Alerts This Week
Warning Icon 1 626
Alerts This Week
Warning Icon 1 626

Red Hat: 2019:0746-01 Important: Httpd24-Httpd Authentication Bypass

Calendar Apr 11, 2019 User Avatar LinuxSecurity Advisories
9 - 17 min read
Redhat Large Esm H500
Topics%20covered

Topics Covered

security advisory Red Hat update httpd important authentication bypass
An update for httpd24-httpd and httpd24-mod_auth_mellon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: httpd24-httpd and httpd24-mod_auth_mellon security update
Advisory ID:       RHSA-2019:0746-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0746
Issue date:        2019-04-11
CVE Names:         CVE-2019-0211 CVE-2019-3878 
====================================================================
1. Summary:

An update for httpd24-httpd and httpd24-mod_auth_mellon is now available
for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

The Apache HTTP Server is a powerful, efficient, and extensible web server.
The httpd24 packages provide a recent stable release of version 2.4 of the
Apache HTTP Server, along with the mod_auth_kerb module.

Security Fix(es):

* httpd: privilege escalation from modules scripts (CVE-2019-0211)

* mod_auth_mellon: authentication bypass in ECP flow (CVE-2019-3878)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1691126 - CVE-2019-3878 mod_auth_mellon: authentication bypass in ECP flow
1694980 - CVE-2019-0211 httpd: privilege escalation from modules scripts

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
httpd24-httpd-2.4.34-7.el6.1.src.rpm

noarch:
httpd24-httpd-manual-2.4.34-7.el6.1.noarch.rpm

x86_64:
httpd24-httpd-2.4.34-7.el6.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el6.1.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el6.1.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el6.1.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el6.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el6.1.x86_64.rpm
httpd24-mod_session-2.4.34-7.el6.1.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el6.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
httpd24-httpd-2.4.34-7.el6.1.src.rpm

noarch:
httpd24-httpd-manual-2.4.34-7.el6.1.noarch.rpm

x86_64:
httpd24-httpd-2.4.34-7.el6.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el6.1.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el6.1.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el6.1.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el6.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el6.1.x86_64.rpm
httpd24-mod_session-2.4.34-7.el6.1.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el6.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
httpd24-httpd-2.4.34-7.el7.1.src.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.src.rpm

aarch64:
httpd24-httpd-2.4.34-7.el7.1.aarch64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.aarch64.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.aarch64.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.aarch64.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.aarch64.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.aarch64.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.aarch64.rpm
httpd24-mod_md-2.4.34-7.el7.1.aarch64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.aarch64.rpm
httpd24-mod_session-2.4.34-7.el7.1.aarch64.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.aarch64.rpm

noarch:
httpd24-httpd-manual-2.4.34-7.el7.1.noarch.rpm

ppc64le:
httpd24-httpd-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.ppc64le.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.ppc64le.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_md-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_session-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.ppc64le.rpm

s390x:
httpd24-httpd-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.s390x.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.s390x.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_md-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_session-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.s390x.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
httpd24-httpd-2.4.34-7.el7.1.src.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.src.rpm

aarch64:
httpd24-httpd-2.4.34-7.el7.1.aarch64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.aarch64.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.aarch64.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.aarch64.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.aarch64.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.aarch64.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.aarch64.rpm
httpd24-mod_md-2.4.34-7.el7.1.aarch64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.aarch64.rpm
httpd24-mod_session-2.4.34-7.el7.1.aarch64.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.aarch64.rpm

noarch:
httpd24-httpd-manual-2.4.34-7.el7.1.noarch.rpm

ppc64le:
httpd24-httpd-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.ppc64le.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.ppc64le.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_md-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_session-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.ppc64le.rpm

s390x:
httpd24-httpd-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.s390x.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.s390x.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_md-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_session-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.s390x.rpm

x86_64:
httpd24-httpd-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.x86_64.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_md-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_session-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):

Source:
httpd24-httpd-2.4.34-7.el7.1.src.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.src.rpm

noarch:
httpd24-httpd-manual-2.4.34-7.el7.1.noarch.rpm

ppc64le:
httpd24-httpd-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.ppc64le.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.ppc64le.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_md-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_session-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.ppc64le.rpm

s390x:
httpd24-httpd-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.s390x.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.s390x.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_md-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_session-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.s390x.rpm

x86_64:
httpd24-httpd-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.x86_64.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_md-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_session-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):

Source:
httpd24-httpd-2.4.34-7.el7.1.src.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.src.rpm

noarch:
httpd24-httpd-manual-2.4.34-7.el7.1.noarch.rpm

ppc64le:
httpd24-httpd-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.ppc64le.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.ppc64le.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_md-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_session-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.ppc64le.rpm

s390x:
httpd24-httpd-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.s390x.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.s390x.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_md-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_session-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.s390x.rpm

x86_64:
httpd24-httpd-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.x86_64.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_md-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_session-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
httpd24-httpd-2.4.34-7.el7.1.src.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.src.rpm

noarch:
httpd24-httpd-manual-2.4.34-7.el7.1.noarch.rpm

ppc64le:
httpd24-httpd-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.ppc64le.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.ppc64le.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.ppc64le.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_md-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_session-2.4.34-7.el7.1.ppc64le.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.ppc64le.rpm

s390x:
httpd24-httpd-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.s390x.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.s390x.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.s390x.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_md-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_session-2.4.34-7.el7.1.s390x.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.s390x.rpm

