Low: httpd security, bug fix, and enhancement update
Date: Thu, 28 Feb 2013 16:16:58 -0600
Reply-To: Pat Riehecky
Sender: Security Errata for Scientific Linux
From: Pat Riehecky
Organization: Fermilab
Subject: Security ERRATA Low: httpd on SL6.x i386/x86_64
MIME-Version: 1.0
Synopsis: Low: httpd security, bug fix, and enhancement update
Issue Date: 2013-02-21
CVE Numbers: CVE-2012-2687
CVE-2008-0455
CVE-2012-4557
--
An input sanitization flaw was found in the mod_negotiation Apache HTTP
Server module. A remote attacker able to upload or create files with arbitrary
names in a directory that has the MultiViews options enabled, could use this
flaw to conduct cross-site scripting attacks against users visiting the site.
(CVE-2008-0455, CVE-2012-2687)
It was discovered that mod_proxy_ajp, when used in configurations with
mod_proxy in load balancer mode, would mark a back-end server as failed when
request processing timed out, even when a previous AJP (Apache JServ
Protocol) CPing request was responded to by the back-end. A remote attacker able
to make a back-end use an excessive amount of time to process a request could cause
mod_proxy to not send requests to back-end AJP servers for the retry timeout
period or until all back-end servers were marked as failed. (CVE-2012-4557)
After installing the updated packages, the httpd daemon will be restarted
automatically.
--
SL6
x86_64
httpd-2.2.15-26.el6.x86_64.rpm
httpd-debuginfo-2.2.15-26.el6.x86_64.rpm
httpd-tools-2.2.15-26.el6.x86_64.rpm
httpd-debuginfo-2.2.15-26.el6.i686.rpm
httpd-devel-2.2.15-26.el6.i686.rpm
httpd-devel-2.2.15-26.el6.x86_64.rpm
mod_ssl-2.2.15-26.el6.x86_64.rpm
i386
httpd-2.2.15-26.el6.i686.rpm
httpd-debuginfo-2.2.15-26.el6.i686.rpm
httpd-tools-2.2.15-26.el6.i686.rpm
httpd-devel-2.2.15-26.el6.i686.rpm
mod_ssl-2.2.15-26.el6.i686.rpm
noarch
httpd-manual-2.2.15-26.el6.noarch.rpm
- Scientific Linux Development Team