Red Hat Product Errata RHSA-2006:0619 - Security Advisory
Issued:
2006-08-10
Updated:
2006-08-10

RHSA-2006:0619 - Security Advisory

Synopsis

httpd security update

Type/Severity

Security Advisory: Moderate

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated Apache httpd packages that correct security issues and resolve bugs
are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

The Apache HTTP Server is a popular Web server available for free.

A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header. (CVE-2006-3918)

While a web browser cannot be forced to send an arbitrary Expect
header by a third-party attacker, it was recently discovered that
certain versions of the Flash plugin can manipulate request headers.
If users running such versions can be persuaded to load a web page
with a malicious Flash applet, a cross-site scripting attack against
the server may be possible.

On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in
the handling of malformed Expect headers, the page produced by the
cross-site scripting attack will only be returned after a timeout expires
(2-5 minutes by default) if not first canceled by the user.

Users of httpd should update to these erratum packages, which contain a
backported patch to correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Affected Products

  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Server 3 x86_64
  • Red Hat Enterprise Linux Server 3 ia64
  • Red Hat Enterprise Linux Server 3 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Workstation 3 x86_64
  • Red Hat Enterprise Linux Workstation 3 ia64
  • Red Hat Enterprise Linux Workstation 3 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux Desktop 3 x86_64
  • Red Hat Enterprise Linux Desktop 3 i386
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems 3 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

