RHSA-2009:1580: httpd security update
Description
The Apache HTTP Server is a popular Web server.A flaw was found in the way the TLS/SSL (Transport Layer Security/SecureSockets Layer) protocols handle session renegotiation. A man-in-the-middleattacker could use this flaw to prefix arbitrary plain text to a client'ssession (for example, an HTTPS connection to a website). This could forcethe server to process an attacker's request as if authenticated using thevictim's credentials. This update partially mitigates this flaw for SSLsessions to HTTP servers using mod_ssl by rejecting client-requestedrenegotiation. (CVE-2009-3555)Note: This update does not fully resolve the issue for HTTPS servers. Anattack is still possible in configurations that require a server-initiatedrenegotiation. Refer to the following Knowledgebase article for furtherinformation: http://kbase.redhat.com/faq/docs/DOC-20491A denial of service flaw was found in the Apache mod_deflate module. Thismodule continued to compress large files until compression was complete,even if the network connection that requested the content was closed beforecompression completed. This would cause mod_deflate to consume largeamounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)A NULL pointer dereference flaw was found in the Apache mod_proxy_ftpmodule. A malicious FTP server to which requests are being proxied coulduse this flaw to crash an httpd child process via a malformed reply to theEPSV or PASV commands, resulting in a limited denial of service.(CVE-2009-3094)A second flaw was found in the Apache mod_proxy_ftp module. In a reverseproxy configuration, a remote attacker could use this flaw to bypassintended access restrictions by creating a carefully-crafted HTTPAuthorization header, allowing the attacker to send arbitrary commands tothe FTP server. (CVE-2009-3095)All httpd users should upgrade to these updated packages, which containbackported patches to correct these issues. After installing the updatedpackages, the httpd daemon must be restarted for the update to take effect.
Solution(s)
- redhat-upgrade-httpd
- redhat-upgrade-httpd-devel
- redhat-upgrade-httpd-manual
- redhat-upgrade-httpd-suexec
- redhat-upgrade-mod_ssl
References
- redhat-upgrade-httpd
- redhat-upgrade-httpd-devel
- redhat-upgrade-httpd-manual
- redhat-upgrade-httpd-suexec
- redhat-upgrade-mod_ssl
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center