CESA-2010:0175 -- centos 4 i386 httpdID: oval:org.secpod.oval:def:201727 | Date: (C)2012-01-31 (M)2024-05-22 |
Class: PATCH | Family: unix |
The Apache HTTP Server is a popular web server. A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM could possibly leak information from other requests in request replies. This update also fixes the following bug: * a bug was found in the mod_dav module. If a PUT request for an existing file failed, that file would be unexpectedly deleted and a "Could not get next bucket brigade" error logged. With this update, failed PUT requests no longer cause mod_dav to delete files, which resolves this issue. As well, this update adds the following enhancement: * with the updated openssl packages from RHSA-2010:0163 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the "SSLInsecureRenegotiation" configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.