RedHat: RHSA-2020-1336:01 Moderate: Red Hat JBoss Core Services Apache HTTP

    Date 06 Apr 2020
    255
    Posted By LinuxSecurity Advisories
    Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 2 zip release for RHEL 6, RHEL 7 and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP2 security update
    Advisory ID:       RHSA-2020:1336-01
    Product:           Red Hat JBoss Core Services
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1336
    Issue date:        2020-04-06
    CVE Names:         CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 
                       CVE-2019-10081 CVE-2019-10082 CVE-2019-10092 
                       CVE-2019-10097 CVE-2019-10098 
    =====================================================================
    
    1. Summary:
    
    Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 2 zip
    release for RHEL 6, RHEL 7 and Microsoft Windows is available.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Description:
    
    Red Hat JBoss Core Services is a set of supplementary software for Red Hat
    JBoss middleware products. This software, such as Apache HTTP Server, is
    common to multiple JBoss middleware products, and is packaged under Red Hat
    JBoss Core Services to allow for faster distribution of updates, and for a
    more consistent update experience.
    
    This release adds the new Apache HTTP Server 2.4.37 Service Pack 2 packages
    that are part of the JBoss Core Services offering.
    
    This release serves as a replacement for Red Hat JBoss Core Services Pack
    Apache Server 2.4.37 Service Pack 1 and includes bug fixes and
    enhancements. Refer to the Release Notes for information on the most
    significant bug fixes and enhancements included in this release.
    
    Security Fix(es):
    
    * openssl: side-channel weak encryption vulnerability (CVE-2019-1547)
    
    * httpd: memory corruption on early pushes (CVE-2019-10081)
    
    * httpd: read-after-free in h2 connection shutdown (CVE-2019-10082)
    
    * httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)
    
    * openssl: information disclosure in fork() (CVE-2019-1549)
    
    * openssl: information disclosure in PKCS7_dataDecode and
    CMS_decrypt_set1_pkey (CVE-2019-1563)
    
    * httpd: limited cross-site scripting in mod_proxy error page
    (CVE-2019-10092)
    
    * httpd: mod_rewrite potential open redirect (CVE-2019-10098)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    3. Solution:
    
    The References section of this erratum contains a download link (you must
    log in to download the update).
    
    Before applying the update, back up your existing Red Hat JBoss Core
    Services installation (including all applications and configuration files).
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1743956 - CVE-2019-10092 httpd: limited cross-site scripting in mod_proxy error page
    1743959 - CVE-2019-10098 httpd: mod_rewrite potential open redirect
    1743966 - CVE-2019-10081 httpd: memory corruption on early pushes
    1743974 - CVE-2019-10082 httpd: read-after-free in h2 connection shutdown
    1743996 - CVE-2019-10097 httpd: null-pointer dereference in mod_remoteip
    1752090 - CVE-2019-1547 openssl: side-channel weak encryption vulnerability
    1752095 - CVE-2019-1549 openssl: information disclosure in fork()
    1752100 - CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2019-1547
    https://access.redhat.com/security/cve/CVE-2019-1549
    https://access.redhat.com/security/cve/CVE-2019-1563
    https://access.redhat.com/security/cve/CVE-2019-10081
    https://access.redhat.com/security/cve/CVE-2019-10082
    https://access.redhat.com/security/cve/CVE-2019-10092
    https://access.redhat.com/security/cve/CVE-2019-10097
    https://access.redhat.com/security/cve/CVE-2019-10098
    https://access.redhat.com/security/updates/classification/#moderate
    https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=securityPatches&version=2.4.37
    https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.openssl&downloadType=securityPatches&version=1.1.1c
    https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.37/
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXot+y9zjgjWX9erEAQg0TxAAmz55mqR/H1CrJ+yAscrw2aUjh0HQMGbe
    AcmnemaluF2q5LVRQXiCSH804IRw378H8srbNWMHlHCJXqJ8voqehu+p0AL+inxj
    aEJbds87mZhw495cDofuvMm8BmUNGg9kNHQ5jjLS73EoLwiD7kqVLq4H1SF+GRGG
    bMBmHCcU74vmbqMIo34yftx1v6oGf6GrSuY03T4lWObdsCOyF9pBciyjZye0Qx38
    2RsbA2ILqxREF6RYVVgNsc6kb1tE52C+XepoaORG1tNnYLv5ditcZ7K3/C1aNM5A
    CO+bl5qMYMFrBSMsM9sk0jyrGMkvwUTKiOJRRa422NSnrdGOimtZz9shnEMhHf7i
    LtNESbzu2fm6uMsgtOpBdlCCfCSxMPutspOu5cp+/gVsuhgrmIoGTTcXJpqR7QsI
    /E4YwD9JOhLZrs8Zcj5t+I6Z6XzAKOT366BW9ChnhrLPJkoI4U9CPPWCGmfVLDNA
    NhsX8km+8iVBAn8gMsl87QVyiezFtcaxAOvEOeMMflM4XdjSuYOzNXvgZiDb/Gss
    QGhU5mXOftNcH3Q9L2u4RW+JNJKM1rXD1qU9mQVU87Evxqm5vVEwfcv/gZVOr51A
    gV4flUKpXSRciL/wBS4SnuAzYL1kNxhHOH2skybg+6VJseazkpapdEP+K81Gy+UH
    dnPoWHciEk4=
    =G9gQ
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    

    LinuxSecurity Poll

    What do you think of the LinuxSecurity Privacy news articles?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/25-what-do-you-think-of-the-linuxsecurity-privacy-news-articles?task=poll.vote&format=json
    25
    radio
    [{"id":"90","title":"Love them!","votes":"94","type":"x","order":"1","pct":79.66,"resources":[]},{"id":"91","title":"I'm indifferent","votes":"18","type":"x","order":"2","pct":15.25,"resources":[]},{"id":"92","title":"Not interested in this topic","votes":"6","type":"x","order":"3","pct":5.08,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.