CESA-2015:0325: httpd security, bug fix, and enhancement update
Description
The httpd packages provide the Apache HTTP Server, a powerful, efficient, andextensible web server.A flaw was found in the way httpd handled HTTP Trailer headers when processingrequests using chunked encoding. A malicious client could use Trailer headers toset additional HTTP headers after header processing was performed by othermodules. This could, for example, lead to a bypass of header restrictionsdefined with mod_headers. (CVE-2013-5704)A NULL pointer dereference flaw was found in the way the mod_cache httpd modulehandled Content-Type headers. A malicious HTTP server could cause the httpdchild process to crash when the Apache HTTP server was configured to proxy to aserver with caching enabled. (CVE-2014-3581)This update also fixes the following bugs:In addition, this update adds the following enhancements:All httpd users are advised to upgrade to these updated packages, which containbackported patches to correct these issues and add these enhancements. Afterinstalling the updated packages, the httpd daemon will be restartedautomatically.
Solution(s)
- centos-upgrade-httpd
- centos-upgrade-httpd-debuginfo
- centos-upgrade-httpd-devel
- centos-upgrade-httpd-manual
- centos-upgrade-httpd-tools
- centos-upgrade-mod_ldap
- centos-upgrade-mod_proxy_html
- centos-upgrade-mod_session
- centos-upgrade-mod_ssl
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center