SCIENTIFIC-LINUX-ERRATA Archives

August 2010

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Troy Dawson
Date: Mon, 30 Aug 2010 15:19:54 -0500

Synopsis:	Moderate: httpd security and bug fix update
Issue date:	2010-08-30
CVE Names:	CVE-2010-1452 CVE-2010-2791

A flaw was discovered in the way the mod_proxy module of the Apache HTTP
Server handled the timeouts of requests forwarded by a reverse proxy to 
the back-end server. If the proxy was configured to reuse existing 
back-end connections, it could return a response intended for another 
user under certain timeout conditions, possibly leading to information 
disclosure. (CVE-2010-2791)

A flaw was found in the way the mod_dav module of the Apache HTTP Server
handled certain requests. If a remote attacker were to send a carefully
crafted request to the server, it could cause the httpd child process to
crash. (CVE-2010-1452)

This update also fixes the following bugs:

* numerous issues in the INFLATE filter provided by mod_deflate. 
"Inflate error -5 on flush" errors may have been logged. This update 
upgrades mod_deflate to the newer upstream version from Apache HTTP 
Server 2.2.15. (BZ#625435)

* the response would be corrupted if mod_filter applied the DEFLATE 
filter to a resource requiring a subrequest with an internal redirect. 
(BZ#625451)

* the OID() function used in the mod_ssl "SSLRequire" directive did not
correctly evaluate extensions of an unknown type. (BZ#625452)

After installing the updated packages, the httpd daemon must be restarted 
for the update to take effect.

SL 5.x

     SRPMS:
httpd-2.2.3-43.el5_5.3.src.rpm
     i386:
httpd-2.2.3-43.sl5.3.i386.rpm
httpd-devel-2.2.3-43.sl5.3.i386.rpm
httpd-manual-2.2.3-43.sl5.3.i386.rpm
mod_ssl-2.2.3-43.sl5.3.i386.rpm
     x86_64:
httpd-2.2.3-43.sl5.3.x86_64.rpm
httpd-devel-2.2.3-43.sl5.3.i386.rpm
httpd-devel-2.2.3-43.sl5.3.x86_64.rpm
httpd-manual-2.2.3-43.sl5.3.x86_64.rpm
mod_ssl-2.2.3-43.sl5.3.x86_64.rpm

-Connie Sieh
-Troy Dawson
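
An added example, not part of the original advisory: one way to flag hosts still below the fixed SL 5.x builds listed above, by comparing `rpm -qa` style lines with a simplified version of rpm's segment ordering. The comparison ignores epochs and `~`/`^` markers, and the sample inventory lines are constructed for illustration.

```python
import re

# Fixed builds, taken from the SL 5.x package list in this advisory.
FIXED = {name: ("2.2.3", "43.sl5.3")
         for name in ("httpd", "httpd-devel", "httpd-manual", "mod_ssl")}

def rpmvercmp(a, b):
    """Order two version or release strings roughly as rpm does
    (simplified: no epoch, '~' or '^' handling). Returns -1, 0 or 1."""
    ta = re.findall(r"[0-9]+|[A-Za-z]+", a)
    tb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with leftover segments is newer.
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def parse_nvra(line):
    """Split 'name-version-release.arch' as printed by `rpm -qa`."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def outdated(rpm_qa_lines):
    """Return the package lines that are older than the advisory's fixed build."""
    stale = []
    for line in rpm_qa_lines:
        if not line.strip():
            continue
        name, version, release, _arch = parse_nvra(line)
        if name not in FIXED:
            continue
        fixed_version, fixed_release = FIXED[name]
        order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        if order < 0:
            stale.append(line.strip())
    return stale

# Constructed sample inventory (not real host data).
SAMPLE = """httpd-2.2.3-43.sl5.3.x86_64
mod_ssl-2.2.3-43.sl5.x86_64
httpd-devel-2.2.3-31.sl5.4.i386
openssl-0.9.8e-12.el5.x86_64
"""

if __name__ == "__main__":
    for pkg in outdated(SAMPLE.splitlines()):
        print("needs update:", pkg)
```

A host that reports the fixed build is still running the old code until httpd has been restarted, so pair this check with a restart.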
