Bug 572404 - httpd 2.2.15 released - bug fixes and security updates - CVE-2010-0408 and CVE-2010-0434
Summary: httpd 2.2.15 released - bug fixes and security updates - CVE-2010-0408 and CV...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: 11
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2010-0408 CVE-2010-0434
TreeView+ depends on / blocked
 
Reported: 2010-03-11 04:12 UTC by David
Modified: 2010-05-31 18:25 UTC (History)
3 users (show)

Fixed In Version: httpd-2.2.15-1.fc12.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-22 22:51:30 UTC


Attachments (Terms of Use)

Description David 2010-03-11 04:12:57 UTC
Description of problem:

The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ("httpd"). This version is principally a security and bugfix release.

Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408, CVE-2010-0425 and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers respectively.

This version of httpd is a major release and the start of a new stable branch, and represents the best available version of Apache HTTP Server. New features include Smart Filtering, Improved Caching, AJP Proxy, Proxy Load Balancing, Graceful Shutdown support, Large File Support, the Event MPM, and refactored Authentication/Authorization.
Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Tomas Hoger 2010-03-11 07:35:57 UTC
0425 is Windows-only:
  http://httpd.apache.org/security/vulnerabilities_22.html#2.2.15

Comment 2 David 2010-03-16 00:07:26 UTC
Agreed that is why I did not list 0425, but still leaves CVE-2010-0408 and CVE-2010-0434

I forgot to mention CVE-2010-0425 (if your using the mod_isapi module.

Cheers

Comment 3 David 2010-03-16 00:10:17 UTC
Woops - mentioned in the actual bug (rather than the description of the problem which is all the CVS as that was cut and paste from apache).

Bug 572404 - httpd 2.2.15 released - bug fixes and security updates - CVE-2010-0408 and CVE-2010-0434

Cheers

Comment 4 David 2010-03-21 23:35:20 UTC
Any update? Not seen any 2.2.15 builds for any os in koji yet.

Comment 5 David 2010-04-01 04:52:36 UTC
I have built a httpd-2.2.15-0 and using on 3 servers, not had an issue.  any updates yet?

Comment 6 Fedora Update System 2010-04-04 17:20:51 UTC
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

Comment 7 Fedora Update System 2010-04-04 17:22:00 UTC
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12

Comment 8 Fedora Update System 2010-04-04 17:25:10 UTC
httpd-2.2.15-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11

Comment 9 Fedora Update System 2010-04-06 19:56:58 UTC
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update httpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

Comment 10 David 2010-04-06 21:55:11 UTC
It's been pushed for F13, but in admin updates F11 still shows pending, can it be pushed for today's sync?

Thanks!

Comment 11 Fedora Update System 2010-04-07 01:33:48 UTC
httpd-2.2.15-1.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1

Comment 12 Fedora Update System 2010-04-07 01:36:16 UTC
httpd-2.2.15-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1

Comment 13 Fedora Update System 2010-04-09 01:33:19 UTC
httpd-2.2.15-1.fc12.1 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update httpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1

Comment 14 Fedora Update System 2010-04-09 01:45:54 UTC
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update httpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1

Comment 15 Fedora Update System 2010-04-22 22:50:58 UTC
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2010-05-04 06:06:15 UTC
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2010-05-31 18:24:56 UTC
httpd-2.2.15-1.fc12.2 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.