Space precludes documenting all of these changes in this advisory. Users
are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked
to in the References, for information on the most significant of these
changes.

All users of httpd are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements. After installing the updated packages, the httpd daemon will
be restarted automatically.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
httpd-2.2.15-26.el6.src.rpm
File outdated by:  RHSA-2014:0370
 
IA-32:
httpd-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-manual-2.2.15-26.el6.noarch.rpm
File outdated by:  RHSA-2014:0370
httpd-tools-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
mod_ssl-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
 
x86_64:
httpd-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-manual-2.2.15-26.el6.noarch.rpm
File outdated by:  RHSA-2014:0370
httpd-tools-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
mod_ssl-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
httpd-2.2.15-26.el6.src.rpm
File outdated by:  RHSA-2014:0370
 
x86_64:
httpd-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-manual-2.2.15-26.el6.noarch.rpm
File outdated by:  RHSA-2014:0370
httpd-tools-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
mod_ssl-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
httpd-2.2.15-26.el6.src.rpm
File outdated by:  RHSA-2014:0370
 
IA-32:
httpd-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-manual-2.2.15-26.el6.noarch.rpm
File outdated by:  RHSA-2014:0370
httpd-tools-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
mod_ssl-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
 
PPC:
httpd-2.2.15-26.el6.ppc64.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.ppc.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.ppc64.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.ppc.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.ppc64.rpm
File outdated by:  RHSA-2014:0370
httpd-manual-2.2.15-26.el6.noarch.rpm
File outdated by:  RHSA-2014:0370
httpd-tools-2.2.15-26.el6.ppc64.rpm
File outdated by:  RHSA-2014:0370
mod_ssl-2.2.15-26.el6.ppc64.rpm
File outdated by:  RHSA-2014:0370
 
s390x:
httpd-2.2.15-26.el6.s390x.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.s390.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.s390x.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.s390.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.s390x.rpm
File outdated by:  RHSA-2014:0370
httpd-manual-2.2.15-26.el6.noarch.rpm
File outdated by:  RHSA-2014:0370
httpd-tools-2.2.15-26.el6.s390x.rpm
File outdated by:  RHSA-2014:0370
mod_ssl-2.2.15-26.el6.s390x.rpm
File outdated by:  RHSA-2014:0370
 
x86_64:
httpd-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-manual-2.2.15-26.el6.noarch.rpm
File outdated by:  RHSA-2014:0370
httpd-tools-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
mod_ssl-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
httpd-2.2.15-26.el6.src.rpm
File outdated by:  RHSA-2014:0370
 
IA-32:
httpd-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-manual-2.2.15-26.el6.noarch.rpm
File outdated by:  RHSA-2014:0370
httpd-tools-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
mod_ssl-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
 
x86_64:
httpd-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-debuginfo-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.i686.rpm
File outdated by:  RHSA-2014:0370
httpd-devel-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
httpd-manual-2.2.15-26.el6.noarch.rpm
File outdated by:  RHSA-2014:0370
httpd-tools-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
mod_ssl-2.2.15-26.el6.x86_64.rpm
File outdated by:  RHSA-2014:0370
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

757735 - [RFE] httpd's rotatelogs needs a way to rotate files into a custom location
757739 - [RFE] rotatelogs needs to create files even if they are empty
805720 - Only a single interface is available for SSL
805810 - init script for htcacheclean is missing
828896 - mod_authnz_ldap unable to set environment variables for authorize only
829689 - mod_ldap: fix occasional 500 Internal Server Error
842376 - httpd fails in processing chunked requests with > 31 bytes chunk-size / -extension line
848954 - Putting private key first in SSLProxyMachineCertificateFile causes segfault
850794 - CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled
867745 - mod_ssl post install script can cause failures
868283 - mod_cache regression in httpd 2.2.3-65: non-cacheable 304 responses serve bad data
871685 - CVE-2012-4557 httpd: mod_proxy_ajp worker moved to error state when timeout exceeded
876923 - "if" condition always true - detected by Coverity


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/