Red Hat Product Errata RHSA-2014:1972 - Security Advisory

Issued:: 2014-12-09
Updated:: 2014-12-09

RHSA-2014:1972 - Security Advisory

Overview
Updated Packages

Synopsis

Low: httpd24-httpd security and bug fix update

Type/Severity

Security Advisory: Low

Topic

Updated httpd24-httpd packages that fix two security issues and one bug
are now available for Red Hat Software Collections 1.

Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.

A NULL pointer dereference flaw was found in the way the mod_cache httpd
module handled Content-Type headers. A malicious HTTP server could cause
the httpd child process to crash when the Apache HTTP server was configured
to proxy to a server with caching enabled. (CVE-2014-3581)

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers. (CVE-2013-5704)

Note: With this update, httpd has been modified to not merge HTTP Trailer
headers with other HTTP request headers. A newly introduced configuration
directive MergeTrailers can be used to re-enable the old method of
processing Trailer headers, which also re-introduces the aforementioned
flaw.

This update also fixes the following bug:

Prior to this update, the mod_proxy_wstunnel module failed to set up an
SSL connection when configured to use a back end server using the "wss:"
URL scheme, causing proxied connections to fail. In these updated packages,
SSL is used when proxying to "wss:" back end servers. (BZ#1141950)

All httpd24-httpd users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After installing
the updated packages, the httpd24-httpd service will be restarted
automatically.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.6 x86_64
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.5 x86_64
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.4 x86_64
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
Red Hat Software Collections (for RHEL Server) from RHUI 1 for RHEL 7 x86_64
Red Hat Software Collections (for RHEL Server) from RHUI 1 for RHEL 6 x86_64

Fixes

BZ - 1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
BZ - 1141950 - Request to resolve upstream bug 55320
BZ - 1149709 - CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value

CVEs

References

https://access.redhat.com/security/updates/classification/#low

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
httpd24-httpd-2.4.6-25.el7.src.rpm	SHA-256: 724f639aaac6cef7430edb7f4d813584ae32b5ddf2a498bc95697fe59d939744
x86_64
httpd24-httpd-2.4.6-25.el7.x86_64.rpm	SHA-256: 5f9398f202205478a28a5e37f170e00e416c3b095f980e24f405fe4c549a35d9
httpd24-httpd-debuginfo-2.4.6-25.el7.x86_64.rpm	SHA-256: ecc32cd3bceee383ae20b987b5b1e8f9d752fd274cbbf58117f1791222df70b3
httpd24-httpd-devel-2.4.6-25.el7.x86_64.rpm	SHA-256: 081069f5c4ad575e6a384ee89c6175b0d87602902873976497cdadf5f50caa35
httpd24-httpd-manual-2.4.6-25.el7.noarch.rpm	SHA-256: 7479a6f95ed1f12c3b183eedad5def5916335a0eccecb77eb8b582223e5e0efc
httpd24-httpd-tools-2.4.6-25.el7.x86_64.rpm	SHA-256: 3cb193dbd5838411249b50af663785df710f1780939e0b1289c7c3d5bd6fb467
httpd24-mod_ldap-2.4.6-25.el7.x86_64.rpm	SHA-256: 0f8ab71c2f1e1f27b6675fd4b120e408017ec543acb4602e29b4b9600438b422
httpd24-mod_proxy_html-2.4.6-25.el7.x86_64.rpm	SHA-256: fa7d93a059b1f12a491d1243a4afb4e1db02c4d239bdd89a265ebe03e45b183f
httpd24-mod_session-2.4.6-25.el7.x86_64.rpm	SHA-256: fa8875bad8fad8b7ad4319213bdbb121364f6e5588b99c401fbd4a6cd7a3d272
httpd24-mod_ssl-2.4.6-25.el7.x86_64.rpm	SHA-256: 98feb0361e2f6eed00f0fe617c5093b85b1da8b5b365b6795846f0b2d3ca7ecf

