Bug 572404

Summary:	httpd 2.2.15 released - bug fixes and security updates - CVE-2010-0408 and CVE-2010-0434
Product:	[Fedora] Fedora	Reporter:	David <webmaster>
Component:	httpd	Assignee:	Joe Orton <jorton>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	11	CC:	jorton, pahan, redhat-bugzilla
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	httpd-2.2.15-1.fc12.2	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2010-04-22 22:51:30 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	569905, 570171

Description David 2010-03-11 04:12:57 UTC

Description of problem:

The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ("httpd"). This version is principally a security and bugfix release.

Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408, CVE-2010-0425 and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers respectively.

This version of httpd is a major release and the start of a new stable branch, and represents the best available version of Apache HTTP Server. New features include Smart Filtering, Improved Caching, AJP Proxy, Proxy Load Balancing, Graceful Shutdown support, Large File Support, the Event MPM, and refactored Authentication/Authorization.
Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Tomas Hoger 2010-03-11 07:35:57 UTC

0425 is Windows-only:
  http://httpd.apache.org/security/vulnerabilities_22.html#2.2.15

Comment 2 David 2010-03-16 00:07:26 UTC

Agreed that is why I did not list 0425, but still leaves CVE-2010-0408 and CVE-2010-0434

I forgot to mention CVE-2010-0425 (if your using the mod_isapi module.

Cheers

Comment 3 David 2010-03-16 00:10:17 UTC

Woops - mentioned in the actual bug (rather than the description of the problem which is all the CVS as that was cut and paste from apache).

Bug 572404 - httpd 2.2.15 released - bug fixes and security updates - CVE-2010-0408 and CVE-2010-0434

Cheers

Comment 4 David 2010-03-21 23:35:20 UTC

Any update? Not seen any 2.2.15 builds for any os in koji yet.

Comment 5 David 2010-04-01 04:52:36 UTC

I have built a httpd-2.2.15-0 and using on 3 servers, not had an issue.  any updates yet?

Comment 6 Fedora Update System 2010-04-04 17:20:51 UTC

httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

Comment 7 Fedora Update System 2010-04-04 17:22:00 UTC

httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12

Comment 8 Fedora Update System 2010-04-04 17:25:10 UTC

httpd-2.2.15-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11

Comment 9 Fedora Update System 2010-04-06 19:56:58 UTC

httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update httpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

Comment 10 David 2010-04-06 21:55:11 UTC

It's been pushed for F13, but in admin updates F11 still shows pending, can it be pushed for today's sync?

Thanks!

Comment 11 Fedora Update System 2010-04-07 01:33:48 UTC

httpd-2.2.15-1.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1

Comment 12 Fedora Update System 2010-04-07 01:36:16 UTC

httpd-2.2.15-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1

Comment 13 Fedora Update System 2010-04-09 01:33:19 UTC

httpd-2.2.15-1.fc12.1 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update httpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1

Comment 14 Fedora Update System 2010-04-09 01:45:54 UTC

httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update httpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1

Comment 15 Fedora Update System 2010-04-22 22:50:58 UTC

httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2010-05-04 06:06:15 UTC

httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2010-05-31 18:24:56 UTC

httpd-2.2.15-1.fc12.2 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.