httpd-2.2.3-76.0.1.AXS3

The Apache HTTP Server is a powerful, efficient, and extensible web server.

Security issues fixed with this release:

• CVE-2008-0455
Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

• CVE-2008-0456
CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

• CVE-2012-2687
Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.

Fixed bugs:

• Previously, the validity of /etc/pki/tls/private/localhost.key was not checked before running the "%post" script for the "mod_ssl" package: If /etc/pki/tls/certs/localhost.crt did not exist and "localhost.key" was present but invalid and upgrading httpd with mod_ssl failed. This has been fixed.

• Added a patch to disable non-FIPS functionality in the "mod_ssl" module when running in FIPS mode so that httpd starts as expected under FIPS mode.

• Previously, the httpd exit codes were not LSB compliant. This has been fixed and httpd now returns "1" as an exist status code.

• Fixed the handling of long chunk-lines (32 bytes or more).

• Fixed header merging for 304 case.

• Fixed the response-line strings handling when run in a proxy set up so that response-lines without a "description" string are properly returned to the client.

• Previously, a bug in the mod_mem_cache module could result in a cached entity becoming corrupt when aborting an HTTP connection. This has been fixed.

Enhancements:

• Added support for the "LDAPReferrals" configuration directive.

• The "mod_proxy_ajp" module now supports the "ProxyErrorOverride" directive

• Now, if the /etc/sysconfig/httpd-disable-posttrans file exists, the "%posttrans" scriptlet will not automatically restarts the httpd service after a package upgrade.

• The output of "httpd -S" now includes configured alias names for each virtual host.

• "mod_ssl" using the "_DN_userID" (like "SSL_CLIENT_S_DN_userID") now expose new certificate variable names.