Sender: |
|
Date: |
Thu, 25 Mar 2010 11:12:26 -0500 |
MIME-version: |
1.0 |
Reply-To: |
|
Content-type: |
text/plain; format=flowed; charset=ISO-8859-1 |
Subject: |
|
From: |
|
Content-transfer-encoding: |
7BIT |
Comments: |
|
Parts/Attachments: |
|
|
Synopsis: Moderate: httpd security and enhancement update
Issue date: 2010-03-25
CVE Names: CVE-2010-0408 CVE-2010-0434
CVE-2010-0408 httpd: mod_proxy_ajp remote temporary DoS
CVE-2010-0434 httpd: request header information leak
It was discovered that mod_proxy_ajp incorrectly returned an "Internal
Server Error" response when processing certain malformed requests, which
caused the back-end server to be marked as failed in configurations
where mod_proxy is used in load balancer mode. A remote attacker could
cause mod_proxy to not send requests to back-end AJP (Apache JServ
Protocol) servers for the retry timeout period (60 seconds by default)
by sending specially-crafted requests. (CVE-2010-0408)
A use-after-free flaw was discovered in the way the Apache HTTP Server
handled request headers in subrequests. In configurations where
subrequests are used, a multithreaded MPM (Multi-Processing Module)
could possibly leak information from other requests in request replies.
(CVE-2010-0434)
This update also adds the following enhancement:
* with the updated openssl packages from RHSA-2010:0162 installed,
mod_ssl will refuse to renegotiate a TLS/SSL connection with an
unpatched client that does not support RFC 5746. This update adds the
"SSLInsecureRenegotiation" configuration directive. If this directive is
enabled, mod_ssl will renegotiate insecurely with unpatched clients.
(BZ#567980)
Refer to the following Red Hat Knowledgebase article for more details
about the changed mod_ssl behavior:
http://kbase.redhat.com/faq/docs/DOC-20491
After installing the updated packages, the httpd daemon must be
restarted for the update to take effect.
SL 5.x
SRPMS:
httpd-2.2.3-31.el5_4.4.src.rpm
i386:
httpd-2.2.3-31.sl5.4.i386.rpm
httpd-devel-2.2.3-31.sl5.4.i386.rpm
httpd-manual-2.2.3-31.sl5.4.i386.rpm
mod_ssl-2.2.3-31.sl5.4.i386.rpm
x86_64:
httpd-2.2.3-31.sl5.4.x86_64.rpm
httpd-devel-2.2.3-31.sl5.4.i386.rpm
httpd-devel-2.2.3-31.sl5.4.x86_64.rpm
httpd-manual-2.2.3-31.sl5.4.x86_64.rpm
mod_ssl-2.2.3-31.sl5.4.x86_64.rpm
-Connie Sieh
-Troy Dawson
|
|
|