Rapid7 Vulnerability & Exploit Database

CESA-2015:1249: httpd security, bug fix, and enhancement update

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published: 04/15/2014
Created: 07/25/2018
Added: 11/12/2015
Modified: 03/14/2019

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. (CVE-2013-5704)

This update also fixes the following bugs:

In addition, this update adds the following enhancement:

Users of httpd are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd service will be restarted automatically.

Solution(s)

  • centos-upgrade-httpd
  • centos-upgrade-httpd-debuginfo
  • centos-upgrade-httpd-devel
  • centos-upgrade-httpd-manual
  • centos-upgrade-httpd-tools
  • centos-upgrade-mod_ssl
