Bug 202158

Summary: Wishlist: back-port TraceEnable directive to RHEL4 version of Apache
Product: Red Hat Enterprise Linux 4
Reporter: Russell Coker <russell.coker>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: 4.3
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-05-16 13:52:17 UTC

Description Russell Coker 2006-08-11 05:05:37 UTC
The HTTP TRACE option facilitates cross-site trace attacks.  Some organizations
such as Google consider this to not be an issue, but many pen tests flag it.

The solution to the TRACE problems is to use mod_redirect to prevent such
requests.  However even though the Red Hat httpd package is not vulnerable to
the mod_redirect bug there is still a push to remove that module.

It would be good if it was possible to turn off the TRACE option without using
mod_redirect and in the manner that the ASF has designed for all future versions
of Apache.

Comment 1 Joe Orton 2007-05-16 13:52:17 UTC
Thanks for the request.  This problem is resolved in the next release of Red Hat
Enterprise Linux (v5). Red Hat does not currently plan to provide a resolution
for this in a Red Hat Enterprise Linux update for currently deployed systems.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects.