Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2009:1579 - Security Advisory
Issued:
2009-11-11
Updated:
2009-11-11

RHSA-2009:1579 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: httpd security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated httpd packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 3 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

The Apache HTTP Server is a popular Web server.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handle session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client's
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker's request as if authenticated using the
victim's credentials. This update partially mitigates this flaw for SSL
sessions to HTTP servers using mod_ssl by rejecting client-requested
renegotiation. (CVE-2009-3555)

Note: This update does not fully resolve the issue for HTTPS servers. An
attack is still possible in configurations that require a server-initiated
renegotiation. Refer to the following Knowledgebase article for further
information: http://kbase.redhat.com/faq/docs/DOC-20491

A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp
module. A malicious FTP server to which requests are being proxied could
use this flaw to crash an httpd child process via a malformed reply to the
EPSV or PASV commands, resulting in a limited denial of service.
(CVE-2009-3094)

A second flaw was found in the Apache mod_proxy_ftp module. In a reverse
proxy configuration, a remote attacker could use this flaw to bypass
intended access restrictions by creating a carefully-crafted HTTP
Authorization header, allowing the attacker to send arbitrary commands to
the FTP server. (CVE-2009-3095)

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 3 x86_64
  • Red Hat Enterprise Linux Server 3 ia64
  • Red Hat Enterprise Linux Server 3 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 3 x86_64
  • Red Hat Enterprise Linux Workstation 3 ia64
  • Red Hat Enterprise Linux Workstation 3 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Desktop 3 x86_64
  • Red Hat Enterprise Linux Desktop 3 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux for Power, big endian 3 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 521619 - CVE-2009-3094 httpd: NULL pointer defer in mod_proxy_ftp caused by crafted EPSV and PASV reply
  • BZ - 522209 - CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header
  • BZ - 533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation

CVEs

  • CVE-2009-3094
  • CVE-2009-3095
  • CVE-2009-3555

References

  • http://www.redhat.com/security/updates/classification/#moderate
  • http://kbase.redhat.com/faq/docs/DOC-20491
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
httpd-2.2.3-31.el5_4.2.src.rpm SHA-256: 4b6815b7963fb1b86ff7dff5273fa958e41a4f0c8862fa2cc0b9d06ccd3e04b4
x86_64
httpd-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: 633c1f9346fe9612f33afa52e8af8a323f211495422bdf59b3c037b53c285b54
httpd-devel-2.2.3-31.el5_4.2.i386.rpm SHA-256: a60509090e0f5249f4f532cc5f8729e7695460c0f5b259f14a66d339b1e4ec48
httpd-devel-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: c94c4abcfdf6798cfc6e400eba1ea2e97ef7323074207347d50313e43d6d71a6
httpd-manual-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: de36965fb277cb16f31894c2611ae31affd98167f6e24523ee119689676e3e17
mod_ssl-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: c0f3f404fa0b02f90c41268a5fc66d5c3aae16b855719ca94f1b174301f89ae8
ia64
httpd-2.2.3-31.el5_4.2.ia64.rpm SHA-256: 70c1ad4f2fda2c124ae16b69f6ff8a740641bef92650111864397f42d44a93ea
httpd-devel-2.2.3-31.el5_4.2.ia64.rpm SHA-256: 417d48925c7c3ef89fbfad18cc620429dc4ac54ae92c9203daea81ed7b8fe5bb
httpd-manual-2.2.3-31.el5_4.2.ia64.rpm SHA-256: 1a04863e98435eaa0cd77e9a31e1758957bc1c51c44497b439e0385491a0adbc
mod_ssl-2.2.3-31.el5_4.2.ia64.rpm SHA-256: 524a3952a3c192b9c6709125e2aacfbbb6a89466706557f687a7cf895fb815e1
i386
httpd-2.2.3-31.el5_4.2.i386.rpm SHA-256: 3df08c4af8ddf8f5731248107455181d11104e84dcae560e3cb60665cb607a87
httpd-devel-2.2.3-31.el5_4.2.i386.rpm SHA-256: a60509090e0f5249f4f532cc5f8729e7695460c0f5b259f14a66d339b1e4ec48
httpd-manual-2.2.3-31.el5_4.2.i386.rpm SHA-256: 43de7347df46bf151ebea023de6d47f2aadecdd8025fe524651d661e1c1754cb
mod_ssl-2.2.3-31.el5_4.2.i386.rpm SHA-256: f563ab1c93c9ae39a46fbb0d0ede60a04c1954b5cea00539320f0b2637cff317

