RHBA-2009:1380 - Bug Fix Advisory

Topic

Updated httpd packages that fix various bugs are now available.

Description

The Apache HTTP Server is a popular and freely-available Web server.

These updated httpd packages provide fixes for the following bugs:

• Apache's mod_mime_magic module attempts to determine the MIME type of

files using heuristic tests. However, the "magic" file used by the
mod_mime_magic module was unable to detect PNG images correctly as being of
MIME type "image/png", which this update corrects. (BZ#240844)

• when using a reverse-proxy configuration with the mod_nss module being

used in place of the usual mod_ssl module, the mod_proxy module failed to
pass the hostname, which resulted in this error message: "Requested domain
name does not match the server's certificate". The hostname is now passed
correctly so that secure HTTP (https) connections no longer fail due to
this error. (BZ#479410)

• the "mod_ssl" module placed a hard-coded 128K limit on the amount of

request body data which would be buffered if an SSL renegotiation was
required in a Location or Directory context. This could occur if a POST
request was made to a Directory or Location which required client
certificate authentication. The limit on the amount of data to buffer is
now configurable using the "SSLRenegBufferSize" directive. (BZ#479806)

• when configuring a reverse proxy using an .htaccess file (instead of

httpd.conf) by using a "RewriteRule" to proxy requests using the "[P]"
flag, space characters in URIs would not be correctly escaped in remote
server requests, resulting in "404 Not Found" response codes. This has been
fixed so that .htaccess-configured reverse proxies perform proper
character-escaping. (BZ#480604)

• if an error occurred when invoking a CGI script, the "500 Internal Server

Error" error document was not generated. (BZ#480932)

• the mod_speling module attempts to correct misspellings of URLs. When the

"AcceptPathInfo" directive was not enabled, then mod_speling did not handle
and correct misspelled directory names. This has been fixed so that
directory names are always handled, and possibly corrected, by the
mod_speling module, regardless of the value that "AcceptPathInfo" is set
to. (BZ#485524)

• if request body data was buffered when an SSL renegotiation was required

in a Location or Directory context, then the buffered data was discarded if
an internal redirect occurred. (BZ#488886)

• the httpd init script did not reference the process ID stored by a

running daemon, and invocations could affect other httpd processes running
on the system. (BZ#491135)

• during a graceful restart, a spurious "Bad file descriptor" error message

was sometimes logged. The error, though harmless, occurred because the
socket on which the server called the accept() function was immediately
closed in child processes upon receipt of the graceful restart signal. This
error message is no longer logged. (BZ#233955)

• during a graceful restart, the following spurious error messages were

logged by the mod_rewrite module if the "RewriteLog" directive was
configured: "apr_global_mutex_lock(rewrite_log_lock) failed". (BZ#493023)

• Apache's mod_ext_filter module sometimes logged this spurious error

message if an input filter was configured and an error response was sent:
"Bad file descriptor: apr_file_close(child input)". (BZ#479463)

• the "%p" format option in the "CustomLog" directive, used to log a port

number in a request, did not respect the "remote" and "local" specifiers.
(BZ#493070)

• the httpd package inappropriately obsoleted the "mod_jk" package; it no

longer does so. (BZ#493592)

• an invalid HTTP status code--such as 70007--was logged to the access log if

a timeout or other input error occurred while reading the request body
during processing of a CGI script. (BZ#498170)

• a security issue fix (CVE-2009-1195) in Server-Side Include (SSI)

Options-handling inadvertently broke backwards-compatibility with the
mod_perl module. (BZ#502998)

Users are advised to upgrade to these updated packages, which resolve these
issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 233955 - Bad file descriptor: apr_socket_accept
• BZ - 240844 - /etc/httpd/conf/magic is too simple (PNG is missing)
• BZ - 479463 - Bad file descriptor: apr_file_close(child input)
• BZ - 479806 - Can't do POST larger than 128K to ssl sites
• BZ - 480932 - mod_cgi: error pages have wrong headers
• BZ - 485524 - mod_speling not correcting directory names in a URI
• BZ - 488886 - mod_rewrite+mod_ssl+SSLVerifyClient = no POST variables
• BZ - 491135 - Fix /etc/init.d/httpd to use the pid file of the server to restart instead of blowing all httpds away
• BZ - 491763 - HTTPS+SSLVerifyClient require in <Directory>+big POST = Apache error
• BZ - 493023 - mod_rewrite: apr_global_mutex_lock(rewrite_log_lock) failed
• BZ - 493070 - mod_log_config: format options for %p (locale, remote) broken
• BZ - 493592 - The httpd package shouldn't obsolete mod_jk
• BZ - 498170 - httpd incorrectly returns lower level return code (70007 status code is not RFC)
• BZ - 502998 - Backwards compatibility for CVE-2009-1195 change

CVEs

(none)

References

(none)