[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

RHSA-2010:0168-01 -- Redhat httpd

ID: oval:org.secpod.oval:def:500320Date: (C)2012-01-31   (M)2024-02-19
Class: PATCHFamily: unix




The Apache HTTP Server is a popular web server. It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period by sending specially-crafted requests. A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM could possibly leak information from other requests in request replies. This update also adds the following enhancement: * with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the "SSLInsecureRenegotiation" configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Platform:
Red Hat Enterprise Linux 5
Product:
httpd
Reference:
RHSA-2010:0168-01
CVE-2010-0408
CVE-2010-0434
CVE    2
CVE-2010-0408
CVE-2010-0434
CPE    16
cpe:/o:redhat:enterprise_linux:5
cpe:/a:apache:http_server:2.2.13
cpe:/a:apache:http_server:2.2
cpe:/a:apache:http_server:2.2.14
...

© SecPod Technologies