Bug 572404 - httpd 2.2.15 released - bug fixes and security updates - CVE-2010-0408 and CVE-2010-0434
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: httpd
Version: 11
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Blocks: CVE-2010-0408 CVE-2010-0434
Reported: 2010-03-10 23:12 EST by David
Modified: 2010-05-31 14:25 EDT
Fixed In Version: httpd-2.2.15-1.fc12.2
Doc Type: Bug Fix
Last Closed: 2010-04-22 18:51:30 EDT
Description David 2010-03-10 23:12:57 EST
Description of problem:

The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ("httpd"). This version is principally a security and bugfix release.

Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408, CVE-2010-0425 and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers respectively.

This version of httpd is a major release and the start of a new stable branch, and represents the best available version of Apache HTTP Server. New features include Smart Filtering, Improved Caching, AJP Proxy, Proxy Load Balancing, Graceful Shutdown support, Large File Support, the Event MPM, and refactored Authentication/Authorization.
Comment 1 Tomas Hoger 2010-03-11 02:35:57 EST
0425 is Windows-only:
  http://httpd.apache.org/security/vulnerabilities_22.html#2.2.15
Comment 2 David 2010-03-15 20:07:26 EDT
Agreed, that is why I did not list 0425, but that still leaves CVE-2010-0408 and CVE-2010-0434.

I forgot to mention CVE-2010-0425 (if you're using the mod_isapi module).

Cheers
Comment 3 David 2010-03-15 20:10:17 EDT
Whoops - mentioned in the actual bug (rather than the description of the problem, which is all the CVEs, as that was cut and paste from Apache).

Bug 572404 - httpd 2.2.15 released - bug fixes and security updates - CVE-2010-0408 and CVE-2010-0434

Cheers
Comment 4 David 2010-03-21 19:35:20 EDT
Any update? Not seen any 2.2.15 builds for any OS in Koji yet.
Comment 5 David 2010-04-01 00:52:36 EDT
I have built an httpd-2.2.15-0 and am using it on 3 servers, and have not had an issue. Any updates yet?
Comment 6 Fedora Update System 2010-04-04 13:20:51 EDT
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13
Comment 7 Fedora Update System 2010-04-04 13:22:00 EDT
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12
Comment 8 Fedora Update System 2010-04-04 13:25:10 EDT
httpd-2.2.15-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11
Comment 9 Fedora Update System 2010-04-06 15:56:58 EDT
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update httpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13
Comment 10 David 2010-04-06 17:55:11 EDT
It's been pushed for F13, but in admin updates F11 still shows pending, can it be pushed for today's sync?

Thanks!
Comment 11 Fedora Update System 2010-04-06 21:33:48 EDT
httpd-2.2.15-1.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1
Comment 12 Fedora Update System 2010-04-06 21:36:16 EDT
httpd-2.2.15-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1
Comment 13 Fedora Update System 2010-04-08 21:33:19 EDT
httpd-2.2.15-1.fc12.1 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update httpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1
Comment 14 Fedora Update System 2010-04-08 21:45:54 EDT
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update httpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1
Comment 15 Fedora Update System 2010-04-22 18:50:58 EDT
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2010-05-04 02:06:15 EDT
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2010-05-31 14:24:56 EDT
httpd-2.2.15-1.fc12.2 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
