Red Hat Bugzilla – Bug 202158
Wishlist: back-port TraceEnable directive to RHEL4 version of Apache
Last modified: 2007-11-16 20:14:53 EST

The HTTP TRACE option facilitates cross-site trace attacks. Some organizations
such as Google consider this to not be an issue, but many pen tests flag it.
The solution to the TRACE problems is to use mod_redirect to prevent such
requests. However, even though the Red Hat httpd package is not vulnerable to
the mod_redirect bug, there is still a push to remove that module.
It would be good if it was possible to turn off the TRACE option without using
mod_redirect and in the manner that the ASF has designed for all future versions
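
One way to confirm whether a server still answers TRACE, before and after a mitigation is applied, shown as an added example that is not part of this bug report or of Red Hat's or the ASF's code. The probe header, its value and the two local handlers are constructed stand-ins; the 405 reply mirrors what Apache documents for `TraceEnable off`.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HEADER = "X-Trace-Probe"   # constructed header name, used only by this check
PROBE_VALUE = "probe-value-1"    # constructed value

def trace_status(host, port, timeout=5.0):
    """Send one TRACE request; return (status, echoed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={PROBE_HEADER: PROBE_VALUE})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        # An enabled TRACE reflects the request, headers included, in the body.
        return resp.status, PROBE_VALUE in body
    finally:
        conn.close()

def trace_enabled(host, port):
    status, echoed = trace_status(host, port)
    return status == 200 and echoed

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):   # keep the demo servers silent
        pass

class EchoTrace(Quiet):
    """Constructed stand-in for a server with TRACE left on."""
    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

class RefuseTrace(Quiet):
    """Constructed stand-in for a server that rejects TRACE with 405."""
    def do_TRACE(self):
        self.send_error(405)

def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for h in (EchoTrace, RefuseTrace):
        print(h.__name__, trace_enabled("127.0.0.1", serve(h).server_address[1]))
```

Point `trace_enabled` at a host you administer to check the result of a configuration change; the status code alone is not enough, since the finding depends on the request being echoed back.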

Thanks for the request. This problem is resolved in the next release of Red Hat
Enterprise Linux (v5). Red Hat does not currently plan to provide a resolution
for this in a Red Hat Enterprise Linux update for currently deployed systems.
With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects.