Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 534
Alerts This Week
Warning Icon 1 534

Red Hat RHSA-2018:3558-01 Moderate: httpd24 Security Fix Advisory

red hat
Calendar Grey November 13, 2018
Dist Redhat Esm H88
Critical security notice for httpd24 patches tackling several vulnerabilities. Important updates for users of Red Hat.
An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now available for Red Hat Software Collections

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Summary

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.
The following packages have been upgraded to a later upstream version: httpd24-httpd (2.4.34), httpd24-curl (7.61.1). (BZ#1590833, BZ#1648928)
Security Fix(es):
* httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications (CVE-2018-1283)
* httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause DoS (CVE-2018-1303)
* httpd: mod_http2: Too much time allocated to workers, possibly leading to DoS (CVE-2018-1333)
* httpd: DoS for HTTP/2 connections by continuous SETTINGS frames (CVE-2018-11763)
* httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
* httpd: bypass with a trailing newline in the file name (CVE-2017-15715)
* httpd: Out of bounds access after failure in reading the HTTP request (CVE-2018-1301)
* httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
* curl: Multiple security issues were fixed in httpd24-curl (CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254, CVE-2017-1000257, CVE-2017-7407, CVE-2017-8816, CVE-2017-8817, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122, CVE-2018-1000301, CVE-2018-14618)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank the Curl project for reporting CVE-2017-8816, CVE-2017-8817, CVE-2017-1000254, CVE-2017-1000257, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000122, CVE-2018-1000301, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2018-14618, and CVE-2018-1000121. Upstream acknowledges Alex Nichols as the original reporter of CVE-2017-8816; the OSS-Fuzz project as the original reporter of CVE-2017-8817 and CVE-2018-1000301; Max Dymond as the original reporter of CVE-2017-1000254 and CVE-2018-1000122; Brian Carpenter and the OSS-Fuzz project as the original reporters of CVE-2017-1000257; Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Even Rouault as the original reporter of CVE-2017-1000100; Brian Carpenter as the original reporter of CVE-2017-1000101; Zhaoyang Wu as the original reporter of CVE-2018-14618; and Dario Weisser as the original reporter of CVE-2018-1000121.
Bug Fix(es):
* Previously, the Apache HTTP Server from the httpd24 Software Collection was unable to handle situations when static content was repeatedly requested in a browser by refreshing the page. As a consequence, HTTP/2 connections timed out and httpd became unresponsive. This bug has been fixed, and HTTP/2 connections now work as expected in the described scenario. (BZ#1518737)
Enhancement(s):
* This update adds the mod_md module to the httpd24 Software Collection. This module enables managing domains across virtual hosts and certificate provisioning using the Automatic Certificate Management Environment (ACME) protocol. The mod_md module is available only for Red Hat Enterprise Linux 7. (BZ#1640722)
Additional Changes:
For detailed information on changes in this release, see the Red Hat Software Collections 3.2 Release Notes linked from the References section.

References

https://access.redhat.com/security/cve/CVE-2016-5419 https://access.redhat.com/security/cve/CVE-2016-5420 https://access.redhat.com/security/cve/CVE-2016-5421 https://access.redhat.com/security/cve/CVE-2016-7141 https://access.redhat.com/security/cve/CVE-2016-7167 https://access.redhat.com/security/cve/CVE-2016-8615 https://access.redhat.com/security/cve/CVE-2016-8616 https://access.redhat.com/security/cve/CVE-2016-8617 https://access.redhat.com/security/cve/CVE-2016-8618 https://access.redhat.com/security/cve/CVE-2016-8619 https://access.redhat.com/security/cve/CVE-2016-8620 https://access.redhat.com/security/cve/CVE-2016-8621 https://access.redhat.com/security/cve/CVE-2016-8622 https://access.redhat.com/security/cve/CVE-2016-8623 https://access.redhat.com/security/cve/CVE-2016-8624 https://access.redhat.com/security/cve/CVE-2016-8625 https://access.redhat.com/security/cve/CVE-2016-9586 https://access.redhat.com/security/cve/CVE-2017-7407 https://access.redhat.com/security/cve/CVE-2017-8816 https://access.redhat.com/security/cve/CVE-2017-8817 https://access.redhat.com/security/cve/CVE-2017-15710 https://access.redhat.com/security/cve/CVE-2017-15715 https://access.redhat.com/security/cve/CVE-2017-1000100 https://access.redhat.com/security/cve/CVE-2017-1000101 Read the Full Advisory

