Synopsis:    Low: httpd security, bug fix, and enhancement update
Issue Date:  2013-02-21
CVE Numbers: CVE-2012-2687
             CVE-2008-0455
             CVE-2012-4557
--

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews option enabled could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2012-4557)

After installing the updated packages, the httpd daemon will be restarted automatically.
--

SL6
  x86_64
    httpd-2.2.15-26.el6.x86_64.rpm
    httpd-debuginfo-2.2.15-26.el6.x86_64.rpm
    httpd-tools-2.2.15-26.el6.x86_64.rpm
    httpd-debuginfo-2.2.15-26.el6.i686.rpm
    httpd-devel-2.2.15-26.el6.i686.rpm
    httpd-devel-2.2.15-26.el6.x86_64.rpm
    mod_ssl-2.2.15-26.el6.x86_64.rpm
  i386
    httpd-2.2.15-26.el6.i686.rpm
    httpd-debuginfo-2.2.15-26.el6.i686.rpm
    httpd-tools-2.2.15-26.el6.i686.rpm
    httpd-devel-2.2.15-26.el6.i686.rpm
    mod_ssl-2.2.15-26.el6.i686.rpm
  noarch
    httpd-manual-2.2.15-26.el6.noarch.rpm

- Scientific Linux Development Team
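
The mod_negotiation issue only matters for directories where MultiViews is enabled, so the following added example (not part of the advisory or of httpd) lists the Options lines in a configuration that turn it on. The function name and the sample configuration are constructed for illustration; Include files and .htaccess overrides are not followed.

```python
import re

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
<Directory "/var/www/uploads">
    Options +MultiViews
</Directory>
<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
</Directory>
<Directory "/var/www/static">
    Options All -MultiViews
</Directory>
<Directory "/var/www/docs">
    options all
</Directory>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*(\w+)\s*>")

def multiviews_enabled(conf_text):
    """Return (line_no, context, directive) for each Options line that turns MultiViews on."""
    stack, hits = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
            continue
        words = line.split()
        if words[0].lower() != "options":
            continue
        # "All" excludes MultiViews in httpd 2.2, so only an explicit token counts.
        tokens = [w.lower() for w in words[1:]]
        if "multiviews" in tokens or "+multiviews" in tokens:
            hits.append((no, stack[-1] if stack else "server config", line))
    return hits

if __name__ == "__main__":
    for no, ctx, directive in multiviews_enabled(SAMPLE_CONF):
        print(f"line {no}: [{ctx}] {directive}")
```

Directories it reports that are also writable by untrusted users are the ones to review first while the update is being rolled out.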