Updated httpd24-httpd packages that fix two security issues and one bug are now available for Red Hat Software Collections 1.

Red Hat Product Security has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled. (CVE-2014-3581)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. (CVE-2013-5704)

Note: With this update, httpd has been modified to not merge HTTP Trailer headers with other HTTP request headers. A newly introduced configuration directive MergeTrailers can be used to re-enable the old method of processing Trailer headers, which also re-introduces the aforementioned flaw.

This update also fixes the following bug:

* Prior to this update, the mod_proxy_wstunnel module failed to set up an SSL connection when configured to use a back end server using the “wss:” URL scheme, causing proxied connections to fail. In these updated packages, SSL is used when proxying to “wss:” back end servers. (BZ#1141950)

All httpd24-httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd24-httpd service will be restarted automatically.
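Because the note above says that enabling MergeTrailers re-introduces CVE-2013-5704, a post-update check of the configuration is worthwhile. The following is an added example, not part of the Red Hat advisory: it scans httpd configuration text and reports every scope whose last MergeTrailers setting is On. The sample configuration, host names and header name are constructed; Include files are not followed and inheritance from the server config into virtual hosts is not modelled.

```python
# Added example: report scopes in httpd configuration text that enable MergeTrailers.
SAMPLE_CONF = """\
ServerName www.example.test
# MergeTrailers on   (commented out, must be ignored)
MergeTrailers Off

<VirtualHost *:80>
    ServerName legacy.example.test
    RequestHeader unset X-Internal-User
    mergetrailers \\
        On
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.test
</VirtualHost>
"""  # constructed sample, not taken from the advisory

def logical_lines(text):
    """Yield (first_line_no, text), joining backslash continuations, skipping comments."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line = (buf + raw).strip()
        first, buf, start = start, "", None
        if line and not line.startswith("#"):
            yield first, line

def find_merged_trailers(text):
    """Return sorted [(line_no, scope)] where the last MergeTrailers in a scope is On."""
    effective, scopes = {}, ["server config"]
    for n, line in logical_lines(text):
        if line.startswith("</"):
            if len(scopes) > 1:
                scopes.pop()
        elif line.startswith("<"):
            # Label each section with its line so identical vhost specs stay distinct.
            scopes.append(f"{line.strip('<>').strip()} (line {n})")
        else:
            parts = line.split()
            # Directive names and on/off arguments are case-insensitive in httpd.
            if parts[0].lower() == "mergetrailers" and len(parts) > 1:
                effective[scopes[-1]] = (n, parts[1].lower() == "on")
    return sorted((n, scope) for scope, (n, on) in effective.items() if on)

if __name__ == "__main__":
    print(find_merged_trailers(SAMPLE_CONF))
```

Any scope reported here also carries mod_headers rules (such as the constructed `RequestHeader unset` line) that trailers can bypass while the directive stays On.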
Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

Red Hat Software Collections 1 for RHEL 6

SRPMS:
httpd24-httpd-2.4.6-22.el6.src.rpm

x86_64:
httpd24-httpd-2.4.6-22.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.6-22.el6.x86_64.rpm
httpd24-httpd-devel-2.4.6-22.el6.x86_64.rpm
httpd24-httpd-manual-2.4.6-22.el6.noarch.rpm
httpd24-httpd-tools-2.4.6-22.el6.x86_64.rpm
httpd24-mod_ldap-2.4.6-22.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.6-22.el6.x86_64.rpm
httpd24-mod_session-2.4.6-22.el6.x86_64.rpm
httpd24-mod_ssl-2.4.6-22.el6.x86_64.rpm
 
Red Hat Software Collections 1 for RHEL 7

SRPMS:
httpd24-httpd-2.4.6-25.el7.src.rpm

x86_64:
httpd24-httpd-2.4.6-25.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.6-25.el7.x86_64.rpm
httpd24-httpd-devel-2.4.6-25.el7.x86_64.rpm
httpd24-httpd-manual-2.4.6-25.el7.noarch.rpm
httpd24-httpd-tools-2.4.6-25.el7.x86_64.rpm
httpd24-mod_ldap-2.4.6-25.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.6-25.el7.x86_64.rpm
httpd24-mod_session-2.4.6-25.el7.x86_64.rpm
httpd24-mod_ssl-2.4.6-25.el7.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)
1082903 – CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1141950 – Request to resolve upstream bug 55320
1149709 – CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