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.6

SRPM
httpd24-httpd-2.4.6-22.el6.src.rpm	SHA-256: 571dce59120c3a3e887a9e384abdd52004a6ac3bedfa63fd52389604ff217159
x86_64
httpd24-httpd-2.4.6-22.el6.x86_64.rpm	SHA-256: 2928d8aaa2b8c6674a2f572cc83d539f82c6d14dc45310c5fdffae63c87350a8
httpd24-httpd-debuginfo-2.4.6-22.el6.x86_64.rpm	SHA-256: 52e0b881d44d4c8348cb99c9955267e6da884809cc618cfb29a56982a0c3055f
httpd24-httpd-devel-2.4.6-22.el6.x86_64.rpm	SHA-256: aafb451abde861c7d3ed89216f7844037cb813768d3bc45ba018a7a8d73cf213
httpd24-httpd-manual-2.4.6-22.el6.noarch.rpm	SHA-256: 8faa3f6b50923b2cc3edb88bcf622a932c44d80915cbd2f07fc49611df2cd7f8
httpd24-httpd-tools-2.4.6-22.el6.x86_64.rpm	SHA-256: 830d50f05e4a4947b4e78266127a3f9aa0ba600312e3574abce841ca41cc131c
httpd24-mod_ldap-2.4.6-22.el6.x86_64.rpm	SHA-256: f2cf9494acb250d663b2d333d62eb58d26f6f2ebf49070c8df85771c9baad8e8
httpd24-mod_proxy_html-2.4.6-22.el6.x86_64.rpm	SHA-256: e6037e524b9056436fa0c486acff1efcb631908cc1997206fc81710c88da573a
httpd24-mod_session-2.4.6-22.el6.x86_64.rpm	SHA-256: e101ccfc1f0cd821d63f455f1c36fd71d4c65c016998236ddf51a00e32df0951
httpd24-mod_ssl-2.4.6-22.el6.x86_64.rpm	SHA-256: c713845de30042dc9a3e3ea22c6f192767af2bfee16e3a2271433f3018074f92

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.5

SRPM
httpd24-httpd-2.4.6-22.el6.src.rpm	SHA-256: 571dce59120c3a3e887a9e384abdd52004a6ac3bedfa63fd52389604ff217159
x86_64
httpd24-httpd-2.4.6-22.el6.x86_64.rpm	SHA-256: 2928d8aaa2b8c6674a2f572cc83d539f82c6d14dc45310c5fdffae63c87350a8
httpd24-httpd-debuginfo-2.4.6-22.el6.x86_64.rpm	SHA-256: 52e0b881d44d4c8348cb99c9955267e6da884809cc618cfb29a56982a0c3055f
httpd24-httpd-devel-2.4.6-22.el6.x86_64.rpm	SHA-256: aafb451abde861c7d3ed89216f7844037cb813768d3bc45ba018a7a8d73cf213
httpd24-httpd-manual-2.4.6-22.el6.noarch.rpm	SHA-256: 8faa3f6b50923b2cc3edb88bcf622a932c44d80915cbd2f07fc49611df2cd7f8
httpd24-httpd-tools-2.4.6-22.el6.x86_64.rpm	SHA-256: 830d50f05e4a4947b4e78266127a3f9aa0ba600312e3574abce841ca41cc131c
httpd24-mod_ldap-2.4.6-22.el6.x86_64.rpm	SHA-256: f2cf9494acb250d663b2d333d62eb58d26f6f2ebf49070c8df85771c9baad8e8
httpd24-mod_proxy_html-2.4.6-22.el6.x86_64.rpm	SHA-256: e6037e524b9056436fa0c486acff1efcb631908cc1997206fc81710c88da573a
httpd24-mod_session-2.4.6-22.el6.x86_64.rpm	SHA-256: e101ccfc1f0cd821d63f455f1c36fd71d4c65c016998236ddf51a00e32df0951
httpd24-mod_ssl-2.4.6-22.el6.x86_64.rpm	SHA-256: c713845de30042dc9a3e3ea22c6f192767af2bfee16e3a2271433f3018074f92

