First published: Thu Oct 20 2011
The Apache HTTP Server is a popular web server.

It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368)

It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2011-3348)

Red Hat would like to thank Context Information Security for reporting the CVE-2011-3368 issue.

This update also fixes the following bug:

* The fix for CVE-2011-3192 provided by the RHSA-2011:1245 update introduced regressions in the way httpd handled certain Range HTTP header values. This update corrects those regressions. (BZ#736592)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
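Until the updated packages are installed, the configurations named above can be audited: CVE-2011-3368 hinged on ProxyPassMatch or RewriteRule [P] patterns that were not anchored with `^/` and so also matched request-URIs that do not begin with a slash. The following added example (not Red Hat's or Apache's code) scans server-context httpd configuration text for such unanchored proxy rules; the sample configuration, host names and the heuristic `^/`-anchor check are constructed for illustration.

```python
"""Flag ProxyPassMatch / RewriteRule [P] patterns that are not anchored at '/'.

Heuristic audit for server-context httpd configuration (constructed example).
Patterns starting with '^/' can only match request-URIs beginning with '/';
anything else is reported so an administrator can review it.
"""
import re
from typing import List, Tuple

# RewriteRule <pattern> <substitution> [flags]; flags may be "[P]", "[P,L]", "[proxy]"
_REWRITE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
# ProxyPassMatch <regex> <url>; the regex may be quoted
_PPMATCH = re.compile(r'^\s*ProxyPassMatch\s+(?:"([^"]+)"|(\S+))', re.I)


def pattern_is_anchored(pattern: str) -> bool:
    """True when the regex can only match a request-URI that starts with '/'."""
    return pattern.startswith('^/')


def audit_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, directive, pattern) for each unanchored proxy rule."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _PPMATCH.match(line)
        if m:
            pat = m.group(1) or m.group(2)
            if not pattern_is_anchored(pat):
                findings.append((no, 'ProxyPassMatch', pat))
            continue
        m = _REWRITE.match(line)
        if m:
            pat, flags = m.group(1), (m.group(3) or '')
            is_proxy = any(f.strip().lower() in ('p', 'proxy') for f in flags.split(','))
            if is_proxy and not pattern_is_anchored(pat):
                findings.append((no, 'RewriteRule', pat))
    return findings


SAMPLE_CONF = """\
# constructed sample: weak form followed by hardened form of each directive
ProxyPassMatch (.*)\\.(gif|jpg|png)$ http://images.internal/$1.$2
ProxyPassMatch ^/(.*)\\.(gif|jpg|png)$ http://images.internal/$1.$2
RewriteEngine On
RewriteRule (.*)\\.css$ http://static.internal/$1.css [P,L]
RewriteRule ^/(.*)\\.css$ http://static.internal/$1.css [P,L]
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
"""

if __name__ == '__main__':
    for no, directive, pat in audit_config(SAMPLE_CONF):
        print(f"line {no}: {directive} pattern {pat!r} is not anchored with ^/")
```

Rules in per-directory or .htaccess context see a prefix-stripped path and will be reported as well, so treat the output as a review list rather than a verdict.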
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/httpd | <2.2.15-9.el6_1.3 | 2.2.15-9.el6_1.3 |
redhat/httpd-debuginfo | <2.2.15-9.el6_1.3 | 2.2.15-9.el6_1.3 |
redhat/httpd-devel | <2.2.15-9.el6_1.3 | 2.2.15-9.el6_1.3 |
redhat/httpd-manual | <2.2.15-9.el6_1.3 | 2.2.15-9.el6_1.3 |
redhat/httpd-tools | <2.2.15-9.el6_1.3 | 2.2.15-9.el6_1.3 |