7.82. httpd

Updated httpd packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

Security Fixes

CVE-2008-0455, CVE-2012-2687
An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site.
It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed.

Bug Fixes

When the Apache module mod_proxy was configured, and a particular back-end URL was reverse proxied into the server two or more times, a spurious warning in the following format was given:
[warn] worker [URL] already used by another worker
The level of this message has been changed from WARNING to INFO as it is not incorrect to proxy more than one URL to the same back-end server.
The mod_cache module did not handle 206 partial HTTP responses correctly. This resulted in incorrect responses being returned to clients if a cache was configured. With this update, mod_cache no longer caches 206 responses, thus ensuring correct responses are returned.
If LDAP authentication was used with a Novell eDirectory LDAP server, mod_ldap could return 500 Internal Server Error response if the LDAP server was temporarily unavailable. This update fixes mod_ldap to retry LDAP requests if the server is unavailable, and the 500 errors will not be returned in this case.
Previously, mod_proxy_connect performed unnecessary DNS queries when ProxyRemote was configured. Consequently, in configurations with ProxyRemote, mod_proxy_connect could either fail to connect, or be slow to connect to the remote server. This update changes mod_proxy to omit DNS queries if ProxyRemote is configured. As a result, the proxy no longer fails in such configurations.
When an SSL request failed and the -v 2 option was used, the ApacheBench (ab) benchmarking tool tried to free a certificate twice. Consequently, ab terminated unexpectedly due to a double free() error. The ab tool has been fixed to free certificates only once. As a result, the ab tool no longer crashes in the scenario described.
Previously, mod_ssl presumed the private key was set after the certificate in SSLProxyMachineCertificateFile. Consequently, httpd terminated unexpectedly if the private key had been set before the certificate in SSLProxyMachineCertificateFile. This update improves mod_ssl to check if the private key is set before the certificate. As a result, mod_ssl no longer crashes in this situation and prints an error message instead.
Prior to this update, mod_proxy_ajp did not correctly handle a flush message from a Java application server if received before the HTTP response headers had been sent. Consequently, users could receive a truncated response page without the correct HTTP headers. This update fixes mod_proxy_ajp to ignore flush messages before the HTTP response headers have been sent. As a result, truncated responses are no longer sent in scenario described.
In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a description string was received from the origin server, for a non-standard status code, such as the 450 status code, a 500 Internal Server Error would be returned to the client. This bug has been fixed so that the original response line is returned to the client.
Previously, the value of ${cookie}C in the LogFormat directive's definition matched substrings of cookie. Consequently, a bad cookie could be printed if its name contained a substring of the name defined in LogFormat using the ${cookie}C string. With this update, the code is improved so that cookie names are now matched exactly. As a result, a proper cookie is returned even when there are other cookies with its substring in their name.
Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the %post script for the mod_ssl package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and localhost.key was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The %post script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected.
Previously, in a reverse proxy configuration, mod_cache did not correctly handle a 304 Not Modified response from the origin server when refreshing a cache entry. Consequently, in some cases an empty page was returned to a client requesting an entity which already existed in the cache. This update fixes handling of 304 Not Modified responses in mod_cache and as a result no empty pages will be displayed in the scenario described.
Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client.


The Apache module mod_proxy now allows changing the BalancerMember state in the web interface.
The rotatelogs program now provides a new rotatelogs -p option to execute a custom program after each log rotation.
The rotatelogs program now provides a new rotatelogs -c option to create log files for each set interval, even if empty.
The LDAPReferrals configuration directive has been added, as an alias for the existing LDAPChaseReferrals directive.
The mod_proxy and mod_ssl modules have been updated to support the concurrent use of the mod_nss (NSS) and mod_ssl (OpenSSL) modules.
An init script for the htcacheclean daemon has been added.
The failonstatus parameter has been added for balancer configuration in mod_proxy.
Previously, mod_authnz_ldap had the ability to set environment variables from received LDAP attributes, but only by LDAP authentication, not by LDAP authorization. Consequently, if the mod_authnz_ldap module was used to enable LDAP for authorization but not authentication, the AUTHORIZE_ environment variables were not populated. This update applies a patch to implement setting of AUTHORIZE_ environment variables using LDAP authorization. As a result, other methods of authentication can be used while using LDAP authorization for setting environment variables for all configured LDAP attributes.
The %posttrans scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon.
The output of httpd -S now includes configured alias names for each virtual host.
The rotatelogs program has been updated to support the -L option to create a hard link from the current log to a specified path.
New certificate variable names are now exposed by mod_ssl using the _DN_userID suffix, such as SSL_CLIENT_S_DN_userID, which uses the commonly used object identifier (OID) definition of userID, OID 0.9.2342.19200300.100.1.1.
Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a chunk-size or chunk-extension value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs.
Users of httpd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.