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.4

SRPM
httpd24-httpd-2.4.6-22.el6.src.rpm	SHA-256: 571dce59120c3a3e887a9e384abdd52004a6ac3bedfa63fd52389604ff217159
x86_64
httpd24-httpd-2.4.6-22.el6.x86_64.rpm	SHA-256: 2928d8aaa2b8c6674a2f572cc83d539f82c6d14dc45310c5fdffae63c87350a8
httpd24-httpd-debuginfo-2.4.6-22.el6.x86_64.rpm	SHA-256: 52e0b881d44d4c8348cb99c9955267e6da884809cc618cfb29a56982a0c3055f
httpd24-httpd-devel-2.4.6-22.el6.x86_64.rpm	SHA-256: aafb451abde861c7d3ed89216f7844037cb813768d3bc45ba018a7a8d73cf213
httpd24-httpd-manual-2.4.6-22.el6.noarch.rpm	SHA-256: 8faa3f6b50923b2cc3edb88bcf622a932c44d80915cbd2f07fc49611df2cd7f8
httpd24-httpd-tools-2.4.6-22.el6.x86_64.rpm	SHA-256: 830d50f05e4a4947b4e78266127a3f9aa0ba600312e3574abce841ca41cc131c
httpd24-mod_ldap-2.4.6-22.el6.x86_64.rpm	SHA-256: f2cf9494acb250d663b2d333d62eb58d26f6f2ebf49070c8df85771c9baad8e8
httpd24-mod_proxy_html-2.4.6-22.el6.x86_64.rpm	SHA-256: e6037e524b9056436fa0c486acff1efcb631908cc1997206fc81710c88da573a
httpd24-mod_session-2.4.6-22.el6.x86_64.rpm	SHA-256: e101ccfc1f0cd821d63f455f1c36fd71d4c65c016998236ddf51a00e32df0951
httpd24-mod_ssl-2.4.6-22.el6.x86_64.rpm	SHA-256: c713845de30042dc9a3e3ea22c6f192767af2bfee16e3a2271433f3018074f92

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6

SRPM
httpd24-httpd-2.4.6-22.el6.src.rpm	SHA-256: 571dce59120c3a3e887a9e384abdd52004a6ac3bedfa63fd52389604ff217159
x86_64
httpd24-httpd-2.4.6-22.el6.x86_64.rpm	SHA-256: 2928d8aaa2b8c6674a2f572cc83d539f82c6d14dc45310c5fdffae63c87350a8
httpd24-httpd-debuginfo-2.4.6-22.el6.x86_64.rpm	SHA-256: 52e0b881d44d4c8348cb99c9955267e6da884809cc618cfb29a56982a0c3055f
httpd24-httpd-devel-2.4.6-22.el6.x86_64.rpm	SHA-256: aafb451abde861c7d3ed89216f7844037cb813768d3bc45ba018a7a8d73cf213
httpd24-httpd-manual-2.4.6-22.el6.noarch.rpm	SHA-256: 8faa3f6b50923b2cc3edb88bcf622a932c44d80915cbd2f07fc49611df2cd7f8
httpd24-httpd-tools-2.4.6-22.el6.x86_64.rpm	SHA-256: 830d50f05e4a4947b4e78266127a3f9aa0ba600312e3574abce841ca41cc131c
httpd24-mod_ldap-2.4.6-22.el6.x86_64.rpm	SHA-256: f2cf9494acb250d663b2d333d62eb58d26f6f2ebf49070c8df85771c9baad8e8
httpd24-mod_proxy_html-2.4.6-22.el6.x86_64.rpm	SHA-256: e6037e524b9056436fa0c486acff1efcb631908cc1997206fc81710c88da573a
httpd24-mod_session-2.4.6-22.el6.x86_64.rpm	SHA-256: e101ccfc1f0cd821d63f455f1c36fd71d4c65c016998236ddf51a00e32df0951
httpd24-mod_ssl-2.4.6-22.el6.x86_64.rpm	SHA-256: c713845de30042dc9a3e3ea22c6f192767af2bfee16e3a2271433f3018074f92