Red Hat Enterprise Linux Server 4

SRPM
httpd-2.0.52-28.ent.src.rpm SHA-256: 81788837a1931b04735ed02a2315e87a3066e229dbe89e500b6766cf43bd0327
x86_64
httpd-2.0.52-28.ent.x86_64.rpm SHA-256: 48a7ea5c16bee5e9251781b6f66504a1145e065f628ff313b52cfbd362b41581
httpd-2.0.52-28.ent.x86_64.rpm SHA-256: 48a7ea5c16bee5e9251781b6f66504a1145e065f628ff313b52cfbd362b41581
httpd-devel-2.0.52-28.ent.x86_64.rpm SHA-256: ab476baf05b98371816a7dc5f889ebf2176a3a66e02094ffc245fde2754ee16c
httpd-devel-2.0.52-28.ent.x86_64.rpm SHA-256: ab476baf05b98371816a7dc5f889ebf2176a3a66e02094ffc245fde2754ee16c
httpd-manual-2.0.52-28.ent.x86_64.rpm SHA-256: 1e99cc24c4c08884450d7c29e64be1ac92af3f554c7497730d2826b05493c62f
httpd-manual-2.0.52-28.ent.x86_64.rpm SHA-256: 1e99cc24c4c08884450d7c29e64be1ac92af3f554c7497730d2826b05493c62f
httpd-suexec-2.0.52-28.ent.x86_64.rpm SHA-256: ac2b5c0747f78141dd7e33fef8c6bb1502726820b739bfcdaae3f0187bf2275e
httpd-suexec-2.0.52-28.ent.x86_64.rpm SHA-256: ac2b5c0747f78141dd7e33fef8c6bb1502726820b739bfcdaae3f0187bf2275e
mod_ssl-2.0.52-28.ent.x86_64.rpm SHA-256: a8c3f92251366a9ac52d2be3fe13e7292b26a12dabaa53ddaae7cabf0a3ab15c
mod_ssl-2.0.52-28.ent.x86_64.rpm SHA-256: a8c3f92251366a9ac52d2be3fe13e7292b26a12dabaa53ddaae7cabf0a3ab15c
ia64
httpd-2.0.52-28.ent.ia64.rpm SHA-256: a3abe7fc8ded7cb1df513c3c0dee7c603c0e8a9711c370ad7e38a13fb34d3a3c
httpd-2.0.52-28.ent.ia64.rpm SHA-256: a3abe7fc8ded7cb1df513c3c0dee7c603c0e8a9711c370ad7e38a13fb34d3a3c
httpd-devel-2.0.52-28.ent.ia64.rpm SHA-256: 0303dac38cce9323ea3eee93f58dce6d94f63b3250670e462dbf8f255253df94
httpd-devel-2.0.52-28.ent.ia64.rpm SHA-256: 0303dac38cce9323ea3eee93f58dce6d94f63b3250670e462dbf8f255253df94
httpd-manual-2.0.52-28.ent.ia64.rpm SHA-256: d46dd710f3e3f7f0e5a90625fbd8dfee811f96e8608c959973eaca2ea4f15228
httpd-manual-2.0.52-28.ent.ia64.rpm SHA-256: d46dd710f3e3f7f0e5a90625fbd8dfee811f96e8608c959973eaca2ea4f15228
httpd-suexec-2.0.52-28.ent.ia64.rpm SHA-256: 040f6f886a50372ceb4c12228ab84c42311ec0847e174f1304e55b7c57753a5c
httpd-suexec-2.0.52-28.ent.ia64.rpm SHA-256: 040f6f886a50372ceb4c12228ab84c42311ec0847e174f1304e55b7c57753a5c
mod_ssl-2.0.52-28.ent.ia64.rpm SHA-256: 4a5e49d74ab59872c6bf549a60eccf2be16a4e32d9f1bc4e75f1eb8ab75ae8c3
mod_ssl-2.0.52-28.ent.ia64.rpm SHA-256: 4a5e49d74ab59872c6bf549a60eccf2be16a4e32d9f1bc4e75f1eb8ab75ae8c3
i386
httpd-2.0.52-28.ent.i386.rpm SHA-256: 28ac7754fcc66706c173e6f5313df45cf7049e5b28a06c460b4fb60ee59ea962
httpd-2.0.52-28.ent.i386.rpm SHA-256: 28ac7754fcc66706c173e6f5313df45cf7049e5b28a06c460b4fb60ee59ea962
httpd-devel-2.0.52-28.ent.i386.rpm SHA-256: a6c93114c647b030f156f75094fb0ad5ccdf1f85a0788da77406b28d4ab7f4d1
httpd-devel-2.0.52-28.ent.i386.rpm SHA-256: a6c93114c647b030f156f75094fb0ad5ccdf1f85a0788da77406b28d4ab7f4d1
httpd-manual-2.0.52-28.ent.i386.rpm SHA-256: cec7c3b640b4815cd9c7d933b933b058341eb7d68b8d460d7e1e31367ebca764
httpd-manual-2.0.52-28.ent.i386.rpm SHA-256: cec7c3b640b4815cd9c7d933b933b058341eb7d68b8d460d7e1e31367ebca764
httpd-suexec-2.0.52-28.ent.i386.rpm SHA-256: c9de30c3f6abeb46168c20ba4028d8ecfb7ed55943f8c05e0fdd62569ec1a150
httpd-suexec-2.0.52-28.ent.i386.rpm SHA-256: c9de30c3f6abeb46168c20ba4028d8ecfb7ed55943f8c05e0fdd62569ec1a150
mod_ssl-2.0.52-28.ent.i386.rpm SHA-256: e4ebb1cef90934c9cf76e9e333d55ce0f5cf41badbd4632a0b2926383647dc85
mod_ssl-2.0.52-28.ent.i386.rpm SHA-256: e4ebb1cef90934c9cf76e9e333d55ce0f5cf41badbd4632a0b2926383647dc85

Red Hat Enterprise Linux Server 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Workstation 4

