Oval Definition:oval:com.redhat.rhba:def:20152194
Revision Date:2015-11-19Version:638
Title:RHBA-2015:2194: httpd bug fix and enhancement update (Moderate)
Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

This update fixes the following bugs:

  • The httpd daemon did not reset an internal array for storing variables defined using the "Define" directive. Consequently, variables could be undefined after a graceful restart. httpd has been fixed to reset this internal array during a graceful restart, and variables are now correctly defined in this scenario. (BZ#1227219)

  • The SSL_CLIENT_VERIFY environment variable was incorrectly handled when the "SSLVerifyClient optional_no_ca" and "SSLSessionCache" options were used. Consequently, when an SSL session was resumed, the SSL_CLIENT_VERIFY value was set to "SUCCESS" instead of the previously set "GENEROUS". SSL_CLIENT_VERIFY is now correctly set to GENEROUS in this scenario. (BZ#1170206)

  • The mod_ssl module did not call the ERR_free_strings method during its cleanup. Consequently, during the httpd daemon's reload, mod_ssl leaked memory. Now, ERR_free_strings is called by mod_ssl during the httpd reload, and mod_ssl no longer leaks memory. (BZ#1181690)

  • The status line of an HTTP response message from a server did not include the HTTP Reason-Phrase if the original response from the mod_proxy back-end server contained only a Status Code. Consequently, the server displayed only the Status Code to an HTTP client. HTTP clients now receive both the Status Code and Reason-Phrase. (BZ#1162159)

  • The mod_authz_dbm module requires the mod_authz_owner module but this dependency was not reflected in the mod_authz_dbm code. Consequently, when the "Require dbm-file-group" directive was used and mod_authz_dbm was loaded before mod_authz_owner, the httpd daemon terminated unexpectedly with a segmentation fault. The mod_authz_dbm code now allows loading before the mod_authz_owner module, and httpd no loner crashes in this scenario. (BZ#1221575)

  • The mod_proxy_fcgi module had a hardcoded 30-second timeout for a request. Consequently, it was impossible to change the timeout. mod_proxy_fcgi has been fixed to honor the Timeout or ProxyTimeout directives, and users are now able to configure the timeout of mod_proxy_fcgi. (BZ#1222328)

  • The mod_ssl method used for enabling Next Protocol Negotiation (NPN) support returned incorrect exit status when NPN was disabled. Consequently, although NPN was disabled by the configuration, mod_ssl continued to send it. The mod_ssl method now returns the correct value in this scenario, and mod_ssl no longer sends NPN unless configured to do so. (BZ#1226015)

    The update adds these enhancements:

  • The default configuration of the mod_ssl module in the Apache HTTP Server no longer enables support for SSL cipher suites using the single IDEA or SEED encryption algorithms, which are known to be easily exploitable. (BZ#1118476)

  • The mod_proxy_wstunnel module is now enabled by default and it includes support for SSL connections in the "wss://" scheme. Additionally, it is possible to use the "ws://" scheme in the "mod_rewrite" directives. This allows for using WebSockets as a target to "mod_rewrite" and enabling WebSockets in the proxy module. (BZ#1180745)

  • Apache HTTP Server now supports Microsoft User Principal Name (UPN) in the SSLUserName directive. Users can now authenticate with their Common Access Card (CAC) or certificate with a UPN in it, and have their UPN used as authenticated user information, consumed by both the access control in Apache and using the REMOTE_USER environment variable or a similar mechanism in applications. As a result, users can now set "SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0" for authentication using UPN. (BZ#1242503)

    Users of httpd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing the updated packages, the httpd daemon will be restarted automatically.
  • Family:unixClass:patch
    Status:Reference(s):CVE-2020-11985
    RHBA-2015:2194
    Platform(s):Red Hat Enterprise Linux 7
    Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 7 is installed
  • AND
  • httpd is earlier than 0:2.4.6-40.el7
  • AND httpd is signed with Red Hat redhatrelease2 key
  • httpd-devel is earlier than 0:2.4.6-40.el7
  • AND httpd-devel is signed with Red Hat redhatrelease2 key
  • httpd-manual is earlier than 0:2.4.6-40.el7
  • AND httpd-manual is signed with Red Hat redhatrelease2 key
  • httpd-tools is earlier than 0:2.4.6-40.el7
  • AND httpd-tools is signed with Red Hat redhatrelease2 key
  • mod_ldap is earlier than 0:2.4.6-40.el7
  • AND mod_ldap is signed with Red Hat redhatrelease2 key
  • mod_proxy_html is earlier than 1:2.4.6-40.el7
  • AND mod_proxy_html is signed with Red Hat redhatrelease2 key
  • mod_session is earlier than 0:2.4.6-40.el7
  • AND mod_session is signed with Red Hat redhatrelease2 key
  • mod_ssl is earlier than 1:2.4.6-40.el7
  • AND mod_ssl is signed with Red Hat redhatrelease2 key
  • BACK