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
httpd24-httpd-2.4.6-25.el7.src.rpm	SHA-256: 724f639aaac6cef7430edb7f4d813584ae32b5ddf2a498bc95697fe59d939744
x86_64
httpd24-httpd-2.4.6-25.el7.x86_64.rpm	SHA-256: 5f9398f202205478a28a5e37f170e00e416c3b095f980e24f405fe4c549a35d9
httpd24-httpd-debuginfo-2.4.6-25.el7.x86_64.rpm	SHA-256: ecc32cd3bceee383ae20b987b5b1e8f9d752fd274cbbf58117f1791222df70b3
httpd24-httpd-devel-2.4.6-25.el7.x86_64.rpm	SHA-256: 081069f5c4ad575e6a384ee89c6175b0d87602902873976497cdadf5f50caa35
httpd24-httpd-manual-2.4.6-25.el7.noarch.rpm	SHA-256: 7479a6f95ed1f12c3b183eedad5def5916335a0eccecb77eb8b582223e5e0efc
httpd24-httpd-tools-2.4.6-25.el7.x86_64.rpm	SHA-256: 3cb193dbd5838411249b50af663785df710f1780939e0b1289c7c3d5bd6fb467
httpd24-mod_ldap-2.4.6-25.el7.x86_64.rpm	SHA-256: 0f8ab71c2f1e1f27b6675fd4b120e408017ec543acb4602e29b4b9600438b422
httpd24-mod_proxy_html-2.4.6-25.el7.x86_64.rpm	SHA-256: fa7d93a059b1f12a491d1243a4afb4e1db02c4d239bdd89a265ebe03e45b183f
httpd24-mod_session-2.4.6-25.el7.x86_64.rpm	SHA-256: fa8875bad8fad8b7ad4319213bdbb121364f6e5588b99c401fbd4a6cd7a3d272
httpd24-mod_ssl-2.4.6-25.el7.x86_64.rpm	SHA-256: 98feb0361e2f6eed00f0fe617c5093b85b1da8b5b365b6795846f0b2d3ca7ecf

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6

SRPM
httpd24-httpd-2.4.6-22.el6.src.rpm	SHA-256: 571dce59120c3a3e887a9e384abdd52004a6ac3bedfa63fd52389604ff217159
x86_64
httpd24-httpd-2.4.6-22.el6.x86_64.rpm	SHA-256: 2928d8aaa2b8c6674a2f572cc83d539f82c6d14dc45310c5fdffae63c87350a8
httpd24-httpd-debuginfo-2.4.6-22.el6.x86_64.rpm	SHA-256: 52e0b881d44d4c8348cb99c9955267e6da884809cc618cfb29a56982a0c3055f
httpd24-httpd-devel-2.4.6-22.el6.x86_64.rpm	SHA-256: aafb451abde861c7d3ed89216f7844037cb813768d3bc45ba018a7a8d73cf213
httpd24-httpd-manual-2.4.6-22.el6.noarch.rpm	SHA-256: 8faa3f6b50923b2cc3edb88bcf622a932c44d80915cbd2f07fc49611df2cd7f8
httpd24-httpd-tools-2.4.6-22.el6.x86_64.rpm	SHA-256: 830d50f05e4a4947b4e78266127a3f9aa0ba600312e3574abce841ca41cc131c
httpd24-mod_ldap-2.4.6-22.el6.x86_64.rpm	SHA-256: f2cf9494acb250d663b2d333d62eb58d26f6f2ebf49070c8df85771c9baad8e8
httpd24-mod_proxy_html-2.4.6-22.el6.x86_64.rpm	SHA-256: e6037e524b9056436fa0c486acff1efcb631908cc1997206fc81710c88da573a
httpd24-mod_session-2.4.6-22.el6.x86_64.rpm	SHA-256: e101ccfc1f0cd821d63f455f1c36fd71d4c65c016998236ddf51a00e32df0951
httpd24-mod_ssl-2.4.6-22.el6.x86_64.rpm	SHA-256: c713845de30042dc9a3e3ea22c6f192767af2bfee16e3a2271433f3018074f92

