Synopsis

Moderate: httpd security update

Type/Severity

Security Advisory: Moderate

Topic

Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.



The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.



Description

The Apache HTTP Server is a popular web server.



Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558)



It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user. (CVE-2013-1862)
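The mod_rewrite issue above is an instance of log injection: request data is written verbatim, so bytes such as ESC (0x1b) reach the terminal of whoever later views the file. The following is an added example, not Red Hat's or Apache's code, showing what a defender can do on both sides of that problem: `escape_for_log` renders control bytes as visible `\xNN` escapes the way a hardened logger should, and `scan_log` audits an existing log for lines that already contain such bytes. The sample log lines are constructed for the example and resemble, but are not taken from, a real RewriteLog.

```python
"""Detect and neutralise terminal control characters in Apache-style log lines.

Added example illustrating the CVE-2013-1862 class of issue; it is not the
project's own code. The log lines below are constructed, not real.
"""
import re

# Any C0 control byte except TAB (0x09) and LF (0x0a), plus DEL (0x7f).
# ESC (0x1b) starts ANSI/VT escape sequences; BEL, BS and CR can also
# drive a terminal. The set is an assumption chosen for this example.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def find_control_chars(line: str) -> list:
    """Return (offset, repr) for each control character found in a log line."""
    return [(m.start(), repr(m.group())) for m in _CONTROL_RE.finditer(line)]


def escape_for_log(text: str) -> str:
    """Render text so that it is safe to write to a log and view on a terminal.

    Control bytes become a literal backslash-x-NN sequence, and a literal
    backslash is doubled so the escaped output stays unambiguous.
    """
    out = []
    for ch in text:
        if ch == "\\":
            out.append("\\\\")
        elif _CONTROL_RE.match(ch):
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def scan_log(lines):
    """Return (line_number, escaped_line) for every line containing control bytes.

    The escaped rendering is what you would print for a human to inspect,
    instead of the raw line.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        if find_control_chars(line):
            hits.append((n, escape_for_log(line)))
    return hits


# Constructed sample: one clean line, one whose requested URI carries an
# ESC-based sequence (clear screen, cursor home) followed by text that would
# overwrite what the viewer sees.
SAMPLE_LOG = [
    "192.0.2.10 - - [12/May/2013:10:00:01 +0000] (2) init rewrite engine "
    "with requested uri /index.html",
    "192.0.2.99 - - [12/May/2013:10:00:02 +0000] (2) init rewrite engine "
    "with requested uri /\x1b[2J\x1b[Hwiped",
]

if __name__ == "__main__":
    for n, safe in scan_log(SAMPLE_LOG):
        print(f"line {n}: {safe}")
```

Running the block prints only the second sample line, with the ESC bytes shown as `\x1b`; the same `scan_log` can be fed `open(path, errors="replace")` to audit a real log. Viewing logs through a tool that escapes non-printables (for example `less`, or `cat -v`) is the operational equivalent of `escape_for_log`.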



Cross-site scripting (XSS) flaws were found in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially-crafted Host header. (CVE-2012-3499)
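Both XSS flaws in this advisory (CVE-2012-4558 and CVE-2012-3499) come from the same pattern: a request-controlled value, a query parameter in one case and the Host header in the other, is copied into a generated HTML page without escaping. The following added example, not Red Hat's or Apache's code, shows that pattern beside its hardened form for a minimal status page renderer. `ALLOWED_HOSTS` stands in for the server's configured names and is an assumption of the example; `render_vulnerable` and `render_hardened` are hypothetical functions written for illustration.

```python
"""Reflecting request data into HTML: the unescaped pattern and a hardened one.

Added example illustrating the class of flaw behind CVE-2012-4558 and
CVE-2012-3499; it is not the project's own code.
"""
import html
from urllib.parse import parse_qs

# Assumed set of hostnames this server is configured to answer for
# (the equivalent of ServerName / ServerAlias). Constructed for the example.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def render_vulnerable(host: str, query: str) -> str:
    """The flawed pattern: values from the request land in markup verbatim."""
    params = parse_qs(query)
    worker = params.get("w", [""])[0]
    return f"<h1>Status for {host}</h1><p>worker: {worker}</p>"


def host_is_served(host: str) -> bool:
    """Accept only hostnames the server is configured for.

    Assumes a plain hostname with optional :port (IPv6 literals are not
    handled here). Rejecting unknown Host values means a crafted Host header
    never reaches the page template at all.
    """
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    return name.lower() in ALLOWED_HOSTS


def render_hardened(host: str, query: str) -> str:
    """Validate the Host header, then HTML-escape everything that is reflected."""
    if not host_is_served(host):
        raise ValueError("request for a host this server does not serve")
    params = parse_qs(query)
    worker = html.escape(params.get("w", [""])[0], quote=True)
    return f"<h1>Status for {html.escape(host)}</h1><p>worker: {worker}</p>"


if __name__ == "__main__":
    # Constructed inputs: a harmless-looking tag in the query parameter and
    # an unexpected Host value.
    print(render_vulnerable("www.example.com", "w=<b>x</b>"))
    print(render_hardened("www.example.com:8080", "w=<b>x</b>"))
    try:
        render_hardened("evil.example.net", "w=x")
    except ValueError as exc:
        print("rejected:", exc)
```

The two defences are independent: escaping stops markup from being interpreted wherever a value is reflected, while the Host allow-list removes the attacker's control over that value in the first place. Apache's own fix escapes the reflected strings in the affected modules; the allow-list mirrors what a strict virtual-host configuration provides.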



All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.



Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.



This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258



Affected Products

Red Hat Enterprise Linux Server 6 x86_64

Red Hat Enterprise Linux Server 6 i386

Red Hat Enterprise Linux Server 5 x86_64

Red Hat Enterprise Linux Server 5 ia64

Red Hat Enterprise Linux Server 5 i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.4 x86_64

Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.4 i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.9 x86_64

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.9 ia64

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.9 i386

Red Hat Enterprise Linux Server - AUS 6.4 x86_64

Red Hat Enterprise Linux Server - AUS 5.9 x86_64

Red Hat Enterprise Linux Server - AUS 5.9 ia64

Red Hat Enterprise Linux Server - AUS 5.9 i386

Red Hat Enterprise Linux Workstation 6 x86_64

Red Hat Enterprise Linux Workstation 6 i386

Red Hat Enterprise Linux Workstation 5 x86_64

Red Hat Enterprise Linux Workstation 5 i386

Red Hat Enterprise Linux Desktop 6 x86_64

Red Hat Enterprise Linux Desktop 6 i386

Red Hat Enterprise Linux Desktop 5 x86_64

Red Hat Enterprise Linux Desktop 5 i386

Red Hat Enterprise Linux for IBM z Systems 6 s390x

Red Hat Enterprise Linux for IBM z Systems 5 s390x

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.4 s390x

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.9 s390x

Red Hat Enterprise Linux for Power, big endian 6 ppc64

Red Hat Enterprise Linux for Power, big endian 5 ppc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.4 ppc64

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.9 ppc

Red Hat Enterprise Linux for Scientific Computing 6 x86_64

Red Hat Enterprise Linux Server from RHUI 6 x86_64

Red Hat Enterprise Linux Server from RHUI 6 i386

Red Hat Enterprise Linux Server from RHUI 5 x86_64

Red Hat Enterprise Linux Server from RHUI 5 i386

Red Hat Enterprise Linux Server - Extended Update Support from RHUI 6.4 x86_64

Red Hat Enterprise Linux Server - Extended Update Support from RHUI 6.4 i386

Red Hat Enterprise Linux Server - Extended Update Support from RHUI 5.9 x86_64

Red Hat Enterprise Linux Server - Extended Update Support from RHUI 5.9 i386

Red Hat Gluster Storage Server for On-premise 2.1 x86_64

Red Hat Storage for Public Cloud (via RHUI) 2.1 x86_64

Fixes

BZ - 915883 - CVE-2012-3499 httpd: multiple XSS flaws due to unescaped hostnames

BZ - 915884 - CVE-2012-4558 httpd: XSS flaw in mod_proxy_balancer manager interface

BZ - 953729 - CVE-2013-1862 httpd: mod_rewrite allows terminal escape sequences to be written to the log file

CVEs

References