Bug 202158 - Wishlist: back-port TraceEnable directive to RHEL4 version of Apache
Summary: Wishlist: back-port TraceEnable directive to RHEL4 version of Apache
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: httpd   
(Show other bugs)
Version: 4.3
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Joe Orton
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2006-08-11 05:05 UTC by Russell Coker
Modified: 2007-11-17 01:14 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-05-16 13:52:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Russell Coker 2006-08-11 05:05:37 UTC
The HTTP TRACE option facilities cross-site trace attacks.  Some organizations
such as Google consider this to not be an issue, but many pen tests flag it.

The solution to the TRACE problems is to use mod_redirect to prevent such
requests.  However even though the Red Hat httpd package is not vulnerable to
the mod_redirect bug there is still a push to remove that module.

It would be good if it was possible to turn off the TRACE option without using
mod_redirect and in the manner that the ASF has designed for all future versions
of Apache.

Comment 1 Joe Orton 2007-05-16 13:52:17 UTC
Thanks for the request.  This problem is resolved in the next release of Red Hat
Enterprise Linux (v5). Red Hat does not currently plan to provide a resolution
for this in a Red Hat Enterprise Linux update for currently deployed systems.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects.

Note You need to log in before you can comment on or make changes to this bug.