Red Hat Product Errata RHSA-2013:0130 - Security Advisory
Issued: 2013-01-08
Updated: 2013-01-08

Synopsis

Low: httpd security, bug fix, and enhancement update

Type/Severity

Security Advisory: Low

Topic

Updated httpd packages that fix multiple security issues and various bugs,
and add enhancements, are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

The httpd packages contain the Apache HTTP Server (httpd), which is the
namesake project of The Apache Software Foundation.

Input sanitization flaws were found in the mod_negotiation module. A remote
attacker able to upload or create files with arbitrary names in a directory
that has the MultiViews option enabled could use these flaws to conduct
cross-site scripting and HTTP response splitting attacks against users
visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687)
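
As an added example (not part of the Red Hat advisory or of httpd itself), the following Python 3 script audits a content tree for file names that contain HTML metacharacters or CR/LF, the kind of untrusted names the mod_negotiation flaws above depend on. The character sets, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Characters that are harmless on disk but unsafe if a file name is echoed
# unescaped into an HTML body (XSS) or a response header (CR/LF splitting).
# These sets are an assumption chosen for this example.
HTML_META = set('<>"\'&')
HEADER_BREAK = set('\r\n')


def classify_name(name):
    """Return the risk labels that apply to one file or directory name."""
    risks = []
    if HTML_META & set(name):
        risks.append("html-metachar")
    if HEADER_BREAK & set(name):
        risks.append("crlf")
    return risks


def audit_tree(root):
    """Walk root and return sorted (relative_path, risks) for risky names."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            risks = classify_name(name)
            if risks:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, risks))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample content standing in for an upload directory."""
    for name in ("index.html", "report.en.html",
                 "note<b>.html", "x\r\nInjected.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, risks in audit_tree(root):
            # repr() keeps control characters visible and off the terminal
            print(repr(rel), ",".join(risks))
```

Point `audit_tree()` at each directory where MultiViews is enabled and users can create files; names it reports are candidates for renaming or removal.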

Bug fixes:

  • Previously, no check was made to see if the
    /etc/pki/tls/private/localhost.key file was a valid key prior to running
    the "%post" script for the "mod_ssl" package. Consequently, when
    /etc/pki/tls/certs/localhost.crt did not exist and "localhost.key" was
    present but invalid, upgrading the Apache HTTP Server daemon (httpd) with
    mod_ssl failed. The "%post" script has been fixed to test for an existing
    SSL key. As a result, upgrading httpd with mod_ssl now proceeds as
    expected. (BZ#752618)

  • The "mod_ssl" module did not support operation under FIPS mode.
    Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode
    enabled, httpd failed to start. An upstream patch has been applied to
    disable non-FIPS functionality if operating under FIPS mode and httpd now
    starts as expected. (BZ#773473)

  • Prior to this update, httpd exit status codes were not Linux Standard
    Base (LSB) compliant. When the command "service httpd reload" was run and
    httpd failed, the exit status code returned was "0" and not in the range 1
    to 6 as expected. A patch has been applied to the init script and httpd now
    returns "1" as an exit status code. (BZ#783242)

  • Chunked Transfer Coding is described in RFC 2616. Previously, the
    Apache server did not correctly handle a chunked encoded POST request with
    a "chunk-size" or "chunk-extension" value of 32 bytes or more.
    Consequently, when such a POST request was made the server did not respond.
    An upstream patch has been applied and the problem no longer occurs.
    (BZ#840845)

  • Due to a regression, when mod_cache received a non-cacheable 304
    response, the headers were served incorrectly. Consequently, compressed
    data could be returned to the client without the cached headers to indicate
    the data was compressed. An upstream patch has been applied to merge
    response and cached headers before data from the cache is served to the
    client. As a result, cached data is now correctly interpreted by the
    client. (BZ#845532)

  • In a proxy configuration, certain response-line strings were not handled
    correctly. If a response-line without a "description" string was received
    from the origin server, for a non-standard status code, such as the "450"
    status code, a "500 Internal Server Error" would be returned to the client.
    This bug has been fixed so that the original response line is returned to
    the client. (BZ#853128)

Enhancements:

  • The configuration directive "LDAPReferrals" is now supported in addition
    to the previously introduced "LDAPChaseReferrals". (BZ#727342)

  • The AJP support module for "mod_proxy", "mod_proxy_ajp", now supports the
    "ProxyErrorOverride" directive. Consequently, it is now possible to
    configure customized error pages for web applications running on a backend
    server accessed via AJP. (BZ#767890)

  • The "%posttrans" scriptlet which automatically restarts the httpd service
    after a package upgrade can now be disabled. If the file
    /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not
    restart the daemon. (BZ#833042)

  • The output of "httpd -S" now includes configured alias names for each
    virtual host. (BZ#833043)

  • New certificate variable names are now exposed by "mod_ssl" using the
    "_DN_userID" suffix, such as "SSL_CLIENT_S_DN_userID", which use the
    commonly used object identifier (OID) definition of "userID", OID
    0.9.2342.19200300.100.1.1. (BZ#840036)

All users of httpd are advised to upgrade to these updated packages, which
fix these issues and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 727342 - LDAPChaseReferrals should be LDAPReferrals
  • BZ - 752618 - mod_ssl post install script can cause failures
  • BZ - 767890 - The mod_proxy_ajp lacks the ErrorOverride
  • BZ - 773473 - [RHEL 5.7] Apache HTTP Server cannot start with mod_ssl when FIPS 140-2 mode enabled
  • BZ - 783242 - service httpd reload return 0 when it fails
  • BZ - 840845 - httpd fails in processing chunked requests with > 31 bytes chunk-size / -extension line
  • BZ - 845532 - mod_cache regression in httpd 2.2.3-65: non-cacheable 304 responses serve bad data
  • BZ - 850794 - CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled
  • BZ - 879292 - CVE-2008-0456 httpd: mod_negotiation CRLF injection via untrusted file names in directories with MultiViews enabled

CVEs

  • CVE-2008-0455
  • CVE-2012-2687
  • CVE-2008-0456

References

  • https://access.redhat.com/security/updates/classification/#low
Note: More recent versions of these packages may be available. Click a package name for more details.

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
