SCIENTIFIC-LINUX-ERRATA Archives

February 2013

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Subject:
From: Pat Riehecky <[log in to unmask]>
Date: Thu, 28 Feb 2013 16:16:58 -0600

Synopsis:          Low: httpd security, bug fix, and enhancement update
Issue Date:        2013-02-21
CVE Numbers:       CVE-2012-2687
                    CVE-2008-0455
                    CVE-2012-4557
--

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server
module. A remote attacker able to upload or create files with arbitrary names
in a directory that has the MultiViews option enabled could use this flaw to
conduct cross-site scripting attacks against users visiting the site.
(CVE-2008-0455, CVE-2012-2687)
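The exposure above depends on MultiViews actually being in force for a directory that untrusted users can write to, and Apache's Options directive has replace-versus-merge semantics that make that easy to misjudge. As an added example (not from the advisory or the httpd project), this script evaluates the Options directives of a constructed httpd.conf fragment with those rules and lists the Directory blocks where MultiViews ends up enabled; it assumes a flat Directory layout and ignores .htaccess overrides.

```python
import re
# Constructed sample httpd.conf fragment (not taken from the advisory).
SAMPLE_CONF = """\
Options FollowSymLinks
<Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
</Directory>
<Directory "/var/www/uploads">
    Options +Indexes -MultiViews
</Directory>
<Directory "/var/www/docs">
    Options All
</Directory>
<Directory "/srv/lang">
    Options +MultiViews
</Directory>
"""
# Apache's 'All' is every option except MultiViews; keywords are matched
# case-insensitively, so everything is lower-cased before comparison.
ALL_OPTIONS = {"execcgi", "followsymlinks", "includes", "includesnoexec",
               "indexes", "symlinksifownermatch"}
DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.I)
DIR_CLOSE = re.compile(r'^</Directory\s*>$', re.I)
OPTIONS = re.compile(r'^Options\s+(.+)$', re.I)

def apply_options(current, args):
    # Plain keywords replace the set in force; keywords that all carry a +/-
    # prefix merge into it; mixing the two forms is a configuration error.
    signed = [a[0] in "+-" for a in args]
    if any(signed) and not all(signed):
        raise ValueError("Options mixes +/- and plain keywords: %r" % (args,))
    opts = set(current) if all(signed) else set()
    for arg in args:
        sign, name = (arg[0], arg[1:]) if all(signed) else ("+", arg)
        names = ALL_OPTIONS if name == "all" else set() if name == "none" else {name}
        opts = opts | names if sign == "+" else opts - names
    return opts

def multiviews_directories(conf_text):
    # Paths where MultiViews ends up in force. Simplified: each block starts from
    # the server-scope Options; nested Directory merging and .htaccess are ignored.
    opts, path = {None: set()}, None  # key None holds the server-scope set
    for line in (l.strip() for l in conf_text.splitlines()):
        if m := DIR_OPEN.match(line):
            path, opts[path] = m.group(1), set(opts[None])
        elif DIR_CLOSE.match(line):
            path = None
        elif m := OPTIONS.match(line):
            opts[path] = apply_options(opts[path], m.group(1).lower().split())
    return [p for p in opts if p is not None and "multiviews" in opts[p]]
```

On the sample, only /var/www/html and /srv/lang come back: the uploads tree removed MultiViews explicitly, and Options All never includes it.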

It was discovered that mod_proxy_ajp, when used in configurations with
mod_proxy in load balancer mode, would mark a back-end server as failed when
request processing timed out, even when a previous AJP (Apache JServ Protocol)
CPing request was responded to by the back-end. A remote attacker able to make
a back-end use an excessive amount of time to process a request could cause
mod_proxy to not send requests to back-end AJP servers for the retry timeout
period or until all back-end servers were marked as failed. (CVE-2012-4557)

After installing the updated packages, the httpd daemon will be restarted
automatically.
--

SL6
   x86_64
     httpd-2.2.15-26.el6.x86_64.rpm
     httpd-debuginfo-2.2.15-26.el6.x86_64.rpm
     httpd-tools-2.2.15-26.el6.x86_64.rpm
     httpd-debuginfo-2.2.15-26.el6.i686.rpm
     httpd-devel-2.2.15-26.el6.i686.rpm
     httpd-devel-2.2.15-26.el6.x86_64.rpm
     mod_ssl-2.2.15-26.el6.x86_64.rpm
   i386
     httpd-2.2.15-26.el6.i686.rpm
     httpd-debuginfo-2.2.15-26.el6.i686.rpm
     httpd-tools-2.2.15-26.el6.i686.rpm
     httpd-devel-2.2.15-26.el6.i686.rpm
     mod_ssl-2.2.15-26.el6.i686.rpm
   noarch
     httpd-manual-2.2.15-26.el6.noarch.rpm

- Scientific Linux Development Team
