Security Advisory Moderate: httpd security update

Advisory: RHSA-2014:0369-1
Type: Security Advisory
Severity: Moderate
Issued on: 2014-04-03
Last updated on: 2014-04-03
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2013-6438
CVE-2014-0098

Details

Updated httpd packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.

It was found that the mod_dav module did not correctly strip leading white
space from certain elements in a parsed XML. In certain httpd
configurations that use the mod_dav module (for example when using the
mod_dav_svn module), a remote attacker could send a specially crafted DAV
request that would cause the httpd child process to crash or, possibly,
allow the attacker to execute arbitrary code with the privileges of the
"apache" user. (CVE-2013-6438)

A buffer over-read flaw was found in the httpd mod_log_config module.
In configurations where cookie logging is enabled (on Red Hat Enterprise
Linux it is disabled by default), a remote attacker could use this flaw to
crash the httpd child process via an HTTP request with a malformed cookie
header. (CVE-2014-0098)

All httpd users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, the httpd daemon will be restarted automatically.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
httpd-2.2.3-85.el5_10.src.rpm
File outdated by:  RHBA-2014:1232
    MD5: eb6e2a2f05059ccd31bc26eaac2b4b13
SHA-256: 446aae04fdadb7507be909020a02878a19d0a35704036e9ef61fc50b5f691590
 
IA-32:
httpd-debuginfo-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: d39d5d8685ef371962c933f9b471e1a1
SHA-256: 91763ce05abe23df2c914d00b5c454d93d1b67f0f0fac3741f98b142b52fc702
httpd-devel-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: 4c23855964f3dd32e5f4651a2a5cd66d
SHA-256: 9c7f062ea0e6eb977bd791f815bc39041f1cdb2cab8578827695e1a1a8637893
httpd-manual-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: 04ae4eda4ba58b3e3a37e6513c9a6245
SHA-256: 57a29235c0a5df2c4b9d7dbffe821626d68076666c06332de9eeae8a09f9a7d8
 
x86_64:
httpd-debuginfo-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: d39d5d8685ef371962c933f9b471e1a1
SHA-256: 91763ce05abe23df2c914d00b5c454d93d1b67f0f0fac3741f98b142b52fc702
httpd-debuginfo-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 1f1b8fe930fa479fd2285ff1caf90f86
SHA-256: dd7913ff85ef45444d0a8eb22d6566b8592be62a3b3268810a3dacb515e01ddf
httpd-devel-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: 4c23855964f3dd32e5f4651a2a5cd66d
SHA-256: 9c7f062ea0e6eb977bd791f815bc39041f1cdb2cab8578827695e1a1a8637893
httpd-devel-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 75e60dfa89549e704e16cd6d3ed8d3f0
SHA-256: 06487a4e30597cd23c205d2e3a0128f63d8dc958682ad59888c2caba728e144d
httpd-manual-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 7ea4e932360c456c89bf92e87d04a689
SHA-256: f7d1389c45a83065fb9edbb5dde7853aeb67404c6109a263faa0e91e6c254037
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
httpd-2.2.3-85.el5_10.src.rpm
File outdated by:  RHBA-2014:1232
    MD5: eb6e2a2f05059ccd31bc26eaac2b4b13
SHA-256: 446aae04fdadb7507be909020a02878a19d0a35704036e9ef61fc50b5f691590
 
IA-32:
httpd-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: 6447d62752092652a29e0c4c47353e0f
SHA-256: ceb8567ecbcb2633628a3252abd1fe6806496e01a32c6edd6aa4904e74ea9297
httpd-debuginfo-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: d39d5d8685ef371962c933f9b471e1a1
SHA-256: 91763ce05abe23df2c914d00b5c454d93d1b67f0f0fac3741f98b142b52fc702
httpd-devel-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: 4c23855964f3dd32e5f4651a2a5cd66d
SHA-256: 9c7f062ea0e6eb977bd791f815bc39041f1cdb2cab8578827695e1a1a8637893
httpd-manual-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: 04ae4eda4ba58b3e3a37e6513c9a6245
SHA-256: 57a29235c0a5df2c4b9d7dbffe821626d68076666c06332de9eeae8a09f9a7d8
mod_ssl-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: b4f1bb63d7587cb3743a677950439c25
SHA-256: cd275bd572b44f4c29d2117a2088c3b302444c16647c2a09f5980593938330d2
 
