Rapid7 Vulnerability & Exploit Database

CESA-2015:0325: httpd security, bug fix, and enhancement update

Back to Search

CESA-2015:0325: httpd security, bug fix, and enhancement update

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
10/10/2014
Created
07/25/2018
Added
11/12/2015
Modified
03/14/2019

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient, andextensible web server.A flaw was found in the way httpd handled HTTP Trailer headers when processingrequests using chunked encoding. A malicious client could use Trailer headers toset additional HTTP headers after header processing was performed by othermodules. This could, for example, lead to a bypass of header restrictionsdefined with mod_headers. (CVE-2013-5704)A NULL pointer dereference flaw was found in the way the mod_cache httpd modulehandled Content-Type headers. A malicious HTTP server could cause the httpdchild process to crash when the Apache HTTP server was configured to proxy to aserver with caching enabled. (CVE-2014-3581)This update also fixes the following bugs:In addition, this update adds the following enhancements:All httpd users are advised to upgrade to these updated packages, which containbackported patches to correct these issues and add these enhancements. Afterinstalling the updated packages, the httpd daemon will be restartedautomatically.

Solution(s)

  • centos-upgrade-httpd
  • centos-upgrade-httpd-debuginfo
  • centos-upgrade-httpd-devel
  • centos-upgrade-httpd-manual
  • centos-upgrade-httpd-tools
  • centos-upgrade-mod_ldap
  • centos-upgrade-mod_proxy_html
  • centos-upgrade-mod_session
  • centos-upgrade-mod_ssl

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;