1.81.2. RHSA-2009:1075: Moderate security update
Important: This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1075.
Updated httpd packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Apache HTTP Server is a popular and freely-available Web server.
A flaw was found in the handling of compression structures between mod_ssl and OpenSSL. If too many connections were opened in a short period of time, all system memory and swap space would be consumed by httpd, negatively impacting other processes, or causing a system crash. (CVE-2008-1678 [524])
Note: The CVE-2008-1678 issue did not affect Red Hat Enterprise Linux 5 prior to 5.3. The problem
was introduced via the RHBA-2009:0181 errata in Red Hat Enterprise Linux 5.3, which upgraded
OpenSSL to the newer 0.9.8e version.
A flaw was found in the handling of the "Options" and "AllowOverride" directives. In configurations using the "AllowOverride" directive with certain "Options=" arguments, local users were not restricted from executing commands from a Server-Side-Include script as intended. (CVE-2009-1195 [525])
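The CVE-2009-1195 issue only matters where the main configuration lets a per-directory .htaccess file change "Options". The following audit script is an added example, not part of the advisory or of the httpd project: it parses a constructed httpd.conf fragment and constructed .htaccess contents, and reports directories where AllowOverride grants any "Options=" (or bare "Options"/"All") override and the .htaccess turns on exec-capable "Includes" rather than "IncludesNoExec". The advisory does not name the exact "Options=" arguments involved, so the check is deliberately conservative; the sample paths and file contents are assumptions.

```python
import re
from fnmatch import fnmatch
from typing import Dict, List

# Constructed httpd.conf fragment (assumption, not from the advisory).
HTTPD_CONF = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/home/*/public_html">
    Options IncludesNoExec
    AllowOverride Options=IncludesNoExec FileInfo
</Directory>
"""

# Constructed .htaccess contents keyed by the directory they live in.
HTACCESS = {
    "/home/alice/public_html": "Options +Includes\n",
    "/home/bob/public_html": "Options +IncludesNoExec\n",
}

DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S | re.I)

def parse_allowoverride(conf: str) -> Dict[str, str]:
    """Map each <Directory> pattern to its AllowOverride value (default None)."""
    result = {}
    for path, body in DIR_RE.findall(conf):
        m = re.search(r'^\s*AllowOverride\s+(.+)$', body, re.M | re.I)
        result[path] = m.group(1).strip() if m else "None"
    return result

def grants_options_override(allowoverride: str) -> bool:
    """True when .htaccess is allowed to change Options at all."""
    tokens = allowoverride.lower().split()
    return any(t in ("all", "options") or t.startswith("options=") for t in tokens)

def enables_ssi_exec(htaccess: str) -> bool:
    """True if the .htaccess enables 'Includes' (permits #exec), not IncludesNoExec."""
    for line in htaccess.splitlines():
        m = re.match(r'\s*Options\s+(.+)', line, re.I)
        if m and any(o.lstrip("+").lower() == "includes" for o in m.group(1).split()):
            return True
    return False

def audit(conf: str, htaccess_files: Dict[str, str]) -> List[str]:
    """Return directories where an Options override plus exec-capable SSI coincide."""
    overrides = parse_allowoverride(conf)
    return sorted(d for d, content in htaccess_files.items()
                  if enables_ssi_exec(content)
                  and any(fnmatch(d, pat) and grants_options_override(ao)
                          for pat, ao in overrides.items()))
```

Directories the audit reports are where the pre-fix behaviour described above would have applied; after installing the updated packages, restrict the override or set IncludesNoExec where exec is not required.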
All httpd users should upgrade to these updated packages, which contain backported patches to
resolve these issues. Users must restart httpd for this update to take effect.
1.81.3. RHBA-2009:1380: bug fix update
Updated httpd packages that fix various bugs are now available.
The Apache HTTP Server is a popular and freely-available Web server.
These updated httpd packages provide fixes for the following bugs:
• Apache's mod_mime_magic module attempts to determine the MIME type of files using heuristic tests. However, the "magic" file used by the mod_mime_magic module was unable to detect PNG images correctly as being of MIME type "image/png", which this update corrects. (BZ#240844)
• when using a reverse-proxy configuration with the mod_nss module being used in place of the usual mod_ssl module, the mod_proxy module failed to pass the hostname, which resulted in this error message: "Requested domain name does not match the server's certificate". The hostname is now passed correctly so that secure HTTP (https) connections no longer fail due to this error. (BZ#479410)
• the "mod_ssl" module placed a hard-coded 128K limit on the amount of request body data which would be buffered if an SSL renegotiation was required in a Location or Directory context. This could occur if a POST request was made to a Directory or Location which required client
[524] https://www.redhat.com/security/data/cve/CVE-2008-1678.html
[525] https://www.redhat.com/security/data/cve/CVE-2009-1195.html