4.83. httpd

Updated httpd packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
The Apache HTTP Server is a popular web server.
Security Fix
CVE-2011-3192
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header.
All httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
Updated httpd packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The Apache HTTP Server is a popular web server.
Security Fixes
CVE-2011-3368
It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker.
CVE-2011-3348
It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed.
Red Hat would like to thank Context Information Security for reporting the CVE-2011-3368 issue.

Bug Fix

BZ#736592
The fix for CVE-2011-3192 provided by the RHSA-2011:1245 update introduced regressions in the way httpd handled certain Range HTTP header values. This update corrects those regressions.
All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
Updated httpd packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The Apache HTTP Server is a popular web server.

Bug Fixes

BZ#694939
The Apache module "mod_proxy" implements a proxy or gateway for the Apache web server. The "ProxyErrorOverride On" option did not work if used with "mod_proxy_ajp", the AJP support module for mod_proxy. Consequently, when accessing a 404 URL in the "/static" context, which was proxied with AJP, the 404 page from the proxy was displayed rather than the 404 page from Apache itself. This update corrects the code and accessing 404 URLs now works as intended, via Apache, as defined in "ErrorDocument".
BZ#700074
When a backend server sends data via SSL, and is using chunked transfer encoding, the backend splits the chunk between two different SSL blocks. Prior to this update, when transferring data via SSL through a reverse proxy implemented with Apache, "mod_proxy", and "mod_ssl", the end of the first SSL block was sometimes lost and the length of the next chunk was thus invalid. Consequently, files were sometimes corrupted during transfer via SSL. This update implements a backported fix to this problem and the error no longer occurs.
BZ#700075
The "FilterProvider" directive of the "mod_filter" module was unable to match against non-standard HTTP response headers. Consequently, output content data was not filtered or processed as expected by httpd in certain configurations. With this update, a backported patch has been applied to address this issue, and the FilterProvider directive is now able to match against non-standard HTTP response headers as expected.
BZ#700393
In situations where httpd could not allocate memory, httpd sometimes terminated unexpectedly with a segmentation fault rather than terminating the process with an error message. With this update, a patch has been applied to correct this issue and httpd no longer crashes in the scenario described.
BZ#714704
Server Name Indication (SNI) sends the name of the virtual domain as part of the TLS negotiation. Prior to this enhancement, if a client sent the wrong SNI data, the client would be rejected. With this update, in configurations where SNI is not required, "mod_ssl" can ignore the SNI hostname "hint".
BZ#720980
Prior to this update, httpd terminated unexpectedly on startup with a segmentation fault when proxy client certificates were shared across multiple virtual hosts (using the SSLProxyMachineCertificateFile directive). With this update a patch has been applied and httpd no longer crashes in the scenario described.
BZ#729585
When the "SSLCryptoDevice" config variable in "ssl.conf" was set to an unknown or invalid value, the httpd daemon would terminate unexpectedly with a segmentation fault at startup. With this update the code has been corrected, httpd no longer crashes, and httpd will issue an appropriate error message in this scenario.
BZ#737960
If using mod_proxy_ftp, an httpd process could terminate unexpectedly with a segmentation fault when tests were made on an IPv6 localhost enabled machine. This update implements improvements to the code and the mod_proxy_ftp process no longer crashes in the scenario described.
BZ#740242
When using the "mod_cache" module, by default, the "CacheMaxExpire" directive is only applied to responses which do not specify their expiry date. Previously, it was not possible to limit the maximum expiry time for all resources. This update applies a patch which adapts the mod_cache module to provide support for "hard" as a second argument of the CacheMaxExpire directive, allowing a maximum expiry time to be enforced for all resources.
BZ#676634
The "mod_reqtimeout" module, when enabled, allows fine-grained timeouts to be applied during request parsing. The mod_reqtimeout module has been backported from upstream in this update.
All users of httpd are advised to upgrade to these updated packages, which fix these bugs.