SRPM
httpd-2.0.52-28.ent.src.rpm SHA-256: 81788837a1931b04735ed02a2315e87a3066e229dbe89e500b6766cf43bd0327
x86_64
httpd-2.0.52-28.ent.x86_64.rpm SHA-256: 48a7ea5c16bee5e9251781b6f66504a1145e065f628ff313b52cfbd362b41581
httpd-devel-2.0.52-28.ent.x86_64.rpm SHA-256: ab476baf05b98371816a7dc5f889ebf2176a3a66e02094ffc245fde2754ee16c
httpd-manual-2.0.52-28.ent.x86_64.rpm SHA-256: 1e99cc24c4c08884450d7c29e64be1ac92af3f554c7497730d2826b05493c62f
httpd-suexec-2.0.52-28.ent.x86_64.rpm SHA-256: ac2b5c0747f78141dd7e33fef8c6bb1502726820b739bfcdaae3f0187bf2275e
mod_ssl-2.0.52-28.ent.x86_64.rpm SHA-256: a8c3f92251366a9ac52d2be3fe13e7292b26a12dabaa53ddaae7cabf0a3ab15c
ia64
httpd-2.0.52-28.ent.ia64.rpm SHA-256: a3abe7fc8ded7cb1df513c3c0dee7c603c0e8a9711c370ad7e38a13fb34d3a3c
httpd-devel-2.0.52-28.ent.ia64.rpm SHA-256: 0303dac38cce9323ea3eee93f58dce6d94f63b3250670e462dbf8f255253df94
httpd-manual-2.0.52-28.ent.ia64.rpm SHA-256: d46dd710f3e3f7f0e5a90625fbd8dfee811f96e8608c959973eaca2ea4f15228
httpd-suexec-2.0.52-28.ent.ia64.rpm SHA-256: 040f6f886a50372ceb4c12228ab84c42311ec0847e174f1304e55b7c57753a5c
mod_ssl-2.0.52-28.ent.ia64.rpm SHA-256: 4a5e49d74ab59872c6bf549a60eccf2be16a4e32d9f1bc4e75f1eb8ab75ae8c3
i386
httpd-2.0.52-28.ent.i386.rpm SHA-256: 28ac7754fcc66706c173e6f5313df45cf7049e5b28a06c460b4fb60ee59ea962
httpd-devel-2.0.52-28.ent.i386.rpm SHA-256: a6c93114c647b030f156f75094fb0ad5ccdf1f85a0788da77406b28d4ab7f4d1
httpd-manual-2.0.52-28.ent.i386.rpm SHA-256: cec7c3b640b4815cd9c7d933b933b058341eb7d68b8d460d7e1e31367ebca764
httpd-suexec-2.0.52-28.ent.i386.rpm SHA-256: c9de30c3f6abeb46168c20ba4028d8ecfb7ed55943f8c05e0fdd62569ec1a150
mod_ssl-2.0.52-28.ent.i386.rpm SHA-256: e4ebb1cef90934c9cf76e9e333d55ce0f5cf41badbd4632a0b2926383647dc85

Red Hat Enterprise Linux Workstation 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Desktop 4

SRPM
httpd-2.0.52-28.ent.src.rpm SHA-256: 81788837a1931b04735ed02a2315e87a3066e229dbe89e500b6766cf43bd0327
x86_64
httpd-2.0.52-28.ent.x86_64.rpm SHA-256: 48a7ea5c16bee5e9251781b6f66504a1145e065f628ff313b52cfbd362b41581
httpd-devel-2.0.52-28.ent.x86_64.rpm SHA-256: ab476baf05b98371816a7dc5f889ebf2176a3a66e02094ffc245fde2754ee16c
httpd-manual-2.0.52-28.ent.x86_64.rpm SHA-256: 1e99cc24c4c08884450d7c29e64be1ac92af3f554c7497730d2826b05493c62f
httpd-suexec-2.0.52-28.ent.x86_64.rpm SHA-256: ac2b5c0747f78141dd7e33fef8c6bb1502726820b739bfcdaae3f0187bf2275e
mod_ssl-2.0.52-28.ent.x86_64.rpm SHA-256: a8c3f92251366a9ac52d2be3fe13e7292b26a12dabaa53ddaae7cabf0a3ab15c
i386
httpd-2.0.52-28.ent.i386.rpm SHA-256: 28ac7754fcc66706c173e6f5313df45cf7049e5b28a06c460b4fb60ee59ea962
httpd-devel-2.0.52-28.ent.i386.rpm SHA-256: a6c93114c647b030f156f75094fb0ad5ccdf1f85a0788da77406b28d4ab7f4d1
httpd-manual-2.0.52-28.ent.i386.rpm SHA-256: cec7c3b640b4815cd9c7d933b933b058341eb7d68b8d460d7e1e31367ebca764
httpd-suexec-2.0.52-28.ent.i386.rpm SHA-256: c9de30c3f6abeb46168c20ba4028d8ecfb7ed55943f8c05e0fdd62569ec1a150
mod_ssl-2.0.52-28.ent.i386.rpm SHA-256: e4ebb1cef90934c9cf76e9e333d55ce0f5cf41badbd4632a0b2926383647dc85

