Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.0524
Low: httpd security, bug fix, and enhancement update
6 March 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: httpd
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Impact/Access: Unauthorised Access -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-3581 CVE-2013-5704
Reference: ASB-2015.0009
ESB-2015.0224
ESB-2014.2342
Original Bulletin:
https://rhn.redhat.com/errata/RHSA-2015-0325.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Low: httpd security, bug fix, and enhancement update
Advisory ID: RHSA-2015:0325-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0325.html
Issue date: 2015-03-05
CVE Names: CVE-2013-5704 CVE-2014-3581
=====================================================================
1. Summary:
Updated httpd packages that fix two security issues, several bugs, and add
various enhancements are for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.
A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers. (CVE-2013-5704)
A NULL pointer dereference flaw was found in the way the mod_cache httpd
module handled Content-Type headers. A malicious HTTP server could cause
the httpd child process to crash when the Apache HTTP server was configured
to proxy to a server with caching enabled. (CVE-2014-3581)
This update also fixes the following bugs:
* Previously, the mod_proxy_fcgi Apache module always kept the back-end
connections open even when they should have been closed. As a consequence,
the number of open file descriptors was increasing over the time. With this
update, mod_proxy_fcgi has been fixed to check the state of the back-end
connections, and it closes the idle back-end connections as expected.
(BZ#1168050)
* An integer overflow occurred in the ab utility when a large request count
was used. Consequently, ab terminated unexpectedly with a segmentation
fault while printing statistics after the benchmark. This bug has been
fixed, and ab no longer crashes in this scenario. (BZ#1092420)
* Previously, when httpd was running in the foreground and the user pressed
Ctrl+C to interrupt the httpd processes, a race condition in signal
handling occurred. The SIGINT signal was sent to all children followed by
SIGTERM from the main process, which interrupted the SIGINT handler.
Consequently, the affected processes became unresponsive or terminated
unexpectedly. With this update, the SIGINT signals in the child processes
are ignored, and httpd no longer hangs or crashes in this scenario.
(BZ#1131006)
In addition, this update adds the following enhancements:
* With this update, the mod_proxy module of the Apache HTTP Server supports
the Unix Domain Sockets (UDS). This allows mod_proxy back ends to listen on
UDS sockets instead of TCP sockets, and as a result, mod_proxy can be used
to connect UDS back ends. (BZ#1168081)
* This update adds support for using the SetHandler directive together with
the mod_proxy module. As a result, it is possible to configure SetHandler
to use proxy for incoming requests, for example, in the following format:
SetHandler "proxy:fcgi://127.0.0.1:9000". (BZ#1136290)
* The htaccess API changes introduced in httpd 2.4.7 have been backported
to httpd shipped with Red Hat Enterprise Linux 7.1. These changes allow for
the MPM-ITK module to be compiled as an httpd module. (BZ#1059143)
All httpd users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements. After installing the updated packages, the httpd daemon will
be restarted automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1059143 - Feature request: update httpd to 2.4.7 / backport htaccess API changes
1060536 - mod_rewrite doesn't expose client_addr
1073078 - mod_ssl uses small DHE parameters for non standard RSA keys
1073081 - mod_ssl selects correct DHE parameters for keys only up to 4096 bit
1080125 - httpd uses hardcoded curve for ECDHE suites
1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1114123 - RFE: set vstring dynamically
1131006 - Error in `/usr/sbin/httpd': free(): invalid pointer
1131847 - authzprovideralias and authnprovideralias-defined provider can't be used in virtualhost .
1136290 - SetHandler to proxy support
1149709 - CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value
6. Package List:
Red Hat Enterprise Linux Client Optional (v. 7):
Source:
httpd-2.4.6-31.el7.src.rpm
noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm
x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source:
httpd-2.4.6-31.el7.src.rpm
noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm
x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
httpd-2.4.6-31.el7.src.rpm
noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm
ppc64:
httpd-2.4.6-31.el7.ppc64.rpm
httpd-debuginfo-2.4.6-31.el7.ppc64.rpm
httpd-devel-2.4.6-31.el7.ppc64.rpm
httpd-tools-2.4.6-31.el7.ppc64.rpm
mod_ssl-2.4.6-31.el7.ppc64.rpm
s390x:
httpd-2.4.6-31.el7.s390x.rpm
httpd-debuginfo-2.4.6-31.el7.s390x.rpm
httpd-devel-2.4.6-31.el7.s390x.rpm
httpd-tools-2.4.6-31.el7.s390x.rpm
mod_ssl-2.4.6-31.el7.s390x.rpm
x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
httpd-debuginfo-2.4.6-31.el7.ppc64.rpm
mod_ldap-2.4.6-31.el7.ppc64.rpm
mod_proxy_html-2.4.6-31.el7.ppc64.rpm
mod_session-2.4.6-31.el7.ppc64.rpm
s390x:
httpd-debuginfo-2.4.6-31.el7.s390x.rpm
mod_ldap-2.4.6-31.el7.s390x.rpm
mod_proxy_html-2.4.6-31.el7.s390x.rpm
mod_session-2.4.6-31.el7.s390x.rpm
x86_64:
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
httpd-2.4.6-31.el7.src.rpm
noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm
x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2013-5704
https://access.redhat.com/security/cve/CVE-2014-3581
https://access.redhat.com/security/updates/classification/#low
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU+G1OXlSAg2UNWIIRApdZAJ9WoUSSz1gMZRg0enaqlQXWp6sZJgCeLTaB
F9KjL6Xrpxvd6e3GWkQBfGE=
=hvwa
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVPk/UBLndAQH1ShLAQINBRAAtf7PSfZqf7b+Dhnkv7c+Ty9ey5tdjm1t
IXWgYdJekM6kJD+fEr+TMmn1+6ZXVnYI+ukiTC6NRnZIJERjCZ4nfNhh37+Cj3cX
jhX1aNLhOfGuKzUucGu39+rufZjjK5gHA4K1f+Yme//iLKJfIyb8NLqu7qOyOn0q
B37MMafvtSuTSkuR3YWdl47P7UDXYLoismY4Ne+2HYeJ/SbhE2VYz/chQSKMCrmi
VJ1K6P8rHyf1Z3d2eqURu0h9zotbh3fPZGfThikIcD9jmcUoYwUkIND1DK8e/zv6
yAaBT5XkWCi3D253XjXm/xm41zHQhi0qM7EP+Wfsi7nw61sPfvb4NubVgWxTF9Az
HCrowHEuuEUJfHDoRs7C2gg091dR+2mvoD9h5yWLCa5MXra6dkOvk2AkOYua+D+Z
hdFfTX5kzMYpLQnyLVYaDBaPAAX4U2H6qKfsieCakHqHu8X8hfIvdy2H1P8Lh/BP
Yb6vywZ4qtmNeCSX29SRiCSWg1UNO6fMDMwOXhIjTBCx12CvzqJ8IMRfWz8qjdX4
EWOw/OibdTJV31f6d12kJaUagyWyTrgaNMxjXHrLFIaUGOVhEdsSJ85PvQXpZ0Ps
CObK3AuWanBNkaUNDEnpX5YP3NVMWPL7BB0Yd8AYdDR6r9IP0rIVQiNuW2OZO+cW
zti4yKZjNMI=
=4yUQ
-----END PGP SIGNATURE-----