httpd (SL7)

Synopsis: Low: httpd security, bug fix, and enhancement update
Advisory ID: SLSA-2015:0325-2
Issue Date: 2015-03-05
CVE Numbers: CVE-2013-5704

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers. (CVE-2013-5704)
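
The following Python example is added here for illustration and is not part of the advisory or of httpd. It parses a chunked request and lists trailer fields that repeat a header-section field or were not announced in the Trailer header, which are the fields that reach the request after other modules have processed the headers. The function names and the SAMPLE request are constructed.

```python
# Added example, not httpd code: list trailer fields in a chunked request.
# Function names and SAMPLE are constructed for illustration.

def parse_fields(lines):
    """Parse 'Name: value' lines into a dict with lower-cased names."""
    fields = {}
    for line in lines:
        if not line:
            break                                  # blank line ends the section
        name, _, value = line.partition(b":")
        fields[name.strip().lower().decode()] = value.strip().decode()
    return fields

def read_trailers(body: bytes):
    """Skip over the chunks and return the fields sent after the last one."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return parse_fields(body[pos:].split(b"\r\n"))
        pos += size + 2                            # chunk data plus its CRLF

def audit_request(raw: bytes):
    """Return (field, reason) pairs for trailers worth reviewing."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_fields(head.split(b"\r\n")[1:])    # skip the request line
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        return []
    declared = {n.strip().lower() for n in headers.get("trailer", "").split(",")}
    findings = []
    for name in read_trailers(body):
        if name in headers:
            findings.append((name, "repeats a header-section field"))
        elif name not in declared:
            findings.append((name, "not announced in Trailer"))
    return findings

SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
          b"Transfer-Encoding: chunked\r\nTrailer: X-Checksum\r\n\r\n"
          b"5\r\nhello\r\n0\r\n"
          b"X-Checksum: abc123\r\nX-Example-Internal: 1\r\n\r\n")

if __name__ == "__main__":
    for field, reason in audit_request(SAMPLE):
        print(f"trailer {field!r}: {reason}")
```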

A NULL pointer dereference flaw was found in the way the mod_cache httpd
module handled Content-Type headers. A malicious HTTP server could cause
the httpd child process to crash when the Apache HTTP server was
configured to proxy to a server with caching enabled. (CVE-2014-3581)

This update also fixes the following bugs:

* Previously, the mod_proxy_fcgi Apache module always kept the back-end
connections open even when they should have been closed. As a consequence,
the number of open file descriptors increased over time. With this update,
mod_proxy_fcgi has been fixed to check the state of the back-end
connections, and it closes the idle back-end connections as expected.

* An integer overflow occurred in the ab utility when a large request
count was used. Consequently, ab terminated unexpectedly with a
segmentation fault while printing statistics after the benchmark. This bug
has been fixed, and ab no longer crashes in this scenario.

* Previously, when httpd was running in the foreground and the user
pressed Ctrl+C to interrupt the httpd processes, a race condition in
signal handling occurred. The SIGINT signal was sent to all children
followed by SIGTERM from the main process, which interrupted the SIGINT
handler. Consequently, the affected processes became unresponsive or
terminated unexpectedly. With this update, the SIGINT signals in the child
processes are ignored, and httpd no longer hangs or crashes in this

In addition, this update adds the following enhancements:

* With this update, the mod_proxy module of the Apache HTTP Server
supports the Unix Domain Sockets (UDS). This allows mod_proxy back ends to
listen on UDS sockets instead of TCP sockets, and as a result, mod_proxy
can be used to connect to UDS back ends.

* This update adds support for using the SetHandler directive together
with the mod_proxy module. As a result, it is possible to configure
SetHandler to use proxy for incoming requests, for example, in the
following format: SetHandler "proxy:fcgi://".

* The htaccess API changes introduced in httpd 2.4.7 have been backported
to httpd shipped with Scientific Linux 7.1. These changes allow for the
MPM-ITK module to be compiled as an httpd module.

After installing the updated packages, the httpd daemon will be restarted


– Scientific Linux Development Team