RHBA-2011:0130 - Bug Fix Advisory

Topic

Updated httpd packages that resolve several issues are now available.

Description

The Apache HTTP Server is a popular web server.

These updated packages provide fixes for the following bugs:

• In a reverse proxy configuration, the Date field in the response headers sent

by an upstream server was replaced by a Date header using the local time at the
proxy server. This could result in inappropriate caching of the response in
browsers or downstream caches. The Date header is no longer replaced in a
reverse proxy configuration and caching is correct. (BZ#565865)

• Due to a bug in the filter initialization process, filters configured using

the "mod_filter" module were not handled correctly if a "sub-request" took
place. For example, using the "FilterChain" directive to configure the
"DEFLATE" compression filter with a Server-Side-Include page could result in
pages which were only partially compressed. With this update filters used with
mod_filter operate correctly. (BZ#570628)

• If using a WebDAV repository, uploading new content with the "PUT" HTTP method

could remove an existing resource if an error occurred during the upload. This
was caused by a bug in failure handling. With this update the content remains in
place. (BZ#572910)

• The output of the "mod_deflate" module could have contained corrupted or empty

HTTP responses when either response compression was enabled, or when acting as a
proxy, expansion of compressed responses from upstream servers. The compressed
responses are now fixed. (BZ#593715, BZ#612211)

• If the "mod_dbd" module was used, due to a memory lifetime issue in the

module, an error message from glibc concerning "double free or corruption" could
be raised when the httpd daemon was stopped, and the daemon would terminate
unexpectedly. This update fixes the memory lifetime issues. The error message no
longer appears and the server exits normally. (BZ#633955)

• When executing "service httpd stop", a 10-seconds timeout is used before

terminating the httpd parent process in case of error. If this timeout was
insufficient, resources did not allow the parent process to terminate cleanly
and could be leaked. The "STOP_TIMEOUT" environment variable has been introduced
which can be used in the "/etc/sysconfig/httpd" configuration file to change the
timeout. This can be used to allow a longer delay and fix resource leaks if the
httpd parent is slow to terminate. (BZ#644223)

• If arguments passed to the "ab" benchmarking program triggered a memory

allocation failure, ab could terminate with a Segmentation Fault error. The
memory allocation failure is now trapped earlier, and the program exits
gracefully with an error message. (BZ#645845)

All httpd users are advised to upgrade to these updated packages, which resolve
these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat
Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 572910 - "could not get next bucket brigade" while a client is doing a PUT results in data loss
• BZ - 593715 - mod_deflate does not flush output stream if handler performs flush.
• BZ - 612211 - mod_deflate/mod_proxy generating 'Inflate error -5 on flush' errors
• BZ - 644223 - Some semaphores are not cleaned during httpd shutdown
• BZ - 645845 - ab -n overflows

CVEs

(none)

References

(none)