=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: httpd security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:0325-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2015:0325.html
Issue date:        2015-03-05
CVE Names:         CVE-2013-5704 CVE-2014-3581 
====================================================================
1. Summary:

Updated httpd packages that fix two security issues, several bugs, and add
various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers. (CVE-2013-5704)
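A toy model of the trailer-merging problem described above, added here as an illustration and not httpd's own code. It reads the header block, applies a mod_headers-style "unset" rule, then decodes the chunked body and either merges the trailer fields into the same header table (the pre-fix behaviour) or keeps them apart (what the fix does; upstream httpd later exposed the choice as the MergeTrailers directive). The request bytes, the X-Admin header and the rule are constructed for the example.

```python
"""
Toy model of the trailer-merging behaviour behind CVE-2013-5704.

httpd reads the request header block first; modules such as mod_headers
run their rules against it. Only afterwards does the chunked body get
read, and its trailer section may carry further header fields. In the
vulnerable behaviour those fields were merged into the same header table
after the rules had already run, so a field a rule had removed could be
re-introduced by the client. The fixed behaviour keeps trailers apart.
Request bytes, header names and the rule below are all constructed.
"""
from typing import Dict, Tuple

# Constructed policy, standing in for: RequestHeader unset X-Admin
STRIPPED_HEADERS = {"x-admin"}


def parse_header_block(block: bytes) -> Dict[str, str]:
    """Parse CRLF-separated 'Name: value' lines into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return headers


def dechunk(body: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body. Returns (payload, raw trailer block)."""
    payload = b""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk-ext
        pos = eol + 2
        if size == 0:
            break
        payload += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
    # After the last-chunk: zero or more trailer lines, then an empty line.
    rest = body[pos:]
    if rest.startswith(b"\r\n"):
        return payload, b""
    end = rest.index(b"\r\n\r\n")
    return payload, rest[:end + 2]


def request_headers_seen_by_backend(raw: bytes, merge_trailers: bool) -> Dict[str, str]:
    """Return the header table a handler running after the rules would observe."""
    head, _, body = raw.partition(b"\r\n\r\n")
    _request_line, _, header_block = head.partition(b"\r\n")
    headers = parse_header_block(header_block)

    # The mod_headers-style rule runs once, on what has been read so far.
    for name in STRIPPED_HEADERS:
        headers.pop(name, None)

    if headers.get("transfer-encoding", "").lower() != "chunked":
        return headers
    _payload, trailer_block = dechunk(body)
    trailers = parse_header_block(trailer_block)
    if merge_trailers:
        # Pre-fix behaviour: trailer fields join the table after the rule ran.
        headers.update(trailers)
    return headers


# Constructed request: the header the rule strips is re-sent as a trailer.
SAMPLE_REQUEST = (
    b"POST /admin/action HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Admin: yes\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Admin\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Admin: yes\r\n"
    b"\r\n"
)


def rule_bypassed(raw: bytes, merge_trailers: bool) -> bool:
    """True if a header the rule stripped is visible to the back end after all."""
    seen = request_headers_seen_by_backend(raw, merge_trailers)
    return any(name in seen for name in STRIPPED_HEADERS)


if __name__ == "__main__":
    print("merge trailers (vulnerable):", rule_bypassed(SAMPLE_REQUEST, True))
    print("separate trailers (fixed):  ", rule_bypassed(SAMPLE_REQUEST, False))
```

The point to take from the model is the ordering: any header-based control that runs before the body is read (mod_headers rules, but also authorisation decisions made on request headers) is only as good as the guarantee that nothing is appended to the table later.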

A NULL pointer dereference flaw was found in the way the mod_cache httpd
module handled Content-Type headers. A malicious HTTP server could cause
the httpd child process to crash when the Apache HTTP server was configured
to proxy to a server with caching enabled. (CVE-2014-3581)

This update also fixes the following bugs:

* Previously, the mod_proxy_fcgi Apache module always kept the back-end
connections open even when they should have been closed. As a consequence,
the number of open file descriptors was increasing over the time. With this
update, mod_proxy_fcgi has been fixed to check the state of the back-end
connections, and it closes the idle back-end connections as expected.
(BZ#1168050)

* An integer overflow occurred in the ab utility when a large request count
was used. Consequently, ab terminated unexpectedly with a segmentation
fault while printing statistics after the benchmark. This bug has been
fixed, and ab no longer crashes in this scenario. (BZ#1092420)

* Previously, when httpd was running in the foreground and the user pressed
Ctrl+C to interrupt the httpd processes, a race condition in signal
handling occurred. The SIGINT signal was sent to all children followed by
SIGTERM from the main process, which interrupted the SIGINT handler.
Consequently, the affected processes became unresponsive or terminated
unexpectedly. With this update, the SIGINT signals in the child processes
are ignored, and httpd no longer hangs or crashes in this scenario.
(BZ#1131006)

In addition, this update adds the following enhancements:

* With this update, the mod_proxy module of the Apache HTTP Server supports
the Unix Domain Sockets (UDS). This allows mod_proxy back ends to listen on
UDS sockets instead of TCP sockets, and as a result, mod_proxy can be used
to connect UDS back ends. (BZ#1168081)

* This update adds support for using the SetHandler directive together with
the mod_proxy module. As a result, it is possible to configure SetHandler
to use proxy for incoming requests, for example, in the following format:
SetHandler "proxy:fcgi://127.0.0.1:9000". (BZ#1136290)

* The htaccess API changes introduced in httpd 2.4.7 have been backported
to httpd shipped with Red Hat Enterprise Linux 7.1. These changes allow for
the MPM-ITK module to be compiled as an httpd module. (BZ#1059143)
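The two mod_proxy enhancements above combine into the configuration a practitioner would usually want. The fragment below is an added example, not from the advisory; it assumes the RHEL 7.1 backport accepts the upstream mod_proxy UDS syntax (unix:/path|scheme://...), that the back end is php-fpm, and the socket path /run/php-fpm/www.sock is hypothetical.

```apache
# Added example (not from the advisory). Assumes the backport uses the
# upstream mod_proxy UDS syntax; /run/php-fpm/www.sock is a hypothetical path.

# Before: FastCGI back end on a loopback TCP port. Any local process can
# connect to 127.0.0.1:9000, so the back end has to trust everything on it.
<FilesMatch "\.php$">
    SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>

# After: the same back end on a Unix domain socket. Who may connect is
# decided by the socket's owner, group and mode (php-fpm sets these with
# listen.owner, listen.group and listen.mode), so only the httpd user
# needs to be allowed in.
<FilesMatch "\.php$">
    SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
</FilesMatch>

# ProxyPass form, for an HTTP back end on a socket:
ProxyPass "/app/" "unix:/run/php-fpm/www.sock|http://localhost/app/"
```

The hostname after the socket path is only used to build the request's Host header and the proxy worker name; the connection itself goes to the socket.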

All httpd users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements. After installing the updated packages, the httpd daemon will
be restarted automatically.
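The check a practitioner wants after reading the package list is whether an installed build meets or exceeds httpd-2.4.6-31.el7. The script below is an added example, not Red Hat tooling: it reimplements enough of rpmvercmp's segment comparison for el7 version and release strings (no epoch or tilde handling, which these packages do not use) and only shells out to rpm -q when run as a script, so the comparison itself can be exercised offline.

```python
"""
Is the installed httpd at or above the build shipped in RHSA-2015:0325?

Added example, not Red Hat tooling. Implements the rpmvercmp rules that
matter for el7 NEVRAs: split version and release on non-alphanumerics,
compare numeric segments as integers and alphabetic ones lexically, a
numeric segment beats an alphabetic one, and the string with segments
left over is newer. Epoch and tilde handling are omitted.
"""
import re
import subprocess
from typing import List, Tuple, Union

FIXED_VERSION = "2.4.6"
FIXED_RELEASE = "31.el7"
# Binary packages built from httpd-2.4.6-31.el7.src.rpm per the advisory.
ADVISORY_PACKAGES = {
    "httpd", "httpd-devel", "httpd-manual", "httpd-tools",
    "mod_ldap", "mod_proxy_html", "mod_session", "mod_ssl",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def _segments(s: str) -> List[Union[int, str]]:
    return [int(t) if t.isdigit() else t for t in _SEGMENT.findall(s)]


def rpm_vercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as rpmvercmp() would (no epoch/tilde support)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1  # numeric is newer
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nevra(nevra: str) -> Tuple[str, str, str, str]:
    """'httpd-2.4.6-31.el7.x86_64' -> ('httpd', '2.4.6', '31.el7', 'x86_64')."""
    name_ver, _, rel_arch = nevra.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    release, _, arch = rel_arch.rpartition(".")
    return name, version, release, arch


def is_fixed(nevra: str) -> bool:
    """True if the package is the advisory build or a later one."""
    name, version, release, _arch = split_nevra(nevra)
    if name not in ADVISORY_PACKAGES:
        raise ValueError("not a package from this advisory: %s" % nevra)
    c = rpm_vercmp(version, FIXED_VERSION)
    if c != 0:
        return c > 0
    return rpm_vercmp(release, FIXED_RELEASE) >= 0


if __name__ == "__main__":
    try:
        out = subprocess.run(["rpm", "-q", "httpd"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        raise SystemExit("could not query rpm: %s" % exc)
    for installed in out.split():
        print(installed, "fixed" if is_fixed(installed) else "NOT FIXED")
```

On a registered RHEL 7 host the authoritative answer comes from the package manager itself (yum updateinfo info RHSA-2015:0325, or yum update --advisory RHSA-2015:0325 to apply it); the script is for hosts or inventories where only the NEVRA is available.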

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1059143 - Feature request: update httpd to 2.4.7 / backport htaccess API changes
1060536 - mod_rewrite doesn't expose client_addr
1073078 - mod_ssl uses small DHE parameters for non standard RSA keys
1073081 - mod_ssl selects correct DHE parameters for keys only up to 4096 bit
1080125 - httpd uses hardcoded curve for ECDHE suites
1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1114123 - RFE: set vstring dynamically
1131006 - Error in `/usr/sbin/httpd': free(): invalid pointer
1131847 - authzprovideralias and authnprovideralias-defined provider can't be used in virtualhost .
1136290 - SetHandler to proxy support
1149709 - CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
httpd-2.4.6-31.el7.src.rpm

noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm

x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
httpd-2.4.6-31.el7.src.rpm

noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm

x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
httpd-2.4.6-31.el7.src.rpm

noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm

ppc64:
httpd-2.4.6-31.el7.ppc64.rpm
httpd-debuginfo-2.4.6-31.el7.ppc64.rpm
httpd-devel-2.4.6-31.el7.ppc64.rpm
httpd-tools-2.4.6-31.el7.ppc64.rpm
mod_ssl-2.4.6-31.el7.ppc64.rpm

s390x:
httpd-2.4.6-31.el7.s390x.rpm
httpd-debuginfo-2.4.6-31.el7.s390x.rpm
httpd-devel-2.4.6-31.el7.s390x.rpm
httpd-tools-2.4.6-31.el7.s390x.rpm
mod_ssl-2.4.6-31.el7.s390x.rpm

x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
httpd-debuginfo-2.4.6-31.el7.ppc64.rpm
mod_ldap-2.4.6-31.el7.ppc64.rpm
mod_proxy_html-2.4.6-31.el7.ppc64.rpm
mod_session-2.4.6-31.el7.ppc64.rpm

s390x:
httpd-debuginfo-2.4.6-31.el7.s390x.rpm
mod_ldap-2.4.6-31.el7.s390x.rpm
mod_proxy_html-2.4.6-31.el7.s390x.rpm
mod_session-2.4.6-31.el7.s390x.rpm

x86_64:
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
httpd-2.4.6-31.el7.src.rpm

noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm

x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-5704
https://access.redhat.com/security/cve/CVE-2014-3581
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
