Bug 101842
| Summary: | [RFE] RHN not distributing current and "secure" Apache 2.0.47 | | |
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Mark Blevis <mblevis> |
| Component: | httpd | Assignee: | Joe Orton <jorton> |
| Status: | CLOSED DUPLICATE | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 9 | CC: | rhn-bugs |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-02-21 18:58:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
See bug #101784

*** This bug has been marked as a duplicate of 101784 ***

Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
Description of problem:

RHN's current version of the Apache webserver is httpd-2.0.40-11.5. This version has a number of security vulnerabilities and fails a number of security tests. The current distribution of Apache web server is 2.0.47. Please make the most current, most secure versions of Apache products available through RHN. It concerns me that I'm paying for a service that does not keep pace with stable releases.

Version-Release number of selected component (if applicable):

httpd-2.0.40-11.5

How reproducible:

Every time

Steps to Reproduce:

1. rpm -qa | grep httpd
2. Nessus and Nikto scans
3. Publicly available security advisories

Actual results:

- This version allows an attacker to view the source code of CGI scripts via a POST request made to a directory with both WebDAV and CGI enabled.
- There is a denial of service vulnerability which may allow an attacker to disable basic authentication on this host
- There is a denial of service vulnerability in the mod_dav module which may allow an attacker to crash this service remotely
- This version is vulnerable to various flaws which may allow an attacker to disable this service remotely and/or locally.
- Apache/2.0.40 - Apache versions 2.0.40 through 2.0.45 are vulnerable to a DoS in basic authentication. CAN-2003-0189.
- Apache/2.0.40 - "Apache 2.0 up 2.0.46 are vulnerable to multiple remote problems. CAN-2003-0192. CAN-2003-0253. CAN-2003-0254. CERT VU
- Apache/2.0.40 - Apache versions 2.0.37 through 2.0.45 are vulnerable to a DoS in mod_dav. CAN-2003-0245.

Expected results:

Additional info:

Apache released version 2.0.47 some time ago. Prior to that, other versions were released since 2.0.40.