IA-64:
httpd-2.2.3-85.el5_10.ia64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 37235afe1e4524331f4c1e5f49545afa
SHA-256: 717106bfeccf10fd7211ada5fea622bf5107ac48cb2a8eee51975773e0ff3353
httpd-debuginfo-2.2.3-85.el5_10.ia64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 90b717c1f6011535687d716e0af69b17
SHA-256: 71ed7959f01f85a0a3f1131b792eed89bd3cc8a75865ff4f6b24f5560958e5c6
httpd-devel-2.2.3-85.el5_10.ia64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 1862821242a774ef842ff1dfe4ad8d46
SHA-256: ff50bfd17b8ce73f385716144f2caa98d536b99dedfae9f5063b94f3f0b5f114
httpd-manual-2.2.3-85.el5_10.ia64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 503a606223c278f894f3bdeec5369b83
SHA-256: 892789699fa184a40b5b3cd27eedef42fc03bd02417daab0e113c16630dd8d0b
mod_ssl-2.2.3-85.el5_10.ia64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 2da0190028320e35a88a03d3f50ff667
SHA-256: aa73cdba043eea1ee37621985c2adfb8359932c2569b59c869ea27be2962cb5a
 
PPC:
httpd-2.2.3-85.el5_10.ppc.rpm
File outdated by:  RHBA-2014:1232
    MD5: 9821af03de35309ef4503862285cddc6
SHA-256: 015c26a84cdf20b8d8c3879bba3d74c56ef41f00cd4f17d287001d515c57ec48
httpd-debuginfo-2.2.3-85.el5_10.ppc.rpm
File outdated by:  RHBA-2014:1232
    MD5: 8b78b5005975faeed0a40eca1f3b3e9d
SHA-256: 5e2233a416968f3f50028ec526625cb15c8187cea80729235de46b7a3d4778e7
httpd-debuginfo-2.2.3-85.el5_10.ppc64.rpm
File outdated by:  RHBA-2014:1232
    MD5: b8ec9c75c779a9c743f0a682bc211d27
SHA-256: 61dc5a8dd71c964defdd183b60904263ffb35f9ac55d2e212a39bf91c031a0ff
httpd-devel-2.2.3-85.el5_10.ppc.rpm
File outdated by:  RHBA-2014:1232
    MD5: d06d0edc426a03a82c05a36bb63dde43
SHA-256: be9073a1b044aaa295a04058b5c6ec8171ac9c696633e30988c07ec104e51f66
httpd-devel-2.2.3-85.el5_10.ppc64.rpm
File outdated by:  RHBA-2014:1232
    MD5: acb9ea313177b24d747da6438bcad3cd
SHA-256: 5b380447cd302dd4cc21815ce6ddd81a9499843507b06b7198145e461c2d3695
httpd-manual-2.2.3-85.el5_10.ppc.rpm
File outdated by:  RHBA-2014:1232
    MD5: 18c50a27fa8da57992e6d1617c5ad7ff
SHA-256: c9e5d4b379fe666464747817940f7a6e9350db2ed08b97c597b0d371c78f37ed
mod_ssl-2.2.3-85.el5_10.ppc.rpm
File outdated by:  RHBA-2014:1232
    MD5: 044406db82f319f5b5c9af289b342867
SHA-256: 1172b1280d947cfefd11fe84d538699c79ea6663fba7de52cd27257f967e4b13
 