x86_64:
httpd24-httpd-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.x86_64.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_md-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_session-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
httpd24-httpd-2.4.34-7.el7.1.src.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.src.rpm

noarch:
httpd24-httpd-manual-2.4.34-7.el7.1.noarch.rpm

x86_64:
httpd24-httpd-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_auth_mellon-0.13.1-2.el7.1.x86_64.rpm
httpd24-mod_auth_mellon-debuginfo-0.13.1-2.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_md-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_session-2.4.34-7.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2019-0211
https://access.redhat.com/security/cve/CVE-2019-3878
https://access.redhat.com/security/updates/classification#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXK8sC9zjgjWX9erEAQi7lw//Xx6LqmrUSO5A3ZoWhQZQTfISA9IiLpYy
z8CihSfJERVj1lyjINoCQ7vmFyZyPKaBBy+xJhN60WRoYb0ymCTQXQ+eP9vmYXyz
cfTs5oYeZzuL7d9FZmv6msUq8wOVm6q6Yt7pGBH8ZkzezCiLj2Ald36r5bH/ExxH
zh1HB7U45yEqDmtcg8ezVsJSu1jXX1E6uhrINcBCRvVgfWw0xFthhiY7C5doOxmX
/QEGFhRicUsFO/PX063z2IdoYojJeozBKTPKecMOEMDS1A46W7f6v9Sm+LVZXN8z
a40xkpy6PudREBJyWfd+aDKApJUTN+cGEwnC5N7T8K/G03mW08rGUFOsBKu1zdtw
TxrmgbYqHvkBBkH0A7zLhpizRMwWaTi+UQsQO90OUro2S19GNdLrDhK6oP1gy/0q
couwBERVBjfzyqAVa2mKpNiUoW4BJT2C4ltJN/l2S2xyc3D5Stni6nXJtIzLcjqJ
QnEpocjDAX1I5Uq4p6VttPMB2htJ2L3KDS1igoi7NBVNYijEKiroVClmFbj+sjBX
LNuMBYbNe+G0mK6geBzvxnh0tuSdlnbWJckWyO6+UEucs2n9cT40rxCsPMTA5ggr
LQXrhvzIQkNVvbc2JMg6j5kboymYyUDkm6RV9itBe3NmJNFKaKCHdmuKJZVbeQKm
jlbXNl9kOkM=iRSz
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.

Red Hat: 2019:0746-01 Important: Httpd24-Httpd Authentication Bypass

red hat
Calendar Grey April 11, 2019
Dist Redhat Esm H88
A significant announcement for Red Hat Software Collections has been released, tackling vulnerabilities in httpd components.
An update for httpd24-httpd and httpd24-mod_auth_mellon is now available for Red Hat Software Collections

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Summary

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.
Security Fix(es):
* httpd: privilege escalation from modules scripts (CVE-2019-0211)
* mod_auth_mellon: authentication bypass in ECP flow (CVE-2019-3878)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory Red Hat update httpd important authentication bypass

References

https://access.redhat.com/security/cve/CVE-2019-0211 https://access.redhat.com/security/cve/CVE-2019-3878 https://access.redhat.com/security/updates/classification#important

Package List

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source: httpd24-httpd-2.4.34-7.el6.1.src.rpm
noarch: httpd24-httpd-manual-2.4.34-7.el6.1.noarch.rpm
x86_64: httpd24-httpd-2.4.34-7.el6.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.34-7.el6.1.x86_64.rpm httpd24-httpd-devel-2.4.34-7.el6.1.x86_64.rpm httpd24-httpd-tools-2.4.34-7.el6.1.x86_64.rpm httpd24-mod_ldap-2.4.34-7.el6.1.x86_64.rpm httpd24-mod_proxy_html-2.4.34-7.el6.1.x86_64.rpm httpd24-mod_session-2.4.34-7.el6.1.x86_64.rpm httpd24-mod_ssl-2.4.34-7.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source: httpd24-httpd-2.4.34-7.el6.1.src.rpm
noarch: httpd24-httpd-manual-2.4.34-7.el6.1.noarch.rpm
x86_64: httpd24-httpd-2.4.34-7.el6.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.34-7.el6.1.x86_64.rpm httpd24-httpd-devel-2.4.34-7.el6.1.x86_64.rpm httpd24-httpd-tools-2.4.34-7.el6.1.x86_64.rpm httpd24-mod_ldap-2.4.34-7.el6.1.x86_64.rpm httpd24-mod_proxy_html-2.4.34-7.el6.1.x86_64.rpm httpd24-mod_session-2.4.34-7.el6.1.x86_64.rpm httpd24-mod_ssl-2.4.34-7.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: httpd24-httpd-2.4.34-7.el7.1.src.rpm httpd24-mod_auth_mellon-0.13.1-2.el7.1.src.rpm
aarch64: httpd24-httpd-2.4.34-7.el7.1.aarch64.rpm

Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2019:0746-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2019:0746
Issue date: 2019-04-11

Topic

An update for httpd24-httpd and httpd24-mod_auth_mellon is now availablefor Red Hat Software Collections.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory Red Hat update httpd important authentication bypass

Relevant Releases Architectures

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

Bugs Fixed

1691126 - CVE-2019-3878 mod_auth_mellon: authentication bypass in ECP flow

1694980 - CVE-2019-0211 httpd: privilege escalation from modules scripts

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here