Red Hat, RHSA-2004:562
History: Nov 12, 2004 - 12:00 a.m.

(RHSA-2004:562) httpd security update

2004-11-12 00:00:00
access.redhat.com
EPSS: 0.966 (High), percentile 99.6%

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

An issue has been discovered in the mod_ssl module when configured to use
the “SSLCipherSuite” directive in directory or location context. If a
particular location context has been configured to require a specific set
of cipher suites, then a client will be able to access that location using
any cipher suite allowed by the virtual host configuration. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0885 to this issue.
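
To check whether a server uses the configuration pattern described above (SSLCipherSuite in directory or location context), the following added example, which is not part of the Red Hat advisory, scans httpd configuration text and reports each such directive. The sample configuration and the function name are constructed for illustration; the scan assumes one directive per line and does not follow Include directives.

```python
import re

# Sections that put a directive in directory or location context.
# (.htaccess files are also per-directory context; scan them separately.)
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
OPEN = re.compile(r"^<\s*([A-Za-z]+)\b\s*(.*?)\s*>$")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")
CIPHER = re.compile(r"^SSLCipherSuite\s+(.+)$", re.IGNORECASE)

# Constructed sample configuration, not taken from the advisory.
SAMPLE = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP
    <Location /secure>
        # only strong ciphers are meant to reach this path
        SSLCipherSuite HIGH:MEDIUM
    </Location>
</VirtualHost>
"""

def find_scoped_cipher_suites(text):
    """Return [(line_no, enclosing_section, cipher_spec)] for every
    SSLCipherSuite that sits inside a per-directory container."""
    stack, hits = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            # Pop only when the closing tag matches the innermost open section.
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), line))
            continue
        m = CIPHER.match(line)
        scoped = [s for s in stack if s[0] in PER_DIR]
        if m and scoped:
            hits.append((n, scoped[-1][1], m.group(1)))
    return hits

if __name__ == "__main__":
    for n, section, spec in find_scoped_cipher_suites(SAMPLE):
        print(f"line {n}: SSLCipherSuite {spec} inside {section}")
```

A non-empty result means the server relies on per-location cipher restrictions, which is the configuration affected by CAN-2004-0885; a directive set only at virtual host or server level is not reported.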

An issue has been discovered in the handling of white space in request
header lines using MIME folding. A malicious client could send a carefully
crafted request, forcing the server to consume large amounts of memory,
leading to a denial of service. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0942 to this issue.

Several minor bugs were also discovered, including:

  • In the mod_cgi module, problems that arise when CGI scripts are
    invoked from SSI pages by mod_include using the “#include virtual”
    syntax have been fixed.

  • In the mod_dav_fs module, problems with the handling of indirect locks
    on the S/390x platform have been fixed.

Users of the Apache HTTP server who are affected by these issues should
upgrade to these updated packages, which contain backported patches.