Scientific Linux Security Update : httpd on SL6.x i386/x86_64

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Synopsis :

The remote Scientific Linux host is missing one or more security

Description :

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could
use Trailer headers to set additional HTTP headers after header
processing was performed by other modules. This could, for example,
lead to a bypass of header restrictions defined with mod_headers.
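
The following is an added example, not code from this plugin or from httpd: a small audit routine that walks a chunked request and reports which trailer fields were announced in the Trailer header, which were not, and which collide with a header already present in the header block. The function names and the sample request are constructed for illustration.

```python
# Constructed sample request (not captured traffic).
SAMPLE = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Request-Id: 1\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Checksum\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n"
    b"X-Checksum: abc123\r\n"
    b"X-Request-Id: 2\r\n"
    b"X-Internal-Auth: yes\r\n"
    b"\r\n"
)

def parse_fields(block: bytes) -> dict:
    """Parse CRLF-separated 'Name: value' lines into a dict keyed by lowercase name."""
    fields = {}
    for line in block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            fields[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return fields

def audit_trailers(raw: bytes) -> dict:
    """Classify the trailer fields of a chunked request against its header block."""
    result = {"declared": [], "undeclared": [], "overrides": []}
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_fields(head.partition(b"\r\n")[2])  # drop the request line
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        return result  # no chunked body, so no trailer section
    declared = {n.strip().lower() for n in headers.get("trailer", "").split(",")}
    pos = 0
    while True:  # walk the chunks to find where the trailer section starts
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2  # chunk data plus its closing CRLF
    for name in parse_fields(body[pos:]):
        if name in headers:
            result["overrides"].append(name)  # collides with a header in the header block
        elif name in declared:
            result["declared"].append(name)
        else:
            result["undeclared"].append(name)
    return result
```

Fields reported under "overrides" or "undeclared" are the ones worth reviewing against any mod_headers restrictions, since they arrive after header processing.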

This update also fixes the following bugs :

- The order of mod_proxy workers was not checked when
httpd configuration was reloaded. When mod_proxy workers
were removed, added, or their order was changed, their
parameters and scores could become mixed. The order of
mod_proxy workers has been made internally consistent
during configuration reload.

- The local host certificate created during firstboot
contained CA extensions, which caused the httpd service
to return warning messages. This has been addressed by
local host certificates being generated with the
'-extensions v3_req' option.

- The default mod_ssl configuration no longer enables
support for SSL cipher suites using the single DES,
IDEA, or SEED encryption algorithms.

- The apachectl script did not take into account the
HTTPD_LANG variable set in the /etc/sysconfig/httpd file
during graceful restarts. Consequently, httpd did not
use a changed value of HTTPD_LANG when the daemon was
restarted gracefully. The script has been fixed to
handle the HTTPD_LANG variable correctly.

- The mod_deflate module failed to check the original file
size while extracting files larger than 4 GB, making it
impossible to extract large files. Now, mod_deflate
checks the original file size properly according to
RFC 1952, and it is able to decompress files larger than
4 GB.

- The httpd service did not check configuration before
restart. When a configuration contained an error, an
attempt to restart httpd gracefully failed. Now, httpd
checks configuration before restart and if the
configuration is in an inconsistent state, an error
message is printed, httpd is not stopped and a restart
is not performed.

- The SSL_CLIENT_VERIFY environment variable was
incorrectly handled when the 'SSLVerifyClient
optional_no_ca' and 'SSLSessionCache' options were used.
When an SSL session was resumed, the SSL_CLIENT_VERIFY
value was set to 'SUCCESS' instead of the previously set
'GENEROUS'. SSL_CLIENT_VERIFY is now correctly set to
GENEROUS in this scenario.

- The ab utility did not correctly handle situations when
an SSL connection was closed after some data had already
been read. As a consequence, ab did not work correctly
with SSL servers and printed 'SSL read failed' error
messages. With this update, ab works as expected with
HTTPS servers.

- When a client presented a revoked certificate, log
entries were created only at the debug level. The log
level of messages regarding a revoked certificate has
been increased to INFO, and administrators are now
properly informed of this situation.

In addition, this update adds the following enhancement :

- A mod_proxy worker can now be set into drain mode (N)
using the balancer-manager web interface or using the
httpd configuration file. A worker in drain mode accepts
only existing sticky sessions destined for itself and
ignores all other requests. The worker waits until all
clients currently connected to this worker complete
their work before the worker is stopped. As a result,
drain mode makes it possible to perform maintenance on a
worker without affecting clients.

After installing the updated packages, the httpd service will be
restarted automatically.

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 85196

CVE ID: CVE-2013-5704
