===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0524
          Low: httpd security, bug fix, and enhancement update
                               6 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           httpd
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
                   Denial of Service   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3581 CVE-2013-5704
Reference:         ASB-2015.0009 ESB-2015.0224 ESB-2014.2342

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2015-0325.html

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: httpd security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:0325-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0325.html
Issue date:        2015-03-05
CVE Names:         CVE-2013-5704 CVE-2014-3581
=====================================================================

1. Summary:

Updated httpd packages that fix two security issues, several bugs, and add
various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers. (CVE-2013-5704)

A NULL pointer dereference flaw was found in the way the mod_cache httpd
module handled Content-Type headers. A malicious HTTP server could cause
the httpd child process to crash when the Apache HTTP server was
configured to proxy to a server with caching enabled. (CVE-2014-3581)

This update also fixes the following bugs:

* Previously, the mod_proxy_fcgi Apache module always kept the back-end
connections open even when they should have been closed. As a consequence,
the number of open file descriptors was increasing over time. With this
update, mod_proxy_fcgi has been fixed to check the state of the back-end
connections, and it closes the idle back-end connections as expected.
(BZ#1168050)

* An integer overflow occurred in the ab utility when a large request count
was used. Consequently, ab terminated unexpectedly with a segmentation
fault while printing statistics after the benchmark. This bug has been
fixed, and ab no longer crashes in this scenario. (BZ#1092420)

* Previously, when httpd was running in the foreground and the user pressed
Ctrl+C to interrupt the httpd processes, a race condition in signal
handling occurred. The SIGINT signal was sent to all children followed by
SIGTERM from the main process, which interrupted the SIGINT handler.
Consequently, the affected processes became unresponsive or terminated
unexpectedly. With this update, the SIGINT signals in the child processes
are ignored, and httpd no longer hangs or crashes in this scenario.
(BZ#1131006)

In addition, this update adds the following enhancements:

* With this update, the mod_proxy module of the Apache HTTP Server supports
Unix Domain Sockets (UDS). This allows mod_proxy back ends to listen on UDS
sockets instead of TCP sockets, and as a result, mod_proxy can be used to
connect to UDS back ends. (BZ#1168081)

* This update adds support for using the SetHandler directive together with
the mod_proxy module. As a result, it is possible to configure SetHandler
to use proxy for incoming requests, for example, in the following format:
SetHandler "proxy:fcgi://127.0.0.1:9000". (BZ#1136290)

* The htaccess API changes introduced in httpd 2.4.7 have been backported
to httpd shipped with Red Hat Enterprise Linux 7.1. These changes allow
the MPM-ITK module to be compiled as an httpd module. (BZ#1059143)

All httpd users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements. After installing the updated packages, the httpd daemon will
be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1059143 - Feature request: update httpd to 2.4.7 / backport htaccess API changes
1060536 - mod_rewrite doesn't expose client_addr
1073078 - mod_ssl uses small DHE parameters for non standard RSA keys
1073081 - mod_ssl selects correct DHE parameters for keys only up to 4096 bit
1080125 - httpd uses hardcoded curve for ECDHE suites
1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1114123 - RFE: set vstring dynamically
1131006 - Error in `/usr/sbin/httpd': free(): invalid pointer
1131847 - authzprovideralias and authnprovideralias-defined provider can't be used in virtualhost.
1136290 - SetHandler to proxy support
1149709 - CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
httpd-2.4.6-31.el7.src.rpm

noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm

x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
httpd-2.4.6-31.el7.src.rpm

noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm

x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
httpd-2.4.6-31.el7.src.rpm

noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm

ppc64:
httpd-2.4.6-31.el7.ppc64.rpm
httpd-debuginfo-2.4.6-31.el7.ppc64.rpm
httpd-devel-2.4.6-31.el7.ppc64.rpm
httpd-tools-2.4.6-31.el7.ppc64.rpm
mod_ssl-2.4.6-31.el7.ppc64.rpm

s390x:
httpd-2.4.6-31.el7.s390x.rpm
httpd-debuginfo-2.4.6-31.el7.s390x.rpm
httpd-devel-2.4.6-31.el7.s390x.rpm
httpd-tools-2.4.6-31.el7.s390x.rpm
mod_ssl-2.4.6-31.el7.s390x.rpm

x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
httpd-debuginfo-2.4.6-31.el7.ppc64.rpm
mod_ldap-2.4.6-31.el7.ppc64.rpm
mod_proxy_html-2.4.6-31.el7.ppc64.rpm
mod_session-2.4.6-31.el7.ppc64.rpm

s390x:
httpd-debuginfo-2.4.6-31.el7.s390x.rpm
mod_ldap-2.4.6-31.el7.s390x.rpm
mod_proxy_html-2.4.6-31.el7.s390x.rpm
mod_session-2.4.6-31.el7.s390x.rpm

x86_64:
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
httpd-2.4.6-31.el7.src.rpm

noarch:
httpd-manual-2.4.6-31.el7.noarch.rpm

x86_64:
httpd-2.4.6-31.el7.x86_64.rpm
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
httpd-devel-2.4.6-31.el7.x86_64.rpm
httpd-tools-2.4.6-31.el7.x86_64.rpm
mod_ssl-2.4.6-31.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
httpd-debuginfo-2.4.6-31.el7.x86_64.rpm
mod_ldap-2.4.6-31.el7.x86_64.rpm
mod_proxy_html-2.4.6-31.el7.x86_64.rpm
mod_session-2.4.6-31.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-5704
https://access.redhat.com/security/cve/CVE-2014-3581
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
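The CVE-2013-5704 description in section 3 above is terse: trailer fields of a chunked request were merged into the request headers after modules such as mod_headers had already applied their rules. The following script is an added example, not code from the advisory or from httpd, that decodes a chunked request, separates the trailer section per RFC 7230, and reports trailer names that would collide with a header already present or with an assumed protected-header policy (PROTECTED); the sample request is constructed.

```python
"""Flag chunked-request trailer fields that would override headers the server
has already processed, the pattern behind CVE-2013-5704 (mod_headers bypass).
Added example, not code from the advisory or from httpd; SAMPLE_REQUEST is
constructed and PROTECTED is an assumed policy list."""

# Header names assumed to have been acted on (mod_headers rules, auth checks)
# before the body is read; a trailer must never be allowed to set or replace them.
PROTECTED = {"authorization", "content-type", "cookie", "host", "x-forwarded-for"}


def parse_headers(block: bytes) -> dict:
    """Parse CRLF-separated 'Name: value' lines into a lowercase-keyed dict."""
    headers = {}
    for line in block.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def decode_chunked(body: bytes):
    """Decode a chunked body; return (payload, trailer fields), RFC 7230 section 4.1."""
    payload, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # chunk-size; drop extensions
        pos = eol + 2
        if size == 0:                                 # last-chunk: trailers follow
            break
        payload += body[pos:pos + size]
        pos += size + 2                               # chunk-data plus its CRLF
    end = body.find(b"\r\n\r\n", pos)                 # -1 when no trailer section
    return bytes(payload), (parse_headers(body[pos:end]) if end != -1 else {})


def trailer_overrides(raw_request: bytes) -> list:
    """Trailer names colliding with a protected or already-sent header; a
    non-empty result is what a WAF or log pipeline should alert on."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    headers = parse_headers(head.partition(b"\r\n")[2])  # skip the request line
    if headers.get("transfer-encoding", "").lower() != "chunked":
        return []
    _, trailers = decode_chunked(body)
    return sorted(n for n in trailers if n in PROTECTED or n in headers)


SAMPLE_REQUEST = (  # constructed: a benign X-Checksum trailer plus a Cookie trailer
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"Transfer-Encoding: chunked\r\nTrailer: X-Checksum\r\n\r\n"
    b"5\r\nhello\r\n0\r\nX-Checksum: abc123\r\nCookie: sid=set-via-trailer\r\n\r\n"
)
```

On the sample, `trailer_overrides` returns `['cookie']` and leaves the declared X-Checksum trailer alone; the patched httpd takes the stricter approach of not merging trailers into the request headers at all unless the MergeTrailers directive is enabled.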