httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update

CentOS Errata and Security Advisory CESA-2015:1667

The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.

Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from an HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

It was discovered that in httpd 2.4, the internal API function
ap_some_auth_required() could incorrectly indicate that a request was
authenticated even when no authentication was used. An httpd module using
this API function could consequently allow access that should have been
denied. (CVE-2015-3185)

All httpd users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, the httpd service will be restarted automatically.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2015-August/083508.html

Affected packages:
httpd
httpd-devel
httpd-manual
httpd-tools
mod_ldap
mod_proxy_html
mod_session
mod_ssl

Upstream details at:
https://access.redhat.com/errata/RHSA-2015:1667