Red Hat Enterprise Linux Server 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Workstation 5

SRPM
httpd-2.2.3-31.el5_4.2.src.rpm SHA-256: 4b6815b7963fb1b86ff7dff5273fa958e41a4f0c8862fa2cc0b9d06ccd3e04b4
x86_64
httpd-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: 633c1f9346fe9612f33afa52e8af8a323f211495422bdf59b3c037b53c285b54
httpd-devel-2.2.3-31.el5_4.2.i386.rpm SHA-256: a60509090e0f5249f4f532cc5f8729e7695460c0f5b259f14a66d339b1e4ec48
httpd-devel-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: c94c4abcfdf6798cfc6e400eba1ea2e97ef7323074207347d50313e43d6d71a6
httpd-manual-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: de36965fb277cb16f31894c2611ae31affd98167f6e24523ee119689676e3e17
mod_ssl-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: c0f3f404fa0b02f90c41268a5fc66d5c3aae16b855719ca94f1b174301f89ae8
i386
httpd-2.2.3-31.el5_4.2.i386.rpm SHA-256: 3df08c4af8ddf8f5731248107455181d11104e84dcae560e3cb60665cb607a87
httpd-devel-2.2.3-31.el5_4.2.i386.rpm SHA-256: a60509090e0f5249f4f532cc5f8729e7695460c0f5b259f14a66d339b1e4ec48
httpd-manual-2.2.3-31.el5_4.2.i386.rpm SHA-256: 43de7347df46bf151ebea023de6d47f2aadecdd8025fe524651d661e1c1754cb
mod_ssl-2.2.3-31.el5_4.2.i386.rpm SHA-256: f563ab1c93c9ae39a46fbb0d0ede60a04c1954b5cea00539320f0b2637cff317

Red Hat Enterprise Linux Workstation 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Desktop 5

SRPM
httpd-2.2.3-31.el5_4.2.src.rpm SHA-256: 4b6815b7963fb1b86ff7dff5273fa958e41a4f0c8862fa2cc0b9d06ccd3e04b4
x86_64
httpd-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: 633c1f9346fe9612f33afa52e8af8a323f211495422bdf59b3c037b53c285b54
mod_ssl-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: c0f3f404fa0b02f90c41268a5fc66d5c3aae16b855719ca94f1b174301f89ae8
i386
httpd-2.2.3-31.el5_4.2.i386.rpm SHA-256: 3df08c4af8ddf8f5731248107455181d11104e84dcae560e3cb60665cb607a87
mod_ssl-2.2.3-31.el5_4.2.i386.rpm SHA-256: f563ab1c93c9ae39a46fbb0d0ede60a04c1954b5cea00539320f0b2637cff317