s390x:
httpd-2.2.3-85.el5_10.s390x.rpm
File outdated by:  RHBA-2014:1232
    MD5: cc2c4a5c570233c008458ae92e28db76
SHA-256: fec55aad8083b1e8af2fe5ff0046d6eb192401129a3e0d427d513103cf988571
httpd-debuginfo-2.2.3-85.el5_10.s390.rpm
File outdated by:  RHBA-2014:1232
    MD5: fa7b67a2c193b51c4320a8767108e04d
SHA-256: 4b73145bb9b5eee4284b354f10b8f37a302e5a93e1386cef76fee278becbd40d
httpd-debuginfo-2.2.3-85.el5_10.s390x.rpm
File outdated by:  RHBA-2014:1232
    MD5: fbe05cf45d775ed46a9994c3fa4bf3be
SHA-256: a37b706a2d9035e613c8c81a78c071d15243de8725dabe83f36c0729ab3c1f47
httpd-devel-2.2.3-85.el5_10.s390.rpm
File outdated by:  RHBA-2014:1232
    MD5: ae657da5d0115ed5ad3a4c6f48649872
SHA-256: 4698c47833eef4b411db6246452fec21270ae9028a350190b132bde5c1166672
httpd-devel-2.2.3-85.el5_10.s390x.rpm
File outdated by:  RHBA-2014:1232
    MD5: 09876911215179434332080b1379b052
SHA-256: 6380b09ba5bb4f224c0502a554340408e1fd9988f7cf267f3a2576cfce44e45f
httpd-manual-2.2.3-85.el5_10.s390x.rpm
File outdated by:  RHBA-2014:1232
    MD5: 50309ab024444ffbc711a1535dbcc1cc
SHA-256: 58c17aac9ab087a91e81bfd40075c20d33086ff982b34a2009c5d8ec6d473dc6
mod_ssl-2.2.3-85.el5_10.s390x.rpm
File outdated by:  RHBA-2014:1232
    MD5: 8a4602fb5223a2c449b0642d7b682f29
SHA-256: 953844a098352efe580211a38b9bfd343cd20adf2f11f5fb087ecbe432f146b2
 
x86_64:
httpd-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: a54788ea7e47254a2879b27cc1a81bdf
SHA-256: dfb2d9cd561d072bf4e7be0121dcf00c4e4e331327649ea5e63cd5084e0d1f9f
httpd-debuginfo-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: d39d5d8685ef371962c933f9b471e1a1
SHA-256: 91763ce05abe23df2c914d00b5c454d93d1b67f0f0fac3741f98b142b52fc702
httpd-debuginfo-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 1f1b8fe930fa479fd2285ff1caf90f86
SHA-256: dd7913ff85ef45444d0a8eb22d6566b8592be62a3b3268810a3dacb515e01ddf
httpd-devel-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: 4c23855964f3dd32e5f4651a2a5cd66d
SHA-256: 9c7f062ea0e6eb977bd791f815bc39041f1cdb2cab8578827695e1a1a8637893
httpd-devel-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 75e60dfa89549e704e16cd6d3ed8d3f0
SHA-256: 06487a4e30597cd23c205d2e3a0128f63d8dc958682ad59888c2caba728e144d
httpd-manual-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 7ea4e932360c456c89bf92e87d04a689
SHA-256: f7d1389c45a83065fb9edbb5dde7853aeb67404c6109a263faa0e91e6c254037
mod_ssl-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: d86fa5795527edd372e39838a96570e1
SHA-256: fefad44a87a39f352bf3c99a48be44d628f618d247bf8beae8bf69b2066da826
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
httpd-2.2.3-85.el5_10.src.rpm
File outdated by:  RHBA-2014:1232
    MD5: eb6e2a2f05059ccd31bc26eaac2b4b13
SHA-256: 446aae04fdadb7507be909020a02878a19d0a35704036e9ef61fc50b5f691590
 
IA-32:
httpd-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: 6447d62752092652a29e0c4c47353e0f
SHA-256: ceb8567ecbcb2633628a3252abd1fe6806496e01a32c6edd6aa4904e74ea9297
httpd-debuginfo-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: d39d5d8685ef371962c933f9b471e1a1
SHA-256: 91763ce05abe23df2c914d00b5c454d93d1b67f0f0fac3741f98b142b52fc702
mod_ssl-2.2.3-85.el5_10.i386.rpm
File outdated by:  RHBA-2014:1232
    MD5: b4f1bb63d7587cb3743a677950439c25
SHA-256: cd275bd572b44f4c29d2117a2088c3b302444c16647c2a09f5980593938330d2
 
x86_64:
httpd-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: a54788ea7e47254a2879b27cc1a81bdf
SHA-256: dfb2d9cd561d072bf4e7be0121dcf00c4e4e331327649ea5e63cd5084e0d1f9f
httpd-debuginfo-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: 1f1b8fe930fa479fd2285ff1caf90f86
SHA-256: dd7913ff85ef45444d0a8eb22d6566b8592be62a3b3268810a3dacb515e01ddf
mod_ssl-2.2.3-85.el5_10.x86_64.rpm
File outdated by:  RHBA-2014:1232
    MD5: d86fa5795527edd372e39838a96570e1
SHA-256: fefad44a87a39f352bf3c99a48be44d628f618d247bf8beae8bf69b2066da826
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1077867 - CVE-2013-6438 httpd: mod_dav denial of service via crafted DAV WRITE request
1077871 - CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/