红帽产品勘误 RHSA-2010:0168 - Security Advisory
发布:
2010-03-25
已更新:
2010-03-25

RHSA-2010:0168 - Security Advisory

概述

Moderate: httpd security and enhancement update

类型/严重性

Security Advisory: Moderate

Red Hat Lightspeed patch analysis

识别并修复受此公告影响的系统。

查看受影响的系统

标题

Updated httpd packages that fix two security issues and add an enhancement
are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

描述

The Apache HTTP Server is a popular web server.

It was discovered that mod_proxy_ajp incorrectly returned an "Internal
Server Error" response when processing certain malformed requests, which
caused the back-end server to be marked as failed in configurations where
mod_proxy is used in load balancer mode. A remote attacker could cause
mod_proxy to not send requests to back-end AJP (Apache JServ Protocol)
servers for the retry timeout period (60 seconds by default) by sending
specially-crafted requests. (CVE-2010-0408)

A use-after-free flaw was discovered in the way the Apache HTTP Server
handled request headers in subrequests. In configurations where subrequests
are used, a multithreaded MPM (Multi-Processing Module) could possibly leak
information from other requests in request replies. (CVE-2010-0434)

This update also adds the following enhancement:

  • with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl

will refuse to renegotiate a TLS/SSL connection with an unpatched client
that does not support RFC 5746. This update adds the
"SSLInsecureRenegotiation" configuration directive. If this directive is
enabled, mod_ssl will renegotiate insecurely with unpatched clients.
(BZ#567980)

Refer to the following Red Hat Knowledgebase article for more details about
the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues and add this enhancement. After
installing the updated packages, the httpd daemon must be restarted for the
update to take effect.

解决方案

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

受影响的产品

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

修复

  • BZ - 567980 - [RFE] mod_ssl: Add SSLInsecureRenegotiation directive [rhel-5]
  • BZ - 569905 - CVE-2010-0408 httpd: mod_proxy_ajp remote temporary DoS
  • BZ - 570171 - CVE-2010-0434 httpd: request header information leak

Red Hat Enterprise Linux Server 5

SRPM
httpd-2.2.3-31.el5_4.4.src.rpm SHA-256: 92cde62e2da71f2ca01050637b6416c3b70063dc32a9d8ff53cd241a87ea5e9d
x86_64
httpd-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: 4c20b441040ae60166a64e9c61744f4f03c729fef7258eba0563c4b2041536c7
httpd-devel-2.2.3-31.el5_4.4.i386.rpm SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-devel-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: c417b1600481ed29e51110c07c38f32dfb06a3c3db0d64da56daf5d67bb258f9
httpd-manual-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: d1bb36ac4c7e6a4e2a269a0fccf5d938acfd2e7a4bf5094f9061aa5e2c5469c0
mod_ssl-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: 8613980046ef3ff41d71e3f72ac1330bb25d62619954ecbc377e7838e35e5eac
ia64
httpd-2.2.3-31.el5_4.4.ia64.rpm SHA-256: fc28afc7d619c66ecd8ed3290cbf99384ea08c66fe14645909e26c0b66d6d0fc
httpd-devel-2.2.3-31.el5_4.4.ia64.rpm SHA-256: 4c6837f419a927d428e3e4102f303a0cf96dae711231232b80544d47903aed8c
httpd-manual-2.2.3-31.el5_4.4.ia64.rpm SHA-256: 8b624ac98ed39c95a6e6a930c4e9b2d39671beac5726d49b7cb053a64651c87a
mod_ssl-2.2.3-31.el5_4.4.ia64.rpm SHA-256: 4c70e0dce30edd693cec4714071a0042eb6571d6e539394e08ad2c24e4be1c45
i386
httpd-2.2.3-31.el5_4.4.i386.rpm SHA-256: ecc1d64adc67d596472fa9aefd17253daae8bf4549f4eb661506b42ec6296ddd
httpd-devel-2.2.3-31.el5_4.4.i386.rpm SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-manual-2.2.3-31.el5_4.4.i386.rpm SHA-256: f57f01e91a767c06bcad97f994e1b231a536f01a8091d1d0eb9b64d48b028e81
mod_ssl-2.2.3-31.el5_4.4.i386.rpm SHA-256: 0a62ac0ad49cce0a4266ad2d07304c0f757ef3e9872745106d10471f57998b01

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Workstation 5

SRPM
httpd-2.2.3-31.el5_4.4.src.rpm SHA-256: 92cde62e2da71f2ca01050637b6416c3b70063dc32a9d8ff53cd241a87ea5e9d
x86_64
httpd-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: 4c20b441040ae60166a64e9c61744f4f03c729fef7258eba0563c4b2041536c7
httpd-devel-2.2.3-31.el5_4.4.i386.rpm SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-devel-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: c417b1600481ed29e51110c07c38f32dfb06a3c3db0d64da56daf5d67bb258f9
httpd-manual-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: d1bb36ac4c7e6a4e2a269a0fccf5d938acfd2e7a4bf5094f9061aa5e2c5469c0
mod_ssl-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: 8613980046ef3ff41d71e3f72ac1330bb25d62619954ecbc377e7838e35e5eac
i386
httpd-2.2.3-31.el5_4.4.i386.rpm SHA-256: ecc1d64adc67d596472fa9aefd17253daae8bf4549f4eb661506b42ec6296ddd
httpd-devel-2.2.3-31.el5_4.4.i386.rpm SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-manual-2.2.3-31.el5_4.4.i386.rpm SHA-256: f57f01e91a767c06bcad97f994e1b231a536f01a8091d1d0eb9b64d48b028e81
mod_ssl-2.2.3-31.el5_4.4.i386.rpm SHA-256: 0a62ac0ad49cce0a4266ad2d07304c0f757ef3e9872745106d10471f57998b01

