Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Scientific Linux 4.x Low Advisory: Httpd Update for Request Leak

Calendar Mar 25, 2010 User Avatar LinuxSecurity Advisories
1 - 2 min read
Scientific Large Esm H500
Topics%20covered

Topics Covered

security advisory information leak bug fix httpd low severity enhancement Scientific Linux
Low: httpd security, bug fix, and enhancement update 
Date: Thu, 25 Mar 2010 14:30:35 -0500
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux
 
From: Troy Dawson 
Subject: Security ERRATA Low: httpd on SL4.x i386/x86_64
Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it."
 

Synopsis:	Low: httpd security, bug fix, and enhancement update
Issue date:	2010-03-25
CVE Names:	CVE-2010-0434

CVE-2010-0434 httpd: request header information leak

A use-after-free flaw was discovered in the way the Apache HTTP Server
handled request headers in subrequests. In configurations where
subrequests are used, a multithreaded MPM (Multi-Processing Module)
could possibly leak information from other requests in request replies.
(CVE-2010-0434)

This update also fixes the following bug:

* a bug was found in the mod_dav module. If a PUT request for an
existing file failed, that file would be unexpectedly deleted and a
"Could not get next bucket brigade" error logged. With this update,
failed PUT requests no longer cause mod_dav to delete files, which
resolves this issue. (BZ#572932)

As well, this update adds the following enhancement:

* with the updated openssl packages from RHSA-2010:0163 installed,
mod_ssl will refuse to renegotiate a TLS/SSL connection with an
unpatched client that does not support RFC 5746. This update adds the
"SSLInsecureRenegotiation" configuration directive. If this directive is
enabled, mod_ssl will renegotiate insecurely with unpatched clients.
(BZ#575805)

Refer to the following Red Hat Knowledgebase article for more details
about the changed mod_ssl behavior:

After installing the updated packages, the httpd daemon must be
restarted for the update to take effect.

SL 4.x

 SRPMS:
httpd-2.0.52-41.ent.7.src.rpm
 i386:
httpd-2.0.52-41.sl4.7.i386.rpm
httpd-devel-2.0.52-41.sl4.7.i386.rpm
httpd-manual-2.0.52-41.sl4.7.i386.rpm
httpd-suexec-2.0.52-41.sl4.7.i386.rpm
mod_ssl-2.0.52-41.sl4.7.i386.rpm
 x86_64:
httpd-2.0.52-41.sl4.7.x86_64.rpm
httpd-devel-2.0.52-41.sl4.7.x86_64.rpm
httpd-manual-2.0.52-41.sl4.7.x86_64.rpm
httpd-suexec-2.0.52-41.sl4.7.x86_64.rpm
mod_ssl-2.0.52-41.sl4.7.x86_64.rpm

-Connie Sieh
-Troy Dawson
Your message here