Scientific Linux Security Update : httpd on SL5.x, SL6.x i386/x86_64
Medium Nessus Plugin ID 76753
SynopsisThe remote Scientific Linux host is missing one or more security updates.
DescriptionA race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)
A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.
A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)
After installing the updated packages, the httpd daemon will be restarted automatically.
SolutionUpdate the affected packages.