Synopsis: Low: httpd security, bug fix, and enhancement update
Issue Date: 2013-02-21
CVE Numbers: CVE-2012-2687
             CVE-2008-0455
             CVE-2012-4557
—
An input sanitization flaw was found in the mod_negotiation Apache HTTP Server
module. A remote attacker able to upload or create files with arbitrary names
in a directory that has the MultiViews option enabled could use this flaw to
conduct cross-site scripting attacks against users visiting the site.
(CVE-2008-0455, CVE-2012-2687)

It was discovered that mod_proxy_ajp, when used in configurations with
mod_proxy in load balancer mode, would mark a back-end server as failed when
request processing timed out, even when a previous AJP (Apache JServ Protocol)
CPing request was responded to by the back-end. A remote attacker able to make
a back-end use an excessive amount of time to process a request could cause
mod_proxy to not send requests to back-end AJP servers for the retry timeout
period or until all back-end servers were marked as failed. (CVE-2012-4557)

After installing the updated packages, the httpd daemon will be restarted
automatically.
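
Both flaws above depend on configuration: a directory with MultiViews enabled, and AJP back ends behind mod_proxy in load balancer mode. The following Python code is an added example, not part of the advisory or of the httpd project; it scans configuration text for those two conditions, and the function name, the sample configuration and its addresses are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the advisory); addresses are made up.
SAMPLE_CONF = """\
<Directory "/var/www/uploads">
    Options +MultiViews -Indexes
</Directory>
<Directory "/var/www/static">
    Options All -MultiViews
</Directory>
# Options MultiViews
<Proxy balancer://appcluster>
    BalancerMember ajp://10.0.0.11:8009
    BalancerMember http://10.0.0.12:8080
</Proxy>
"""

SECTION_OPEN = re.compile(r"<(\w+)\s+([^>]*)>")
SECTION_CLOSE = re.compile(r"</\w+>")


def audit_httpd_conf(text):
    """Return (line_no, cve, context, directive) per exposure condition found."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2).strip()}")
            continue
        words = line.split()
        name, args = words[0].lower(), [w.lower() for w in words[1:]]
        context = stack[-1] if stack else "server config"
        # MultiViews is on when listed bare or with '+'; "Options All" excludes it.
        if name == "options" and {"multiviews", "+multiviews"} & set(args):
            findings.append((no, "CVE-2008-0455, CVE-2012-2687", context, line))
        # An AJP member of a balancer is the mod_proxy_ajp load balancer case.
        if name == "balancermember" and args and args[0].startswith("ajp://"):
            findings.append((no, "CVE-2012-4557", context, line))
    return findings

if __name__ == "__main__":
    print(*audit_httpd_conf(SAMPLE_CONF), sep="\n")
```

The function reads only the text it is given, so included files and .htaccess overrides have to be passed in separately. A clean result does not replace installing the updated packages.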
—
SL6
  x86_64
    httpd-2.2.15-26.el6.x86_64.rpm
    httpd-debuginfo-2.2.15-26.el6.x86_64.rpm
    httpd-tools-2.2.15-26.el6.x86_64.rpm
    httpd-debuginfo-2.2.15-26.el6.i686.rpm
    httpd-devel-2.2.15-26.el6.i686.rpm
    httpd-devel-2.2.15-26.el6.x86_64.rpm
    mod_ssl-2.2.15-26.el6.x86_64.rpm
  i386
    httpd-2.2.15-26.el6.i686.rpm
    httpd-debuginfo-2.2.15-26.el6.i686.rpm
    httpd-tools-2.2.15-26.el6.i686.rpm
    httpd-devel-2.2.15-26.el6.i686.rpm
    mod_ssl-2.2.15-26.el6.i686.rpm
  noarch
    httpd-manual-2.2.15-26.el6.noarch.rpm
– Scientific Linux Development Team