Skip to navigation

Security Advisory Moderate: httpd security update

Advisory: RHSA-2013:1133-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-08-05
Last updated on: 2013-08-05
Affected Products: JBoss Enterprise Web Server v2 EL5
JBoss Enterprise Web Server v2 EL6
CVEs (cve.mitre.org): CVE-2013-1862
CVE-2013-1896

Details

Updated httpd packages that fix two security issues are now available for
Red Hat JBoss Web Server 2.0.1 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

A flaw was found in the way the mod_dav module of the Apache HTTP Server
handled merge requests. An attacker could use this flaw to send a crafted
merge request that contains URIs that are not configured for DAV, causing
the httpd child process to crash. (CVE-2013-1896)

It was found that mod_rewrite did not filter terminal escape sequences from
its log file. If mod_rewrite was configured with the RewriteLog directive,
a remote attacker could use specially-crafted HTTP requests to inject
terminal escape sequences into the mod_rewrite log file. If a victim viewed
the log file with a terminal emulator, it could result in arbitrary command
execution with the privileges of that user. (CVE-2013-1862)

Warning: Before applying the update, back up your existing Red Hat JBoss
Web Server installation (including all applications and configuration
files).

All users of Red Hat JBoss Web Server 2.0.1 should upgrade to these updated
packages, which contain backported patches to correct these issues. After
installing the updated packages, users must restart the httpd service for
the update to take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

JBoss Enterprise Web Server v2 EL5

SRPMS:
httpd-2.2.22-25.ep6.el5.src.rpm     MD5: 251554205834f23d1eaa4f5a6679dd69
SHA-256: b300fa277ebac943da5847b16a652e82c7e7d9acfb9e73d7a0147da555b0328b
 
IA-32:
httpd-2.2.22-25.ep6.el5.i386.rpm     MD5: 1c2e7ae4dcd264cd9bc0f9320e5d2b42
SHA-256: aac1f724976a37b1dd35f71e09d45c1dabe85cf9685ba06a8ac1aa2bf2dfea4f
httpd-devel-2.2.22-25.ep6.el5.i386.rpm     MD5: 182074d63bbd099682c7feea0f7df144
SHA-256: 9d44a45d87c4e23bf83c84a2c1187ca5fcce939950e0402f366b9bf065638e24
httpd-manual-2.2.22-25.ep6.el5.i386.rpm     MD5: 2ad4a0f796a2667e262c3b970addbdd3
SHA-256: 39c00dda76c5fd3856a2d357b9a458c54d133422eeb5c39120226f20a5a71fd9
httpd-tools-2.2.22-25.ep6.el5.i386.rpm     MD5: 9e2562c38ada4fa2791c69c5d7e3f484
SHA-256: 8bedab81f5a3ab5bb9ab64ed5ce1ae869470ee7f81d63a941d0d2e0907cee0e0
mod_ssl-2.2.22-25.ep6.el5.i386.rpm     MD5: 9f7808a989cbe710bda364faca8fe55b
SHA-256: 595126375969c7a8dd2f69bead86f8b6297d4bf16d3697eea6857760254374af
 
x86_64:
httpd-2.2.22-25.ep6.el5.x86_64.rpm     MD5: 3be131ed5a7e0a43cee524f8a28f2146
SHA-256: bc0582c35c6205f9a9db04b5babfd4d6e315d47e60e80842cc0550cd50a8dd41
httpd-devel-2.2.22-25.ep6.el5.x86_64.rpm     MD5: ed21569c0a08548290868850a9f1044d
SHA-256: ee0982e7b120033986e45c768ab3b94fe4ed00ae648bd35861cdd81c7fc7d4f9
httpd-manual-2.2.22-25.ep6.el5.x86_64.rpm     MD5: 293ed61886dc92caa8c83bc6580c47de
SHA-256: 35bcc120ef06e5fb35f6ccf3435af2451b19abfb135742d9c9f0464493752b48
httpd-tools-2.2.22-25.ep6.el5.x86_64.rpm     MD5: be3b54b6965456e291259f705367a5a3
SHA-256: 9c496c33fc923f06968cc583d0e01413a4518f6b863dad1d363c5a2f217c4b7f
mod_ssl-2.2.22-25.ep6.el5.x86_64.rpm     MD5: f23515b2a3de83dc33e8b2d508b706b0
SHA-256: ddda27d8c5aa91df712751ed7fe0fa06cb55ea0b0473cafc46901f2a52a5545a
 
