MiracleLinux 4 : httpd-2.2.15-45.0.1.AXS4 (AXSA:2015-347:01)

high Nessus Plugin ID 288961

Synopsis

The remote MiracleLinux host is missing a security update.

Description

The remote MiracleLinux 4 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2015-347:01 advisory.

The Apache HTTP Server is a powerful, efficient, and extensible web server.
Security issues fixed with this release:
CVE-2013-5704 The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass RequestHeader unset directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states this is not a security issue in httpd as such.
Fixed bugs:
* The order of mod_proxy workers was not checked when httpd configuration was reloaded. When mod_proxy workers were removed, added, or their order was changed, their parameters and scores could become mixed. With this update, the order of mod_proxy workers has been made internally consistent during configuration reload.
* The local host certificate created during firstboot contained CA extensions, which caused the httpd service to return warning messages. With this update, the bug has been fixed.
* The default mod_ssl configuration no longer enables support for SSL cipher suites using the single DES, IDEA, or SEED encryption algorithms.
* The apachectl script did not take into account the HTTPD_LANG variable set in the /etc/sysconfig/httpd file during graceful restarts. Consequently, httpd did not use a changed value of HTTPD_LANG when the daemon was restarted gracefully. To fix this bug, the script has been updated to handle the HTTPD_LANG variable correctly.
* The mod_deflate module failed to check the original file size while extracting files larger than 4 GB, making it impossible to extract large files. With this update, the problem has been fixed.
* The httpd service did not check configuration before restart. When a configuration contained an error, an attempt to restart httpd gracefully failed. With this update, the problem has been fixed.
* The SSL_CLIENT_VERIFY environment variable was incorrectly handled when the SSLVerifyClient optional_no_ca and SSLSessionCache options were used. When an SSL session was resumed, the SSL_CLIENT_VERIFY value was set to SUCCESS instead of the previously set GENEROUS. SSL_CLIENT_VERIFY is now correctly set to GENEROUS in this scenario.
* The ab utility did not correctly handle situations when an SSL connection was closed after some data had already been read. As a consequence, ab did not work correctly with SSL servers and printed SSL read failed error messages. With this update, the described bug has been fixed.
* When a client presented a revoked certificate, log entries were created only at the debug level. The log level of messages regarding a revoked certificate has been increased to INFO, and administrators are now properly informed of this situation.
Enhancements:
* A mod_proxy worker can now be set into drain mode (N) using the balancer-manager web interface or using the httpd configuration file. A worker in drain mode accepts only existing sticky sessions destined for itself and ignores all other requests. The worker waits until all clients currently connected to this worker complete their work before the worker is stopped. As a result, drain mode makes it possible to perform maintenance on a worker without affecting clients.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://tsn.miraclelinux.com/en/node/5693

Plugin Details

Severity: High

ID: 288961

File Name: miracle_linux_AXSA-2015-347.nasl

Version: 1.1

Type: local

Published: 1/16/2026

Updated: 1/16/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2013-5704

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:miracle:linux:httpd-tools, p-cpe:/a:miracle:linux:httpd-manual, p-cpe:/a:miracle:linux:httpd, cpe:/o:miracle:linux:4, p-cpe:/a:miracle:linux:httpd-devel, p-cpe:/a:miracle:linux:mod_ssl

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 8/12/2015

Vulnerability Publication Date: 10/19/2013

Reference Information

CVE: CVE-2013-5704