RedHat: RHSA-2016-1420:01 Important: httpd24-httpd security update
Summary
The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.
Security Fix(es):
* It was discovered that httpd used the value of the Proxy header from HTTP
requests to initialize the HTTP_PROXY environment variable for CGI scripts,
which in turn was incorrectly used by certain HTTP client implementations
to configure the proxy for outgoing HTTP requests. A remote attacker could
possibly use this flaw to redirect HTTP requests performed by a CGI script
to an attacker-controlled proxy via a malicious HTTP request.
(CVE-2016-5387)
Note: After this update, httpd will no longer pass the value of the Proxy
request header to scripts via the HTTP_PROXY environment variable.
* A flaw was found in the way httpd performed client authentication using
X.509 client certificates. When the HTTP/2 protocol was enabled, a remote
attacker could use this flaw to access resources protected by certificate
authentication without providing a valid client certificate.
(CVE-2016-4979)
Red Hat would like to thank Scott Geary (VendHQ) for reporting
CVE-2016-5387 and Apache Software Foundation for reporting CVE-2016-4979.
Upstream acknowledges Erki Aring (Liewenthal Electronics Ltd) as the
original reporter of CVE-2016-4979.
Summary
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted
automatically.
References
https://access.redhat.com/security/cve/CVE-2016-4979 https://access.redhat.com/security/cve/CVE-2016-5387 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/httpoxy https://access.redhat.com/solutions/2435501
Package List
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
httpd24-httpd-2.4.18-11.el6.src.rpm
noarch:
httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm
x86_64:
httpd24-httpd-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm
httpd24-mod_session-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):
Source:
httpd24-httpd-2.4.18-11.el6.src.rpm
noarch:
httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm
x86_64:
httpd24-httpd-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm
httpd24-mod_session-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):
Source:
httpd24-httpd-2.4.18-11.el6.src.rpm
noarch:
httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm
x86_64:
httpd24-httpd-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm
httpd24-mod_session-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
httpd24-httpd-2.4.18-11.el6.src.rpm
noarch:
httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm
x86_64:
httpd24-httpd-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm
httpd24-mod_session-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
httpd24-httpd-2.4.18-11.el7.src.rpm
noarch:
httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm
x86_64:
httpd24-httpd-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm
httpd24-mod_session-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1):
Source:
httpd24-httpd-2.4.18-11.el7.src.rpm
noarch:
httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm
x86_64:
httpd24-httpd-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm
httpd24-mod_session-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2):
Source:
httpd24-httpd-2.4.18-11.el7.src.rpm
noarch:
httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm
x86_64:
httpd24-httpd-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm
httpd24-mod_session-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
httpd24-httpd-2.4.18-11.el7.src.rpm
noarch:
httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm
x86_64:
httpd24-httpd-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm
httpd24-mod_session-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for httpd24-httpd is now available for Red Hat SoftwareCollections.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Bugs Fixed
1352476 - CVE-2016-4979 httpd: X509 client certificate authentication bypass using HTTP/2
1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header