Red Hat: RHSA-2018:2187 Moderate: JBoss HTTP Server Security Update
red hat
July 12, 2018
Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are now available
Solution
The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing Red Hat JBoss Web Server installation (including all applications
and configuration files).
After installing the updated packages, the httpd daemon will be restarted
automatically.
Summary
This release adds the new Apache HTTP Server 2.4.29 packages that are part
of the JBoss Core Services offering.
This release serves as a replacement for Red Hat JBoss Core Services
Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer
to the Release Notes for information on the most significant bug fixes,
enhancements and component upgrades included in this release.
This release upgrades OpenSSL to version 1.0.2.n
Security Fix(es):
* openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
(CVE-2016-2182)
* openssl: Insufficient TLS session ticket HMAC length checks
(CVE-2016-6302)
* openssl: certificate message OOB reads (CVE-2016-6306)
* openssl: Carry propagating bug in Montgomery multiplication
(CVE-2016-7055)
* openssl: Truncated packet could crash via OOB read (CVE-2017-3731)
* openssl: BN_mod_exp may produce incorrect results on x86_64
(CVE-2017-3732)
* openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* openssl: Read/write after SSL object in error state (CVE-2017-3737)
* openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306
and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360
Inc.) as the original reporter of CVE-2016-6306.
References
https://access.redhat.com/security/cve/CVE-2016-2182 https://access.redhat.com/security/cve/CVE-2016-6302 https://access.redhat.com/security/cve/CVE-2016-6306 https://access.redhat.com/security/cve/CVE-2016-7055 https://access.redhat.com/security/cve/CVE-2017-3731 https://access.redhat.com/security/cve/CVE-2017-3732 https://access.redhat.com/security/cve/CVE-2017-3736 https://access.redhat.com/security/cve/CVE-2017-3737 https://access.redhat.com/security/cve/CVE-2017-3738 https://access.redhat.com/security/updates/classification#moderate https://docs.redhat.com/en/documentation/red_hat_jboss_core_services/2.4.29
Package List
PREVIOUS
NEXT
Advisory ID: RHSA-2018:2187-01
Product: Red Hat JBoss Core Services
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2187
Issue date: 2018-07-12
Topic
Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are nowavailable.Red Hat Product Security has rated this release as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Relevant Releases Architectures
Bugs Fixed
1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
1377594 - CVE-2016-6306 openssl: certificate message OOB reads
1393929 - CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication
1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read
1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64
1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64
1523504 - CVE-2017-3737 openssl: Read/write after SSL object in error state
1523510 - CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!