RedHat: RHSA-2020-1337:01 Moderate: Red Hat JBoss Core Services Apache HTTP

    Date 06 Apr 2020
    255
    Posted By LinuxSecurity Advisories
    Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP2 security update
    Advisory ID:       RHSA-2020:1337-01
    Product:           Red Hat JBoss Core Services
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1337
    Issue date:        2020-04-06
    CVE Names:         CVE-2019-1547 CVE-2019-1549 CVE-2019-1563 
                       CVE-2019-10081 CVE-2019-10082 CVE-2019-10092 
                       CVE-2019-10097 CVE-2019-10098 
    =====================================================================
    
    1. Summary:
    
    Updated packages that provide Red Hat JBoss Core Services Pack Apache
    Server 2.4.37 and fix several bugs, and add various enhancements are now
    available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    Red Hat JBoss Core Services on RHEL 6 Server - i386, noarch, ppc64, x86_64
    Red Hat JBoss Core Services on RHEL 7 Server - noarch, ppc64, x86_64
    
    3. Description:
    
    This release adds the new Apache HTTP Server 2.4.37 Service Pack 2 packages
    that are part of the JBoss Core Services offering.
    
    This release serves as a replacement for Red Hat JBoss Core Services Pack
    Apache Server 2.4.37 Service Pack 1 and includes bug fixes and
    enhancements. Refer to the Release Notes for information on the most
    significant bug fixes and enhancements included in this release.
    
    Security Fix(es):
    
    * openssl: side-channel weak encryption vulnerability (CVE-2019-1547)
    
    * httpd: memory corruption on early pushes (CVE-2019-10081)
    
    * httpd: read-after-free in h2 connection shutdown (CVE-2019-10082)
    
    * httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)
    
    * openssl: information disclosure in fork() (CVE-2019-1549)
    
    * openssl: information disclosure in PKCS7_dataDecode and
    CMS_decrypt_set1_pkey (CVE-2019-1563)
    
    * httpd: limited cross-site scripting in mod_proxy error page
    (CVE-2019-10092)
    
    * httpd: mod_rewrite potential open redirect (CVE-2019-10098)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    4. Solution:
    
    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.
    
    For details on how to apply this update, refer to:
    
    https://access.redhat.com/articles/11258
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1743956 - CVE-2019-10092 httpd: limited cross-site scripting in mod_proxy error page
    1743959 - CVE-2019-10098 httpd: mod_rewrite potential open redirect
    1743966 - CVE-2019-10081 httpd: memory corruption on early pushes
    1743974 - CVE-2019-10082 httpd: read-after-free in h2 connection shutdown
    1743996 - CVE-2019-10097 httpd: null-pointer dereference in mod_remoteip
    1752090 - CVE-2019-1547 openssl: side-channel weak encryption vulnerability
    1752095 - CVE-2019-1549 openssl: information disclosure in fork()
    1752100 - CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey
    
    6. Package List:
    
    Red Hat JBoss Core Services on RHEL 6 Server:
    
    Source:
    jbcs-httpd24-apr-1.6.3-86.jbcs.el6.src.rpm
    jbcs-httpd24-brotli-1.0.6-21.jbcs.el6.src.rpm
    jbcs-httpd24-httpd-2.4.37-52.jbcs.el6.src.rpm
    jbcs-httpd24-mod_cluster-native-1.3.12-41.Final_redhat_2.jbcs.el6.src.rpm
    jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el6.src.rpm
    jbcs-httpd24-openssl-1.1.1c-16.jbcs.el6.src.rpm
    
