httpd-2.2.3-31.4.0.1.AXS3

エラータID: AXSA:2010-165:01

Release date: 
Tuesday, March 30, 2010 - 15:28
Subject: 
httpd-2.2.3-31.4.0.1.AXS3
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
High
Description: 

The Apache HTTP Server is a powerful, efficient, and extensible web server.
Security issues fixed in this release:
CVE-2010-0408
The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.
CVE-2010-0434
The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.
Enhancements:
The previous update made mod_ssl to refuse to renegotiate with an unpatched client. The 'SSLInsecureRenegotiation' configuration directive has been added so that, if this directive is enabled, mod_ssl will renegotiate insecurely with an unpatched client.

Solution: 

Update packages.

CVEs: 
CVE-2010-0408
The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.
CVE-2010-0434
The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.
Additional Info: 

N/A

Download: 

Asianux Server 3 for x86
  1. httpd-2.2.3-31.4.0.1.AXS3.i386.rpm
    MD5: 596050c28eb7f7b7c95a5d7df8a9a748
    SHA-256: 2b73a4ae0323794956cc01704ddd64f721527e88ae148fbf9d593b5d4be59e18
    Size: 1.09 MB
  2. httpd-devel-2.2.3-31.4.0.1.AXS3.i386.rpm
    MD5: ac9dc6bd1810bb753052f125fc295b26
    SHA-256: a90d02fb47755775ee9503e6479903f6d0fa49f86091b1fc86b56dfc83e55f0e
    Size: 148.78 kB
  3. httpd-manual-2.2.3-31.4.0.1.AXS3.i386.rpm
    MD5: 966ff2ab2fe8d30fead4a164287a5661
    SHA-256: 5f4ab71cf5d74fd4e7fadae418ba18d368ee28bde33e4b1d23d4f84a2f33589a
    Size: 821.43 kB
  4. mod_ssl-2.2.3-31.4.0.1.AXS3.i386.rpm
    MD5: e9163be45d29db6d800f5846390207d2
    SHA-256: f1d96435028657d168738ec1cbefa47643d2e8fdcd14dd85a477e5a86739a96c
    Size: 89.55 kB

Asianux Server 3 for x86_64
  1. httpd-2.2.3-31.4.0.1.AXS3.x86_64.rpm
    MD5: b709955c634016df72bfff6ff6823984
    SHA-256: 72a4e1918c0f31e369efe7da2ef16091f1ddb74d0d2d1633a57ef1ff10e937b4
    Size: 1.10 MB
  2. httpd-devel-2.2.3-31.4.0.1.AXS3.x86_64.rpm
    MD5: dfb32207bbfa141659d6dfe2fadba032
    SHA-256: 49e0ecfd7be2259faa57150ca652a7f4b9984b97a3f97d12322bc75f1326d54b
    Size: 148.69 kB
  3. httpd-manual-2.2.3-31.4.0.1.AXS3.x86_64.rpm
    MD5: 7191aa781061362f7da03213c840a631
    SHA-256: 4c441177803fc0218e2f8d29168b40c2dabf48aa9691c20893a1636f97bd2e1f
    Size: 821.41 kB
  4. mod_ssl-2.2.3-31.4.0.1.AXS3.x86_64.rpm
    MD5: b59ed5deada7d7371da0af4576943a6e
    SHA-256: 732d0bea29cfbeb007e284c33ccf81b468da6f19233693fd4ee1a2c5bf6fd8a9
    Size: 90.46 kB