1.70. httpd

Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially-crafted requests. (CVE-2010-0408)

A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434)

This update also adds the following enhancement:

* with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the "SSLInsecureRenegotiation" configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980)

Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update partially mitigates this flaw for SSL sessions to HTTP servers using mod_ssl by rejecting client-requested renegotiation. (CVE-2009-3555)

Note: This update does not fully resolve the issue for HTTPS servers. An attack is still possible in configurations that require a server-initiated renegotiation. Refer to the following Knowledgebase article for further information: http://kbase.redhat.com/faq/docs/DOC-20491

A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service. (CVE-2009-3094)

A second flaw was found in the Apache mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server. (CVE-2009-3095)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Updated httpd packages that fix bugs and add enhancements are now available.

The Apache HTTP Server is a popular and freely-available Web server.

These updated httpd packages provide fixes for the following bugs:

* the mod_authnz_ldap module did not allow other modules to handle authorization if no LDAP-specific requirements were used in the "Require" directive. (BZ#448350)

* the httpd "init" script did not work correctly if the PidFile directive was removed from httpd.conf. (BZ#505002)

* mod_ssl would fail to complete a handshake if more the 85 CAs were configured using SSLCACertificateFile and/or SSLCACertificatePath. (BZ#510515)

* the "X-Pad" header used for compatibility with old browser implementations has been removed. (BZ#526110)

* mod_proxy_ajp could fail if uploading large files. (BZ#528640)

* .NET clients using the "Expect: 100-continue" header could cause spurious responses. (BZ#533407)

* the OID() function supported in mod_ssl's SSLRequire directive could not evaluate some extension types. (BZ#552942)

The following enhancements have also been made:

* the "DiscardPathInfo" flag (or "DPI") has been added to mod_rewrite. (BZ#517500)

* the AuthLDAPRemoteUserAttribute directive has been added to mod_authnz_ldap. (BZ#520838)

* the AuthLDAPDynamicGroups directive has been added to mod_authnz_ldap, to enable support for dynamic groups. (BZ#252038)

* the mod_substitute module is now included. (BZ#539256)

All Apache users should install these updated packages which address these issues.