JBoss Enterprise Web Server v2 EL6

SRPMS:
httpd-2.2.22-25.ep6.el6.src.rpm     MD5: 525ae5d77d7a5f03b520b32bed59d55c
SHA-256: ff37fb92b4bdf0a3c03346ec82f89d6a085a833bcb0afe2ad4d2813f093aa6ed
 
IA-32:
httpd-2.2.22-25.ep6.el6.i386.rpm     MD5: db15cfd337857c3712d3b8066c135e1c
SHA-256: d8ec99a8eb24525e0cf5c56276a747b8a32d8467cb137f272b86eb9a76c437c6
httpd-devel-2.2.22-25.ep6.el6.i386.rpm     MD5: d735a382ad055ef56984632680feca75
SHA-256: 3528fb6bbe63c34522cf145b81abf657aacb6c0a21dc34a759213122b6938a06
httpd-manual-2.2.22-25.ep6.el6.i386.rpm     MD5: 2f84530dfe9ea4e3418b8a6846a6b53b
SHA-256: 96c32fa9bc0f66710b3b1debff1a89b758c350b078b3b03a8f602e553a84496a
httpd-tools-2.2.22-25.ep6.el6.i386.rpm     MD5: 07e441ee2532323d181f5976e168a7d6
SHA-256: 3ee8a8bd9ad7aacbc936c54364d3d7e48559de8176d38edf8e3e6b72a3b4f80f
mod_ssl-2.2.22-25.ep6.el6.i386.rpm     MD5: 1b80b3b5cb917c08a13ed9d244a384e0
SHA-256: d09bd5473e44a33a8fd3d946bf75e57f65bd20868591658a8da142e3c5ddd388
 
x86_64:
httpd-2.2.22-25.ep6.el6.x86_64.rpm     MD5: d49966a82ed2b0ecdf40ca0cb7328d67
SHA-256: 3f0a94cd8eb5ddebc4294d1f8f32904756c3da6965862788f1da9987b4c73323
httpd-devel-2.2.22-25.ep6.el6.x86_64.rpm     MD5: 2073ae585af32ea78602f2b0ec069a45
SHA-256: 7d19d371efa25a6104a5f532730654914252c16722b9892cf849f5f7e6b767dd
httpd-manual-2.2.22-25.ep6.el6.x86_64.rpm     MD5: 669457ac2bfbc4e9ce599b230a5675cb
SHA-256: e8c1194ab5581f3e9997ab4ce1deef0752f846669c1c78c62a2f390708f90d24
httpd-tools-2.2.22-25.ep6.el6.x86_64.rpm     MD5: 50476cf4e88b92f801d30d0946487ad7
SHA-256: 432bde5c64560e7d8cd095cbf5420b222f7aabce8ca415877d19b860951ea7f3
mod_ssl-2.2.22-25.ep6.el6.x86_64.rpm     MD5: a0cd4069faed987cac3e492c66621fe2
SHA-256: 26f2a5d2a4e3900abfc4958a77172b2571da9706395e2d5504f21a0f7344ae22
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

953729 - CVE-2013-1862 httpd: mod_rewrite allows terminal escape sequences to be written to the log file
983549 - CVE-2013-1896 httpd: mod_dav DoS (httpd child process crash) via a URI MERGE request with source URI not handled by mod_dav


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/