Red Hat Enterprise Linux Desktop 3

SRPM
x86_64
i386

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
httpd-2.2.3-31.el5_4.2.src.rpm SHA-256: 4b6815b7963fb1b86ff7dff5273fa958e41a4f0c8862fa2cc0b9d06ccd3e04b4
s390x
httpd-2.2.3-31.el5_4.2.s390x.rpm SHA-256: 0887d6796ff41af3d382428c4a0c2825c0a2ef258c3ffcd28c33ecb4bbac3161
httpd-devel-2.2.3-31.el5_4.2.s390.rpm SHA-256: ed705a311ee1d77e6d6b81f0d24bced134efea3b2d835054c12251c969d60edf
httpd-devel-2.2.3-31.el5_4.2.s390x.rpm SHA-256: 3567abb173cfa6db85fe737cf80cdc24869c3051c141b101e20abda2511c6971
httpd-manual-2.2.3-31.el5_4.2.s390x.rpm SHA-256: a3a784e9e0f132558e920e802c021ea9d20b7cf436fe07996c001dbfa0ce5684
mod_ssl-2.2.3-31.el5_4.2.s390x.rpm SHA-256: d37452511c83a6b4e728d03de9aee24fdb30289b7468bbf3fce27f64fe737854

Red Hat Enterprise Linux for IBM z Systems 3

SRPM
s390x
s390

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4

SRPM
s390x

Red Hat Enterprise Linux for Power, big endian 5

SRPM
httpd-2.2.3-31.el5_4.2.src.rpm SHA-256: 4b6815b7963fb1b86ff7dff5273fa958e41a4f0c8862fa2cc0b9d06ccd3e04b4
ppc
httpd-2.2.3-31.el5_4.2.ppc.rpm SHA-256: cb4feaa30b42fe00c7dc97cc27bac86875b2837ff2214c0970b977045e3d95cf
httpd-devel-2.2.3-31.el5_4.2.ppc.rpm SHA-256: b5b079452f86699f73fd8f25a678449f23dce7b3a303912c59ae5fb26fe1126a
httpd-devel-2.2.3-31.el5_4.2.ppc64.rpm SHA-256: ea66c92a9822a2debd29d72ef16076c973f4bc78a82defe2ae4b0fb46e03aa8a
httpd-manual-2.2.3-31.el5_4.2.ppc.rpm SHA-256: f7949b9986191cbd1ec27ad83c754a9451d3dc5758ffb18b6ba117359e6eae00
mod_ssl-2.2.3-31.el5_4.2.ppc.rpm SHA-256: 7e7dd7f55adf1f3a6f1211974b02501ba7e8bf61483ed423cac5e1e26dee98a6

Red Hat Enterprise Linux for Power, big endian 3

SRPM
ppc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4

SRPM
ppc

Red Hat Enterprise Linux Server from RHUI 5

SRPM
httpd-2.2.3-31.el5_4.2.src.rpm SHA-256: 4b6815b7963fb1b86ff7dff5273fa958e41a4f0c8862fa2cc0b9d06ccd3e04b4
x86_64
httpd-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: 633c1f9346fe9612f33afa52e8af8a323f211495422bdf59b3c037b53c285b54
httpd-devel-2.2.3-31.el5_4.2.i386.rpm SHA-256: a60509090e0f5249f4f532cc5f8729e7695460c0f5b259f14a66d339b1e4ec48
httpd-devel-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: c94c4abcfdf6798cfc6e400eba1ea2e97ef7323074207347d50313e43d6d71a6
httpd-manual-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: de36965fb277cb16f31894c2611ae31affd98167f6e24523ee119689676e3e17
mod_ssl-2.2.3-31.el5_4.2.x86_64.rpm SHA-256: c0f3f404fa0b02f90c41268a5fc66d5c3aae16b855719ca94f1b174301f89ae8
i386
httpd-2.2.3-31.el5_4.2.i386.rpm SHA-256: 3df08c4af8ddf8f5731248107455181d11104e84dcae560e3cb60665cb607a87
httpd-devel-2.2.3-31.el5_4.2.i386.rpm SHA-256: a60509090e0f5249f4f532cc5f8729e7695460c0f5b259f14a66d339b1e4ec48
httpd-manual-2.2.3-31.el5_4.2.i386.rpm SHA-256: 43de7347df46bf151ebea023de6d47f2aadecdd8025fe524651d661e1c1754cb
mod_ssl-2.2.3-31.el5_4.2.i386.rpm SHA-256: f563ab1c93c9ae39a46fbb0d0ede60a04c1954b5cea00539320f0b2637cff317

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2023 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter