Executive Summary
Summary | |
---|---|
Title | httpd security, bug fix, and enhancement update |
Informations | |||
---|---|---|---|
Name | RHSA-2015:0325 | First vendor Publication | 2015-03-05 |
Vendor | RedHat | Last vendor Modification | 2015-03-05 |
Severity (Vendor) | Low | Revision | 02 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated httpd packages that fix two security issues, several bugs, and add various enhancements are for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. (CVE-2013-5704) A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled. (CVE-2014-3581) This update also fixes the following bugs: * Previously, the mod_proxy_fcgi Apache module always kept the back-end connections open even when they should have been closed. As a consequence, the number of open file descriptors was increasing over the time. With this update, mod_proxy_fcgi has been fixed to check the state of the back-end connections, and it closes the idle back-end connections as expected. (BZ#1168050) * An integer overflow occurred in the ab utility when a large request count was used. Consequently, ab terminated unexpectedly with a segmentation fault while printing statistics after the benchmark. This bug has been fixed, and ab no longer crashes in this scenario. (BZ#1092420) * Previously, when httpd was running in the foreground and the user pressed Ctrl+C to interrupt the httpd processes, a race condition in signal handling occurred. The SIGINT signal was sent to all children followed by SIGTERM from the main process, which interrupted the SIGINT handler. Consequently, the affected processes became unresponsive or terminated unexpectedly. With this update, the SIGINT signals in the child processes are ignored, and httpd no longer hangs or crashes in this scenario. (BZ#1131006) In addition, this update adds the following enhancements: * With this update, the mod_proxy module of the Apache HTTP Server supports the Unix Domain Sockets (UDS). This allows mod_proxy back ends to listen on UDS sockets instead of TCP sockets, and as a result, mod_proxy can be used to connect UDS back ends. (BZ#1168081) * This update adds support for using the SetHandler directive together with the mod_proxy module. As a result, it is possible to configure SetHandler to use proxy for incoming requests, for example, in the following format: SetHandler "proxy:fcgi://127.0.0.1:9000". (BZ#1136290) * The htaccess API changes introduced in httpd 2.4.7 have been backported to httpd shipped with Red Hat Enterprise Linux 7.1. These changes allow for the MPM-ITK module to be compiled as an httpd module. (BZ#1059143) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing the updated packages, the httpd daemon will be restarted automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1059143 - Feature request: update httpd to 2.4.7 / backport htaccess API changes 1060536 - mod_rewrite doesn't expose client_addr 1073078 - mod_ssl uses small DHE parameters for non standard RSA keys 1073081 - mod_ssl selects correct DHE parameters for keys only up to 4096 bit 1080125 - httpd uses hardcoded curve for ECDHE suites 1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests 1114123 - RFE: set vstring dynamically 1131006 - Error in `/usr/sbin/httpd': free(): invalid pointer 1131847 - authzprovideralias and authnprovideralias-defined provider can't be used in virtualhost . 1136290 - SetHandler to proxy support 1149709 - CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2015-0325.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-476 | NULL Pointer Dereference |
OVAL Definitions
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2015-08-20 | IAVM : 2015-A-0199 - Multiple Vulnerabilities in Apple Mac OS X Severity : Category I - VMSKEY : V0061337 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-10-07 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201610-02.nasl - Type : ACT_GATHER_INFO |
2016-05-31 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL16863.nasl - Type : ACT_GATHER_INFO |
2016-01-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2016-0061.nasl - Type : ACT_GATHER_INFO |
2015-12-17 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2660.nasl - Type : ACT_GATHER_INFO |
2015-12-17 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2659.nasl - Type : ACT_GATHER_INFO |
2015-09-22 | Name : The remote host is missing a security update for OS X Server. File : macosx_server_5_0_3.nasl - Type : ACT_GATHER_INFO |
2015-08-17 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_SecUpd2015-006.nasl - Type : ACT_GATHER_INFO |
2015-08-17 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_10_10_5.nasl - Type : ACT_GATHER_INFO |
2015-08-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20150722_httpd_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2015-07-28 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-1249.nasl - Type : ACT_GATHER_INFO |
2015-07-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-1249.nasl - Type : ACT_GATHER_INFO |
2015-06-02 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0974-1.nasl - Type : ACT_GATHER_INFO |
2015-04-22 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2015-111-03.nasl - Type : ACT_GATHER_INFO |
2015-04-13 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201504-03.nasl - Type : ACT_GATHER_INFO |
2015-04-10 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_SecUpd2015-004.nasl - Type : ACT_GATHER_INFO |
2015-04-10 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_10_10_3.nasl - Type : ACT_GATHER_INFO |
2015-04-09 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_apache2-150325.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-093.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20150305_httpd_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-71.nasl - Type : ACT_GATHER_INFO |
2015-03-18 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-0325.nasl - Type : ACT_GATHER_INFO |
2015-03-17 | Name : The remote Fedora host is missing a security update. File : fedora_2014-17195.nasl - Type : ACT_GATHER_INFO |
2015-03-13 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-0325.nasl - Type : ACT_GATHER_INFO |
2015-03-11 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2523-1.nasl - Type : ACT_GATHER_INFO |
2015-03-05 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-0325.nasl - Type : ACT_GATHER_INFO |
2015-03-02 | Name : The remote Fedora host is missing a security update. File : fedora_2014-17153.nasl - Type : ACT_GATHER_INFO |
2015-02-18 | Name : The remote application server is affected by multiple vulnerabilities. File : websphere_8_0_0_10.nasl - Type : ACT_GATHER_INFO |
2015-02-13 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-483.nasl - Type : ACT_GATHER_INFO |
2015-02-02 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_5804b9d4a95911e4936320cf30e32f6d.nasl - Type : ACT_GATHER_INFO |
2015-02-02 | Name : The remote web server is affected by multiple vulnerabilities. File : apache_2_4_12.nasl - Type : ACT_GATHER_INFO |
2015-01-27 | Name : The remote web server is affected by multiple vulnerabilities. File : oracle_http_server_cpu_jan_2015.nasl - Type : ACT_GATHER_INFO |
2015-01-07 | Name : The remote application server is affected by multiple vulnerabilities. File : websphere_8_5_5_4.nasl - Type : ACT_GATHER_INFO |
2014-12-30 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-822.nasl - Type : ACT_GATHER_INFO |
2014-10-21 | Name : The remote application server is affected by multiple vulnerabilities. File : websphere_7_0_0_35.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-414.nasl - Type : ACT_GATHER_INFO |
2014-09-12 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-174.nasl - Type : ACT_GATHER_INFO |
2014-09-04 | Name : The remote web server is affected by multiple vulnerabilities. File : apache_2_2_29.nasl - Type : ACT_GATHER_INFO |
2014-07-25 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_f927e06c110911e4b09020cf30e32f6d.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2016-12-22 09:25:42 |
|
2016-12-07 09:26:10 |
|
2016-10-12 09:25:39 |
|
2016-06-17 09:53:23 |
|
2016-04-27 05:21:24 |
|
2016-01-22 09:26:32 |
|
2015-12-05 13:27:49 |
|
2015-09-25 00:28:47 |
|
2015-09-23 21:31:19 |
|
2015-09-19 09:28:33 |
|
2015-08-19 00:29:52 |
|
2015-07-17 09:25:58 |
|
2015-04-15 09:36:08 |
|
2015-04-14 09:32:15 |
|
2015-03-21 00:34:37 |
|
2015-03-20 00:35:25 |
|
2015-03-19 13:28:27 |
|
2015-03-17 09:32:05 |
|
2015-03-06 13:26:03 |
|
2015-03-05 21:26:58 |
|
2015-03-05 21:22:39 |
|