Red Hat Software Collections (for RHEL Server) from RHUI 1 for RHEL 7

SRPM
httpd24-httpd-2.4.6-25.el7.src.rpm	SHA-256: 724f639aaac6cef7430edb7f4d813584ae32b5ddf2a498bc95697fe59d939744
x86_64
httpd24-httpd-2.4.6-25.el7.x86_64.rpm	SHA-256: 5f9398f202205478a28a5e37f170e00e416c3b095f980e24f405fe4c549a35d9
httpd24-httpd-debuginfo-2.4.6-25.el7.x86_64.rpm	SHA-256: ecc32cd3bceee383ae20b987b5b1e8f9d752fd274cbbf58117f1791222df70b3
httpd24-httpd-devel-2.4.6-25.el7.x86_64.rpm	SHA-256: 081069f5c4ad575e6a384ee89c6175b0d87602902873976497cdadf5f50caa35
httpd24-httpd-manual-2.4.6-25.el7.noarch.rpm	SHA-256: 7479a6f95ed1f12c3b183eedad5def5916335a0eccecb77eb8b582223e5e0efc
httpd24-httpd-tools-2.4.6-25.el7.x86_64.rpm	SHA-256: 3cb193dbd5838411249b50af663785df710f1780939e0b1289c7c3d5bd6fb467
httpd24-mod_ldap-2.4.6-25.el7.x86_64.rpm	SHA-256: 0f8ab71c2f1e1f27b6675fd4b120e408017ec543acb4602e29b4b9600438b422
httpd24-mod_proxy_html-2.4.6-25.el7.x86_64.rpm	SHA-256: fa7d93a059b1f12a491d1243a4afb4e1db02c4d239bdd89a265ebe03e45b183f
httpd24-mod_session-2.4.6-25.el7.x86_64.rpm	SHA-256: fa8875bad8fad8b7ad4319213bdbb121364f6e5588b99c401fbd4a6cd7a3d272
httpd24-mod_ssl-2.4.6-25.el7.x86_64.rpm	SHA-256: 98feb0361e2f6eed00f0fe617c5093b85b1da8b5b365b6795846f0b2d3ca7ecf

Red Hat Software Collections (for RHEL Server) from RHUI 1 for RHEL 6

SRPM
httpd24-httpd-2.4.6-22.el6.src.rpm	SHA-256: 571dce59120c3a3e887a9e384abdd52004a6ac3bedfa63fd52389604ff217159
x86_64
httpd24-httpd-2.4.6-22.el6.x86_64.rpm	SHA-256: 2928d8aaa2b8c6674a2f572cc83d539f82c6d14dc45310c5fdffae63c87350a8
httpd24-httpd-debuginfo-2.4.6-22.el6.x86_64.rpm	SHA-256: 52e0b881d44d4c8348cb99c9955267e6da884809cc618cfb29a56982a0c3055f
httpd24-httpd-devel-2.4.6-22.el6.x86_64.rpm	SHA-256: aafb451abde861c7d3ed89216f7844037cb813768d3bc45ba018a7a8d73cf213
httpd24-httpd-manual-2.4.6-22.el6.noarch.rpm	SHA-256: 8faa3f6b50923b2cc3edb88bcf622a932c44d80915cbd2f07fc49611df2cd7f8
httpd24-httpd-tools-2.4.6-22.el6.x86_64.rpm	SHA-256: 830d50f05e4a4947b4e78266127a3f9aa0ba600312e3574abce841ca41cc131c
httpd24-mod_ldap-2.4.6-22.el6.x86_64.rpm	SHA-256: f2cf9494acb250d663b2d333d62eb58d26f6f2ebf49070c8df85771c9baad8e8
httpd24-mod_proxy_html-2.4.6-22.el6.x86_64.rpm	SHA-256: e6037e524b9056436fa0c486acff1efcb631908cc1997206fc81710c88da573a
httpd24-mod_session-2.4.6-22.el6.x86_64.rpm	SHA-256: e101ccfc1f0cd821d63f455f1c36fd71d4c65c016998236ddf51a00e32df0951
httpd24-mod_ssl-2.4.6-22.el6.x86_64.rpm	SHA-256: c713845de30042dc9a3e3ea22c6f192767af2bfee16e3a2271433f3018074f92

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories