Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

4.37. httpd

Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The Apache HTTP Server is a popular web server.

Security Fixes

CVE-2012-4558
Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session.
CVE-2013-1862
It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user.
CVE-2012-3499
Cross-site scripting (XSS) flaws were found in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially-crafted Host header.
All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.
Updated httpd packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
The Apache HTTP Server is a popular web server.

Security Fix

CVE-2013-1896
A flaw was found in the way the mod_dav module of the Apache HTTP Server handled merge requests. An attacker could use this flaw to send a crafted merge request that contains URIs that are not configured for DAV, causing the httpd child process to crash.
All httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon will be restarted automatically.
Updated httpd packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Bug Fix

BZ#974162
Due to a bug in the mod_mem_cache module, child processes sometimes terminated unexpectedly with a segmentation fault while using the threaded "worker" Multi-Processing Modules (MPM) (/usr/sbin/httpd.worker). This update fixes mod_mem_cache to repair thread-safety issues, and crashes no longer occur in the described scenario.
Users of httpd are advised to upgrade to these updated packages, which fix this bug. After installing the updated packages, the httpd daemon will be restarted automatically.