RedHat: Moderate: httpd security update
Posted by Benjamin D. Thomas   
Updated Apache httpd packages that correct security issues and resolve bugs are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd security update
Advisory ID:       RHSA-2006:0619-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2006-0619.html
Issue date:        2006-08-10
Updated on:        2006-08-10
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2006-3918 
- ---------------------------------------------------------------------

1. Summary:

Updated Apache httpd packages that correct security issues and resolve bugs
are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

The Apache HTTP Server is a popular Web server available for free.

A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message.  This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header.  (CVE-2006-3918)

While a web browser cannot be forced to send an arbitrary Expect
header by a third-party attacker, it was recently discovered that
certain versions of the Flash plugin can manipulate request headers.
If users running such versions can be persuaded to load a web page
with a malicious Flash applet, a cross-site scripting attack against
the server may be possible.

On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in
the handling of malformed Expect headers, the page produced by the
cross-site scripting attack will only be returned after a timeout expires
(2-5 minutes by default) if not first canceled by the user.

Users of httpd should update to these erratum packages, which contain a
backported patch to correct these issues.
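As an added illustration of the bug class described above (not Apache's code and not part of the advisory), the following models a server that rejects an unknown Expect value with a 417 error page and echoes that value back in the body, once verbatim and once HTML-escaped before reflection; the request, host name and marker are constructed.

```python
import html

# Constructed model of the reflection behind CVE-2006-3918: an unknown Expect
# value triggers a 417 whose HTML body repeats the value. Not Apache's code.
ERROR_TEMPLATE = (
    "<html><head><title>417 Expectation Failed</title></head><body>\n"
    "<h1>Expectation Failed</h1>\n"
    "<p>The expectation given in the Expect request-header field could not "
    "be met by this server.</p>\n<p>The client sent <pre>\n    Expect: {expect}\n"
    "</pre>\nbut we only handle the 100-continue expectation.</p>\n</body></html>\n"
)

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request head into {lowercase header name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def error_417_vulnerable(expect: str) -> str:
    """Pre-fix behaviour: the header value is dropped into HTML verbatim."""
    return ERROR_TEMPLATE.format(expect=expect)

def error_417_fixed(expect: str) -> str:
    """Hardened form: '<', '>', '&' and quotes are escaped before reflection."""
    return ERROR_TEMPLATE.format(expect=html.escape(expect, quote=True))

def handle(raw: bytes, fixed: bool) -> tuple:
    """Return (status, body); only '100-continue' is an understood expectation."""
    expect = parse_request(raw).get("expect")
    if expect is None or expect.lower() == "100-continue":
        return 200, "<html><body>OK</body></html>"
    build = error_417_fixed if fixed else error_417_vulnerable
    return 417, build(expect)

# Constructed request carrying a harmless HTML fragment in the Expect header.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
          b"Expect: <em>marker</em>\r\n\r\n")

def reflected_raw(raw: bytes, fixed: bool) -> bool:
    """True when the Expect value reaches the body with its markup intact."""
    status, body = handle(raw, fixed)
    return status == 417 and "<em>marker</em>" in body
```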

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

200732 - CVE-2006-3918 Expect header XSS

6. RPMs required:

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.