Red Hat Enterprise Linux Desktop 3

SRPM
x86_64
i386

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
httpd-2.0.52-28.ent.src.rpm SHA-256: 81788837a1931b04735ed02a2315e87a3066e229dbe89e500b6766cf43bd0327
s390x
httpd-2.0.52-28.ent.s390x.rpm SHA-256: 42502913bf7f8387dd9772021d51532b1120bc5acb29e88f2201049b2898ec03
httpd-devel-2.0.52-28.ent.s390x.rpm SHA-256: 5531640b963b975c9108d2167796b5c6ffbc32368c0612e9fdd77cf33836f881
httpd-manual-2.0.52-28.ent.s390x.rpm SHA-256: faae35167cfe6effdeca66eec841bd2912fa5879afee382ffabd639c0e93beb4
httpd-suexec-2.0.52-28.ent.s390x.rpm SHA-256: 5f86c4dd1084d5a43d9e1a23fd8f06a3f4db9f8215ab7943eff299a7e13160ee
mod_ssl-2.0.52-28.ent.s390x.rpm SHA-256: fd1a26089ca2da40373d4e1cc574635c012faaf8707a352aad22eb78b604b487
s390
httpd-2.0.52-28.ent.s390.rpm SHA-256: 14109405c88818292d278ff18a6b39acf7a78a53ef6c324dfb0731f823c90600
httpd-devel-2.0.52-28.ent.s390.rpm SHA-256: 4cf6356e8b64128011e51b1e8394afa8d4890ef82cb043f0154adc6cd7d86290
httpd-manual-2.0.52-28.ent.s390.rpm SHA-256: db18132850ff155a1c35e67127012aac83c8356156d6f94e18b5a8960a2527b9
httpd-suexec-2.0.52-28.ent.s390.rpm SHA-256: e7423c4d9f01efc5384e2132abb2115b74dd330bd8568ecd012c3a1ebfcbedb1
mod_ssl-2.0.52-28.ent.s390.rpm SHA-256: f994bd2c3b2aac0d98383697ffc33a78a3b893a2a08db4131e2cc6ff9ea09cf2

Red Hat Enterprise Linux for IBM z Systems 3

SRPM
s390x
s390

Red Hat Enterprise Linux for Power, big endian 4

SRPM
httpd-2.0.52-28.ent.src.rpm SHA-256: 81788837a1931b04735ed02a2315e87a3066e229dbe89e500b6766cf43bd0327
ppc
httpd-2.0.52-28.ent.ppc.rpm SHA-256: 5d1dd16c870434a736ebfc50ee6687796ef467a7bc7aff0014dabff8fa885916
httpd-devel-2.0.52-28.ent.ppc.rpm SHA-256: 59d0cb06f1cb460b95d28ad5d28da2a35c8c4cb45166ce1e044100e0cccbf7fc
httpd-manual-2.0.52-28.ent.ppc.rpm SHA-256: 760731201172ad5a30e822f2eb9d8186f3ffe840a10513db777ec17f155bfb6e
httpd-suexec-2.0.52-28.ent.ppc.rpm SHA-256: c3ca132b6f488c00fc715a3caaf7bcbf2da3a776136814fe8ab0a3afeb86fc81
mod_ssl-2.0.52-28.ent.ppc.rpm SHA-256: d5e2a7679dac8309ad3393a2c2ebd3f0035b4c09a1f884a4e31beb11e8f79559

Red Hat Enterprise Linux for Power, big endian 3

SRPM
ppc

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.