Bug 101842

Description of problem:
RHN's current version of the Apache webserver is httpd-2.0.40-11.5.  This 
version has a number of security vulnerabilities and fails a number of 
security tests.  The current distribution of Apache web server is 2.0.47.  
Please make the most current, most secure versions of Apache products 
available through RHN.  It concerns me that I'm paying for a service that does 
not keep pace with stable releases.


Version-Release number of selected component (if applicable):
httpd-2.0.40-11.5


How reproducible:
Every time


Steps to Reproduce:
1. rpm -qa |grep httpd
2. Nessus and Nikto scans
3. Publicly available security advisories

    
Actual results:
-This version allows an attacker to view the source code of CGI scripts via a 
POST request made to a directory with both WebDAV and CGI enabled.
-There is a denial of service vulnerability which may allow an attacker to 
disable basic authentication on this host
-There is a denial of service vulnerability in the mod_dav module which may 
allow an attacker to crash this service remotely
-This version is vulnerable to various flaws which may allow
an attacker to disable this service remotely and/or locally.
-Apache/2.0.40 - Apache versions 2.0.40 through 2.0.45 are vulnerable to a DoS 
in basic authentication. CAN-2003-0189.
-Apache/2.0.40 - "Apache 2.0 up 2.0.46 are vulnerable to multiple remote 
problems. CAN-2003-0192. CAN-2003-0253. CAN-2003-0254. CERT VU
-Apache/2.0.40 - Apache versions 2.0.37 through 2.0.45 are vulnerable to a DoS 
in mod_dav. CAN-2003-0245.


Expected results:


Additional info:
Apache released version 2.0.47 some time ago.  Prior to that, other versions 
were released since 2.0.40.