Este conteúdo não está disponível no idioma selecionado.
7.82. httpd
Updated httpd packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.
Security Fixes
- CVE-2008-0455, CVE-2012-2687
- An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site.
- CVE-2012-4557
- It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed.
Bug Fixes
- BZ#787247
- When the Apache module mod_proxy was configured, and a particular back-end URL was reverse proxied into the server two or more times, a spurious warning in the following format was given:
[warn] worker [URL] already used by another worker
The level of this message has been changed from WARNING to INFO as it is not incorrect to proxy more than one URL to the same back-end server. - BZ#822587
- The mod_cache module did not handle
206
partialHTTP
responses correctly. This resulted in incorrect responses being returned to clients if a cache was configured. With this update, mod_cache no longer caches206
responses, thus ensuring correct responses are returned. - BZ#829689
- If
LDAP
authentication was used with a Novell eDirectory LDAP server, mod_ldap could return500 Internal Server Error
response if the LDAP server was temporarily unavailable. This update fixes mod_ldap to retry LDAP requests if the server is unavailable, and the500
errors will not be returned in this case. - BZ#837086
- Previously, mod_proxy_connect performed unnecessary
DNS
queries whenProxyRemote
was configured. Consequently, in configurations withProxyRemote
, mod_proxy_connect could either fail to connect, or be slow to connect to the remote server. This update changes mod_proxy to omit DNS queries ifProxyRemote
is configured. As a result, the proxy no longer fails in such configurations. - BZ#837613
- When an
SSL
request failed and the-v 2
option was used, the ApacheBench (ab) benchmarking tool tried to free a certificate twice. Consequently, ab terminated unexpectedly due to a doublefree()
error. The ab tool has been fixed to free certificates only once. As a result, the ab tool no longer crashes in the scenario described. - BZ#848954
- Previously, mod_ssl presumed the private key was set after the certificate in
SSLProxyMachineCertificateFile
. Consequently, httpd terminated unexpectedly if the private key had been set before the certificate in SSLProxyMachineCertificateFile. This update improves mod_ssl to check if the private key is set before the certificate. As a result, mod_ssl no longer crashes in this situation and prints an error message instead. - BZ#853160
- Prior to this update, mod_proxy_ajp did not correctly handle a
flush
message from a Java application server if received before theHTTP
response headers had been sent. Consequently, users could receive a truncated response page without the correct HTTP headers. This update fixes mod_proxy_ajp to ignoreflush
messages before the HTTP response headers have been sent. As a result, truncated responses are no longer sent in scenario described. - BZ#853348
- In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a
description
string was received from the origin server, for a non-standard status code, such as the450
status code, a500 Internal Server Error
would be returned to the client. This bug has been fixed so that the original response line is returned to the client. - BZ#867268
- Previously, the value of
${cookie}C
in theLogFormat
directive's definition matched substrings of cookie. Consequently, a bad cookie could be printed if its name contained a substring of the name defined inLogFormat
using the${cookie}C
string. With this update, the code is improved so that cookie names are now matched exactly. As a result, a proper cookie is returned even when there are other cookies with its substring in their name. - BZ#867745
- Previously, no check was made to see if the
/etc/pki/tls/private/localhost.key
file was a valid key prior to running the%post
script for the mod_ssl package. Consequently, when/etc/pki/tls/certs/localhost.crt
did not exist andlocalhost.key
was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The%post
script has been fixed to test for an existingSSL
key. As a result, upgrading httpd with mod_ssl now proceeds as expected. - BZ#868253
- Previously, in a reverse proxy configuration, mod_cache did not correctly handle a
304 Not Modified
response from the origin server when refreshing a cache entry. Consequently, in some cases an empty page was returned to a client requesting an entity which already existed in the cache. This update fixes handling of304 Not Modified
responses in mod_cache and as a result no empty pages will be displayed in the scenario described. - BZ#868283
- Due to a regression, when mod_cache received a non-cacheable
304
response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client.
Enhancements
- BZ#748400
- The Apache module mod_proxy now allows changing the BalancerMember state in the web interface.
- BZ#757735
- The rotatelogs program now provides a new
rotatelogs
-p
option to execute a custom program after each log rotation. - BZ#757739
- The rotatelogs program now provides a new
rotatelogs
-c
option to create log files for each set interval, even if empty. - BZ#796958
- The
LDAPReferrals
configuration directive has been added, as an alias for the existingLDAPChaseReferrals
directive. - BZ#805720
- The mod_proxy and mod_ssl modules have been updated to support the concurrent use of the mod_nss (NSS) and mod_ssl (OpenSSL) modules.
- BZ#805810
- An init script for the
htcacheclean
daemon has been added. - BZ#824571
- The
failonstatus
parameter has been added for balancer configuration in mod_proxy. - BZ#828896
- Previously, mod_authnz_ldap had the ability to set environment variables from received
LDAP
attributes, but only by LDAP authentication, not by LDAP authorization. Consequently, if the mod_authnz_ldap module was used to enable LDAP for authorization but not authentication, theAUTHORIZE_
environment variables were not populated. This update applies a patch to implement setting ofAUTHORIZE_
environment variables using LDAP authorization. As a result, other methods of authentication can be used while using LDAP authorization for setting environment variables for all configured LDAP attributes. - BZ#833064
- The %posttrans scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file
/etc/sysconfig/httpd-disable-posttrans
exists, the scriptlet will not restart the daemon. - BZ#833092
- The output of
httpd -S
now includes configured alias names for each virtual host. - BZ#838493
- The rotatelogs program has been updated to support the
-L
option to create a hard link from the current log to a specified path. - BZ#842375
- New certificate variable names are now exposed by mod_ssl using the
_DN_userID
suffix, such asSSL_CLIENT_S_DN_userID
, which uses the commonly used object identifier (OID) definition ofuserID
, OID 0.9.2342.19200300.100.1.1. - BZ#842376
- Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a
chunk-size
orchunk-extension
value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs.
Users of httpd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.