Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The Apache HTTP Server is a popular web server.
- CVE-2011-3639, CVE-2011-4317
- It was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1391) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially-crafted URI.
- An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a ".htaccess" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the "apache" user.
- A flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.
All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.
Updated httpd packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The Apache HTTP Server is a popular web server.
- The Apache module "mod_proxy" implements a proxy or gateway for the Apache web server. The "ProxyErrorOverride On" option did not work if used with "mod_proxy_ajp", the AJP support module for mod_proxy. Consequently when accessing a 404 URL in the "/static" context, which was proxied with AJP, the 404 page from the proxy was displayed rather than the 404 page from Apache itself. This update corrects the code and accessing 404 URLs now works as intended, via Apache, as defined in "ErrorDocument".
- When a backend server sends data via SSL, and is using chunked transfer encoding, the backend splits the chunk between two different SSL blocks. Prior to this update, when transferring data via SSL through a reverse proxy implemented with Apache, "mod_proxy", and "mod_ssl", the end of the first SSL block was sometimes lost and the length of the next chunk was thus invalid. Consequently, files were sometimes corrupted during transfer via SSL. This updates implements a backported fix to this problem and the error no longer occurs.
- The "FilterProvider" directive of the "mod_filter" module was unable to match against non-standard HTTP response headers. Consequently, output content data was not filtered or processed as expected by httpd in certain configurations. With this update, a backported patch has been applied to address this issue, and the FilterProvider directive is now able to match against non-standard HTTP response headers as expected.
- In situations where httpd could not allocate memory, httpd sometimes terminated unexpectedly with a segmentation fault rather than terminating the process with an error message. With this update, a patch has been applied to correct this issue and httpd no longer crashes in the scenario described.
- Server Name Indication (SNI) sends the name of the virtual domain as part of the TLS negotiation. Prior to this enhancement, if a client sent the wrong SNI data the client would be rejected. With this update, in configurations where SNI is not required, "mod_ssl" can ignore the SNI hostname "hint".
- BZ# 720980
- Prior to this update, httpd terminated unexpectedly on startup with a segmentation fault when proxy client certificates were shared across multiple virtual hosts (using the SSLProxyMachineCertificateFile directive). With this update a patch has been applied and httpd no longer crashes in the scenario described.
- When the "SSLCryptoDevice" config variable in "ssl.conf" was set to an unknown or invalid value, the httpd daemon would terminate unexpectedly with a segmentation fault at startup. With this update the code has been corrected, httpd no longer crashes, and httpd will issue an appropriate error message in this scenario.
- If using mod_proxy_ftp, an httpd process could terminated unexpectedly with a segmentation fault when tests were made on an IPv6 localhost enabled machine. This update implements improvements to the code and the mod_proxy_ftp process no longer crashes in the scenario described.
- When using the "mod_cache" module, by default, the "CacheMaxExpire" directive is only applied to responses which do not specify their expiry date. Previously, it was not possible to limit the maximum expiry time for all resources. This update applies a patch which adapts the mod_cache module to provide support for "hard" as a second argument of the CacheMaxExpire directive, allowing a maximum expiry time to be enforced for all resources.
- The "mod_reqtimeout" module, when enabled, allows fine-grained timeouts to be applied during request parsing. The mod_reqtimeout module has been backported from upstream in this update.
All users of httpd are advised to upgrade to these updated packages, which fix these bugs.