Product SiteDocumentation Site

1.81.  httpd

1.81.1.  RHSA-2009:1148: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1148
Updated httpd packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
The Apache HTTP Server is a popular Web server.
A denial of service flaw was found in the Apache mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time. (CVE-2009-1890)
A denial of service flaw was found in the Apache mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)
All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

1.81.2.  RHSA-2009:1075: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1075
Updated httpd packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Apache HTTP Server is a popular and freely-available Web server.
A flaw was found in the handling of compression structures between mod_ssl and OpenSSL. If too many connections were opened in a short period of time, all system memory and swap space would be consumed by httpd, negatively impacting other processes, or causing a system crash. (CVE-2008-1678)
Note: The CVE-2008-1678 issue did not affect Red Hat Enterprise Linux 5 prior to 5.3. The problem was introduced via the RHBA-2009:0181 errata in Red Hat Enterprise Linux 5.3, which upgraded OpenSSL to the newer 0.9.8e version.
A flaw was found in the handling of the "Options" and "AllowOverride" directives. In configurations using the "AllowOverride" directive with certain "Options=" arguments, local users were not restricted from executing commands from a Server-Side-Include script as intended. (CVE-2009-1195)
All httpd users should upgrade to these updated packages, which contain backported patches to resolve these issues. Users must restart httpd for this update to take effect.

1.81.3.  RHBA-2009:1380: bug fix update

Updated httpd packages that fix various bugs are now available.
The Apache HTTP Server is a popular and freely-available Web server.
These updated httpd packages provide fixes for the following bugs:
  • Apache's mod_mime_magic module attempts to determine the MIME type of files using heuristic tests. However, the "magic" file used by the mod_mime_magic module was unable to detect PNG images correctly as being of MIME type "image/png", which this update corrects. (BZ#240844)
  • when using a reverse-proxy configuration with the mod_nss module being used in place of the usual mod_ssl module, the mod_proxy module failed to pass the hostname, which resulted in this error message: "Requested domain name does not match the server's certificate". The hostname is now passed correctly so that secure HTTP (https) connections no longer fail due to this error. (BZ#479410)
  • the "mod_ssl" module placed a hard-coded 128K limit on the amount of request body data which would be buffered if an SSL renegotiation was required in a Location or Directory context. This could occur if a POST request was made to a Directory or Location which required client certificate authentication. The limit on the amount of data to buffer is now configurable using the "SSLRenegBufferSize" directive. (BZ#479806)
  • when configuring a reverse proxy using an .htaccess file (instead of httpd.conf) by using a "RewriteRule" to proxy requests using the "[P]" flag, space characters in URIs would not be correctly escaped in remote server requests, resulting in "404 Not Found" response codes. This has been fixed so that .htaccess-configured reverse proxies perform proper character-escaping. (BZ#480604)
  • if an error occurred when invoking a CGI script, the "500 Internal Server Error" error document was not generated. (BZ#480932)
  • the mod_speling module attempts to correct misspellings of URLs. When the "AcceptPathInfo" directive was not enabled, then mod_speling did not handle and correct misspelled directory names. This has been fixed so that directory names are always handled, and possibly corrected, by the mod_speling module, regardless of the value that "AcceptPathInfo" is set to. (BZ#485524)
  • if request body data was buffered when an SSL renegotiation was required in a Location or Directory context, then the buffered data was discarded if an internal redirect occurred. (BZ#488886)
  • the httpd init script did not reference the process ID stored by a running daemon, and invocations could affect other httpd processes running on the system. (BZ#491135)
  • during a graceful restart, a spurious "Bad file descriptor" error message was sometimes logged. The error, though harmless, occurred because the socket on which the server called the accept() function was immediately closed in child processes upon receipt of the graceful restart signal. This error message is no longer logged. (BZ#233955)
  • during a graceful restart, the following spurious error messages were logged by the mod_rewrite module if the "RewriteLog" directive was configured: "apr_global_mutex_lock(rewrite_log_lock) failed". (BZ#493023)
  • Apache's mod_ext_filter module sometimes logged this spurious error message if an input filter was configured and an error response was sent: "Bad file descriptor: apr_file_close(child input)". (BZ#479463)
  • the "%p" format option in the "CustomLog" directive, used to log a port number in a request, did not respect the "remote" and "local" specifiers. (BZ#493070)
  • the httpd package inappropriately obsoleted the "mod_jk" package; it no longer does so. (BZ#493592)
  • an invalid HTTP status code—such as 70007—was logged to the access log if a timeout or other input error occurred while reading the request body during processing of a CGI script. (BZ#498170)
  • a security issue fix (CVE-2009-1195) in Server-Side Include (SSI) Options-handling inadvertently broke backwards-compatibility with the mod_perl module. (BZ#502998)
Users are advised to upgrade to these updated packages, which resolve these issues.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.