Package List

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source: httpd24-curl-7.61.1-1.el6.src.rpm httpd24-httpd-2.4.34-7.el6.src.rpm httpd24-nghttp2-1.7.1-7.el6.src.rpm
noarch: httpd24-httpd-manual-2.4.34-7.el6.noarch.rpm
x86_64: httpd24-curl-7.61.1-1.el6.x86_64.rpm httpd24-curl-debuginfo-7.61.1-1.el6.x86_64.rpm httpd24-httpd-2.4.34-7.el6.x86_64.rpm httpd24-httpd-debuginfo-2.4.34-7.el6.x86_64.rpm httpd24-httpd-devel-2.4.34-7.el6.x86_64.rpm httpd24-httpd-tools-2.4.34-7.el6.x86_64.rpm httpd24-libcurl-7.61.1-1.el6.x86_64.rpm httpd24-libcurl-devel-7.61.1-1.el6.x86_64.rpm httpd24-libnghttp2-1.7.1-7.el6.x86_64.rpm httpd24-libnghttp2-devel-1.7.1-7.el6.x86_64.rpm httpd24-mod_ldap-2.4.34-7.el6.x86_64.rpm httpd24-mod_proxy_html-2.4.34-7.el6.x86_64.rpm httpd24-mod_session-2.4.34-7.el6.x86_64.rpm httpd24-mod_ssl-2.4.34-7.el6.x86_64.rpm httpd24-nghttp2-1.7.1-7.el6.x86_64.rpm httpd24-nghttp2-debuginfo-1.7.1-7.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source: httpd24-curl-7.61.1-1.el6.src.rpm httpd24-httpd-2.4.34-7.el6.src.rpm httpd24-nghttp2-1.7.1-7.el6.src.rpm
noarch: httpd24-httpd-manual-2.4.34-7.el6.noarch.rpm
x86_64: httpd24-curl-7.61.1-1.el6.x86_64.rpm httpd24-curl-debuginfo-7.61.1-1.el6.x86_64.rpm

Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2018:3558-01
Product: Red Hat Software Collections
Issue date: 2018-11-13

Topic

An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is nowavailable for Red Hat Software Collections.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

Bugs Fixed

1362183 - CVE-2016-5419 curl: TLS session resumption client cert bypass

1362190 - CVE-2016-5420 curl: Re-using connection with wrong client cert

1362199 - CVE-2016-5421 curl: Use of connection struct after free

1373229 - CVE-2016-7141 curl: Incorrect reuse of client certificates

1375906 - CVE-2016-7167 curl: escape and unescape integer overflows

1388370 - CVE-2016-8615 curl: Cookie injection for other servers1388371 - CVE-2016-8616 curl: Case insensitive password comparison

1388377 - CVE-2016-8617 curl: Out-of-bounds write via unchecked multiplication

1388378 - CVE-2016-8618 curl: Double-free in curl_maprintf

1388379 - CVE-2016-8619 curl: Double-free in krb5 code

1388382 - CVE-2016-8620 curl: Glob parser write/read out of bounds

1388385 - CVE-2016-8621 curl: curl_getdate out-of-bounds read

1388386 - CVE-2016-8622 curl: URL unescape heap overflow via integer truncation

1388388 - CVE-2016-8623 curl: Use-after-free via shared cookies

1388390 - CVE-2016-8624 curl: Invalid URL parsing with '#'

1388392 - CVE-2016-8625 curl: IDNA 2003 makes curl use wrong host

1406712 - CVE-2016-9586 curl: printf floating point buffer overflow

1439190 - CVE-2017-7407 curl: --write-out out of bounds read

1478309 - CVE-2017-1000101 curl: URL globbing out of bounds read

1478310 - CVE-2017-1000100 curl: TFTP sends more than buffer size

1495541 - CVE-2017-1000254 curl: FTP PWD response parser out of bounds read

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.