Red Hat Enterprise Linux Desktop 5

SRPM
httpd-2.2.3-31.el5_4.4.src.rpm SHA-256: 92cde62e2da71f2ca01050637b6416c3b70063dc32a9d8ff53cd241a87ea5e9d
x86_64
httpd-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: 4c20b441040ae60166a64e9c61744f4f03c729fef7258eba0563c4b2041536c7
mod_ssl-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: 8613980046ef3ff41d71e3f72ac1330bb25d62619954ecbc377e7838e35e5eac
i386
httpd-2.2.3-31.el5_4.4.i386.rpm SHA-256: ecc1d64adc67d596472fa9aefd17253daae8bf4549f4eb661506b42ec6296ddd
mod_ssl-2.2.3-31.el5_4.4.i386.rpm SHA-256: 0a62ac0ad49cce0a4266ad2d07304c0f757ef3e9872745106d10471f57998b01

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
httpd-2.2.3-31.el5_4.4.src.rpm SHA-256: 92cde62e2da71f2ca01050637b6416c3b70063dc32a9d8ff53cd241a87ea5e9d
s390x
httpd-2.2.3-31.el5_4.4.s390x.rpm SHA-256: a7e4acbc4107eae4d9634ec118d33298d45e8cec72f7dec0f3612450ea8d725c
httpd-devel-2.2.3-31.el5_4.4.s390.rpm SHA-256: fd2e56acbf163c6f5a5d18ae319f34c4ef551f0892b44d93e48e3ca249033d71
httpd-devel-2.2.3-31.el5_4.4.s390x.rpm SHA-256: d8221f2e3c028e552612755aa8ad2c7e8233a24f194b6c87e075e28420793b02
httpd-manual-2.2.3-31.el5_4.4.s390x.rpm SHA-256: 85df8a0221847f2d94ec687e97f68a5589cc05358b0a5bbea6c74532d5da21d5
mod_ssl-2.2.3-31.el5_4.4.s390x.rpm SHA-256: 7f8a3b0aba579e121e9e7690475c171cf0f527d7bfeb39e0b75089427fe0c688

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4

SRPM
s390x

Red Hat Enterprise Linux for Power, big endian 5

SRPM
httpd-2.2.3-31.el5_4.4.src.rpm SHA-256: 92cde62e2da71f2ca01050637b6416c3b70063dc32a9d8ff53cd241a87ea5e9d
ppc
httpd-2.2.3-31.el5_4.4.ppc.rpm SHA-256: 95e9fce1f10922fb74570c213bcf81ee61b949bfc0c889673a2c53ab6c761e93
httpd-devel-2.2.3-31.el5_4.4.ppc.rpm SHA-256: a6aab08dac52c666e5864544187fd9a949445cd5043e1d5bdead2edc6bb2fdcb
httpd-devel-2.2.3-31.el5_4.4.ppc64.rpm SHA-256: 0d4a1db5bf57a9475427f22910e32edf7b4ca7cb9722bf6569a426a2eb6a5cb6
httpd-manual-2.2.3-31.el5_4.4.ppc.rpm SHA-256: 84021d035d01969061615ca7384a2ffe5eb168a029690a1b0867dfcf5d43940b
mod_ssl-2.2.3-31.el5_4.4.ppc.rpm SHA-256: d3a90a5d0f8293dbdb3796c117136a69f0c826516344e02eacff1d77cd027e06

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4

SRPM
ppc

Red Hat Enterprise Linux Server from RHUI 5

SRPM
httpd-2.2.3-31.el5_4.4.src.rpm SHA-256: 92cde62e2da71f2ca01050637b6416c3b70063dc32a9d8ff53cd241a87ea5e9d
x86_64
httpd-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: 4c20b441040ae60166a64e9c61744f4f03c729fef7258eba0563c4b2041536c7
httpd-devel-2.2.3-31.el5_4.4.i386.rpm SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-devel-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: c417b1600481ed29e51110c07c38f32dfb06a3c3db0d64da56daf5d67bb258f9
httpd-manual-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: d1bb36ac4c7e6a4e2a269a0fccf5d938acfd2e7a4bf5094f9061aa5e2c5469c0
mod_ssl-2.2.3-31.el5_4.4.x86_64.rpm SHA-256: 8613980046ef3ff41d71e3f72ac1330bb25d62619954ecbc377e7838e35e5eac
i386
httpd-2.2.3-31.el5_4.4.i386.rpm SHA-256: ecc1d64adc67d596472fa9aefd17253daae8bf4549f4eb661506b42ec6296ddd
httpd-devel-2.2.3-31.el5_4.4.i386.rpm SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-manual-2.2.3-31.el5_4.4.i386.rpm SHA-256: f57f01e91a767c06bcad97f994e1b231a536f01a8091d1d0eb9b64d48b028e81
mod_ssl-2.2.3-31.el5_4.4.i386.rpm SHA-256: 0a62ac0ad49cce0a4266ad2d07304c0f757ef3e9872745106d10471f57998b01

Red Hat 安全团队联络方式为 secalert@redhat.com。 更多联络细节请参考 https://access.redhat.com/security/team/contact/