httpd-2.2.15-45.0.1.AXS4

The Apache HTTP Server is a powerful, efficient, and extensible
web server.

Security issues fixed with this release:

CVE-2013-5704
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote
attackers to bypass "RequestHeader unset" directives by placing a
header in the trailer portion of data sent with chunked transfer
coding. NOTE: the vendor states "this is not a security issue in httpd
as such."

Fixed bugs:

* The order of mod_proxy workers was not checked when httpd configuration was
reloaded. When mod_proxy workers were removed, added, or their order was
changed, their parameters and scores could become mixed. With this update,
the order of mod_proxy workers has been made internally consistent during
configuration reload.
* The local host certificate created during firstboot contained CA extensions,
which caused the httpd service to return warning messages. With this update,
the bug hes been fixed.
* The default mod_ssl configuration no longer enables support for SSL cipher
suites using the single DES, IDEA, or SEED encryption algorithms.
* The apachectl script did not take into account the HTTPD_LANG variable set in
the /etc/sysconfig/httpd file during graceful restarts. Consequently, httpd did
not use a changed value of HTTPD_LANG when the daemon was restarted gracefully.
To fix this bug, the script has been fixed to handle the HTTPD_LANG variable correctly.
* The mod_deflate module failed to check the original file size while extracting
files larger than 4 GB, making it impossible to extract large files. With this update,
the problem has been fixed.
* The httpd service did not check configuration before restart. When a
configuration contained an error, an attempt to restart httpd gracefully failed.
With this update, the problem has been fixed.
* The SSL_CLIENT_VERIFY environment variable was incorrectly handled when the
"SSLVerifyClient optional_no_ca" and "SSLSessionCache" options were used. When
an SSL session was resumed, the SSL_CLIENT_VERIFY value was set to "SUCCESS"
instead of the previously set "GENEROUS". SSL_CLIENT_VERIFY is now correctly set
to GENEROUS in this scenario.
* The ab utility did not correctly handle situations when an SSL connection was
closed after some data had already been read. As a consequence, ab did not work
correctly with SSL servers and printed "SSL read failed" error messages. With
this update, the described bug has been fixed.
* When a client presented a revoked certificate, log entries were created only
at the debug level. The log level of messages regarding a revoked certificate
has been increased to INFO, and administrators are now properly informed of this
situation.

Enhancements:

* A mod_proxy worker can now be set into drain mode (N) using the
balancer-manager web interface or using the httpd configuration file. A worker
in drain mode accepts only existing sticky sessions destined for itself and
ignores all other requests. The worker waits until all clients currently
connected to this worker complete their work before the worker is stopped. As a
result, drain mode enables to perform maintenance on a worker without affecting
clients.