RHBA-2011:1630 - Bug Fix Advisory

Topic

Updated httpd packages that fix several bugs are now available for Red Hat
Enterprise Linux 6.

Description

The Apache HTTP Server is a popular web server.

These updated httpd packages provide fixes for the following bugs:

• The Apache module "mod_proxy" implements a proxy or gateway for the Apache web

server. The "ProxyErrorOverride On" option did not work if used with
"mod_proxy_ajp", the AJP support module for mod_proxy. Consequently when
accessing a 404 URL in the "/static" context, which was proxied with AJP, the
404 page from the proxy was displayed rather than the 404 page from Apache
itself. This update corrects the code and accessing 404 URLs now works as
intended, via Apache, as defined in "ErrorDocument". (BZ#694939)

• When a backend server sends data via SSL, and is using chunked transfer

encoding, the backend splits the chunk between two different SSL blocks. Prior
to this update, when transferring data via SSL through a reverse proxy
implemented with Apache, "mod_proxy", and "mod_ssl", the end of the first SSL
block was sometimes lost and the length of the next chunk was thus invalid.
Consequently, files were sometimes corrupted during transfer via SSL. This
updates implements a backported fix to this problem and the error no longer
occurs. (BZ#700074)

• The "FilterProvider" directive of the "mod_filter" module was unable to match

against non-standard HTTP response headers. Consequently, output content data
was not filtered or processed as expected by httpd in certain configurations.
With this update, a backported patch has been applied to address this issue, and
the FilterProvider directive is now able to match against non-standard HTTP
response headers as expected. (BZ#700075)

• In situations where httpd could not allocate memory, httpd sometimes

terminated unexpectedly with a segmentation fault rather than terminating the
process with an error message. With this update, a patch has been applied to
correct this issue and httpd no longer crashes in the scenario described.
(BZ#700393)

• Server Name Indication (SNI) sends the name of the virtual domain as part of

the TLS negotiation. Prior to this enhancement, if a client sent the wrong SNI
data the client would be rejected. With this update, in configurations where SNI
is not required, "mod_ssl" can ignore the SNI hostname "hint". (BZ#714704)

• Prior to this update, httpd terminated unexpectedly on startup with a

segmentation fault when proxy client certificates were shared across multiple
virtual hosts (using the SSLProxyMachineCertificateFile directive). With this
update a patch has been applied and httpd no longer crashes in the scenario
described. (BZ# 720980)

• When the "SSLCryptoDevice" config variable in "ssl.conf" was set to an unknown

or invalid value, the httpd daemon would terminate unexpectedly with a
segmentation fault at startup. With this update the code has been corrected,
httpd no longer crashes, and httpd will issue an appropriate error message in
this scenario. (BZ#729585)

• If using mod_proxy_ftp, an httpd process could terminated unexpectedly with a

segmentation fault when tests were made on an IPv6 localhost enabled machine.
This update implements improvements to the code and the mod_proxy_ftp process no
longer crashes in the scenario described. (BZ#737960)

• When using the "mod_cache" module, by default, the "CacheMaxExpire" directive

is only applied to responses which do not specify their expiry date. Previously,
it was not possible to limit the maximum expiry time for all resources. This
update applies a patch which adapts the mod_cache module to provide support for
"hard" as a second argument of the CacheMaxExpire directive, allowing a maximum
expiry time to be enforced for all resources. (BZ#740242)

• The "mod_reqtimeout" module, when enabled, allows fine-grained timeouts to be

applied during request parsing. The mod_reqtimeout module has been backported
from upstream in this update. (BZ#676634)

All users of httpd are advised to upgrade to these updated packages, which fix
these bugs.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 676634 - update mod_reqtimeout to 2.2.17
• BZ - 694939 - mod_proxy_ajp does not honor "ProxyErrorOverride"
• BZ - 700074 - mod_proxy with SSLProxyEngine truncates files fetched with chunked encoding Summary
• BZ - 700075 - mod_filter cannot match against response headers from CGI script
• BZ - 729585 - httpd segfaults when SSLCryptoDevice set to invalid
• BZ - 740242 - Apache CacheMaxExpire directive ignored (upstream reported bug with patch)

CVEs

(none)

References

(none)