First published: Wed May 27 2009
The Apache HTTP Server is a popular and freely-available Web server.

A flaw was found in the handling of compression structures between mod_ssl and OpenSSL. If too many connections were opened in a short period of time, all system memory and swap space would be consumed by httpd, negatively impacting other processes, or causing a system crash. (CVE-2008-1678)

Note: The CVE-2008-1678 issue did not affect Red Hat Enterprise Linux 5 prior to 5.3. The problem was introduced via the RHBA-2009:0181 errata in Red Hat Enterprise Linux 5.3, which upgraded OpenSSL to the newer 0.9.8e version.

A flaw was found in the handling of the "Options" and "AllowOverride" directives. In configurations using the "AllowOverride" directive with certain "Options=" arguments, local users were not restricted from executing commands from a Server-Side-Include script as intended. (CVE-2009-1195)

All httpd users should upgrade to these updated packages, which contain backported patches to resolve these issues. Users must restart httpd for this update to take effect.
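To see where the CVE-2009-1195 fix matters on a host, an administrator can list every "AllowOverride" directive that carries an "Options=" restriction, together with the section it sits in. The following is an added example, not code from the advisory or from Red Hat: the configuration text is constructed, and `find_option_overrides` is a hypothetical helper that only lists directives for review and does not decide whether a host is affected.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
<Directory "/var/www/html">
    AllowOverride None
</Directory>
<Directory "/home/*/public_html">
    allowoverride FileInfo \\
        Options=IncludesNoExec,Indexes
</Directory>
<VirtualHost *:443>
    <Directory "/srv/app">
        AllowOverride Options=MultiViews AuthConfig
    </Directory>
</VirtualHost>
"""

SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")

def find_option_overrides(conf_text):
    """Return [(context, [options])] for each AllowOverride using Options=."""
    # Join backslash-continued lines, as httpd does, before parsing.
    text = re.sub(r"\\\r?\n", " ", conf_text)
    stack, findings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            del stack[-1:]  # leave the innermost section (no-op if unbalanced)
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
            continue
        words = line.split()
        if words[0].lower() != "allowoverride":  # directive names are case-insensitive
            continue
        for arg in words[1:]:
            if arg.lower().startswith("options="):
                opts = [o for o in arg[len("options="):].split(",") if o]
                findings.append((" > ".join(stack) or "(server config)", opts))
    return findings

if __name__ == "__main__":
    for context, opts in find_option_overrides(SAMPLE_CONF):
        print(f"{context}: .htaccess limited to Options {', '.join(opts)}")
```

Each section reported relies on the "Options=" restriction being enforced, so those are the places to confirm the host runs the fixed package version listed in the table.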
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/httpd | <2.2.3-22.el5_3.1 | 2.2.3-22.el5_3.1 |
redhat/httpd-devel | <2.2.3-22.el5_3.1 | 2.2.3-22.el5_3.1 |
redhat/httpd-manual | <2.2.3-22.el5_3.1 | 2.2.3-22.el5_3.1 |