    i386:
    jbcs-httpd24-apr-1.6.3-86.jbcs.el6.i686.rpm
    jbcs-httpd24-apr-debuginfo-1.6.3-86.jbcs.el6.i686.rpm
    jbcs-httpd24-apr-devel-1.6.3-86.jbcs.el6.i686.rpm
    jbcs-httpd24-brotli-1.0.6-21.jbcs.el6.i686.rpm
    jbcs-httpd24-brotli-debuginfo-1.0.6-21.jbcs.el6.i686.rpm
    jbcs-httpd24-brotli-devel-1.0.6-21.jbcs.el6.i686.rpm
    jbcs-httpd24-httpd-2.4.37-52.jbcs.el6.i686.rpm
    jbcs-httpd24-httpd-debuginfo-2.4.37-52.jbcs.el6.i686.rpm
    jbcs-httpd24-httpd-devel-2.4.37-52.jbcs.el6.i686.rpm
    jbcs-httpd24-httpd-selinux-2.4.37-52.jbcs.el6.i686.rpm
    jbcs-httpd24-httpd-tools-2.4.37-52.jbcs.el6.i686.rpm
    jbcs-httpd24-mod_cluster-native-1.3.12-41.Final_redhat_2.jbcs.el6.i686.rpm
    jbcs-httpd24-mod_cluster-native-debuginfo-1.3.12-41.Final_redhat_2.jbcs.el6.i686.rpm
    jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el6.i686.rpm
    jbcs-httpd24-mod_http2-debuginfo-1.11.3-22.jbcs.el6.i686.rpm
    jbcs-httpd24-mod_ldap-2.4.37-52.jbcs.el6.i686.rpm
    jbcs-httpd24-mod_proxy_html-2.4.37-52.jbcs.el6.i686.rpm
    jbcs-httpd24-mod_session-2.4.37-52.jbcs.el6.i686.rpm
    jbcs-httpd24-mod_ssl-2.4.37-52.jbcs.el6.i686.rpm
    jbcs-httpd24-openssl-1.1.1c-16.jbcs.el6.i686.rpm
    jbcs-httpd24-openssl-debuginfo-1.1.1c-16.jbcs.el6.i686.rpm
    jbcs-httpd24-openssl-devel-1.1.1c-16.jbcs.el6.i686.rpm
    jbcs-httpd24-openssl-libs-1.1.1c-16.jbcs.el6.i686.rpm
    jbcs-httpd24-openssl-perl-1.1.1c-16.jbcs.el6.i686.rpm
    jbcs-httpd24-openssl-static-1.1.1c-16.jbcs.el6.i686.rpm
    
    noarch:
    jbcs-httpd24-httpd-manual-2.4.37-52.jbcs.el6.noarch.rpm
    
    ppc64:
    jbcs-httpd24-brotli-1.0.6-21.jbcs.el6.ppc64.rpm
    jbcs-httpd24-brotli-debuginfo-1.0.6-21.jbcs.el6.ppc64.rpm
    jbcs-httpd24-brotli-devel-1.0.6-21.jbcs.el6.ppc64.rpm
    jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el6.ppc64.rpm
    jbcs-httpd24-mod_http2-debuginfo-1.11.3-22.jbcs.el6.ppc64.rpm
    
    x86_64:
    jbcs-httpd24-apr-1.6.3-86.jbcs.el6.x86_64.rpm
    jbcs-httpd24-apr-debuginfo-1.6.3-86.jbcs.el6.x86_64.rpm
    jbcs-httpd24-apr-devel-1.6.3-86.jbcs.el6.x86_64.rpm
    jbcs-httpd24-brotli-1.0.6-21.jbcs.el6.x86_64.rpm
    jbcs-httpd24-brotli-debuginfo-1.0.6-21.jbcs.el6.x86_64.rpm
    jbcs-httpd24-brotli-devel-1.0.6-21.jbcs.el6.x86_64.rpm
    jbcs-httpd24-httpd-2.4.37-52.jbcs.el6.x86_64.rpm
    jbcs-httpd24-httpd-debuginfo-2.4.37-52.jbcs.el6.x86_64.rpm
    jbcs-httpd24-httpd-devel-2.4.37-52.jbcs.el6.x86_64.rpm
    jbcs-httpd24-httpd-selinux-2.4.37-52.jbcs.el6.x86_64.rpm
    jbcs-httpd24-httpd-tools-2.4.37-52.jbcs.el6.x86_64.rpm
    jbcs-httpd24-mod_cluster-native-1.3.12-41.Final_redhat_2.jbcs.el6.x86_64.rpm
    jbcs-httpd24-mod_cluster-native-debuginfo-1.3.12-41.Final_redhat_2.jbcs.el6.x86_64.rpm
    jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el6.x86_64.rpm
    jbcs-httpd24-mod_http2-debuginfo-1.11.3-22.jbcs.el6.x86_64.rpm
    jbcs-httpd24-mod_ldap-2.4.37-52.jbcs.el6.x86_64.rpm
    jbcs-httpd24-mod_proxy_html-2.4.37-52.jbcs.el6.x86_64.rpm
    jbcs-httpd24-mod_session-2.4.37-52.jbcs.el6.x86_64.rpm
    jbcs-httpd24-mod_ssl-2.4.37-52.jbcs.el6.x86_64.rpm
    jbcs-httpd24-openssl-1.1.1c-16.jbcs.el6.x86_64.rpm
    jbcs-httpd24-openssl-debuginfo-1.1.1c-16.jbcs.el6.x86_64.rpm
    jbcs-httpd24-openssl-devel-1.1.1c-16.jbcs.el6.x86_64.rpm
    jbcs-httpd24-openssl-libs-1.1.1c-16.jbcs.el6.x86_64.rpm
    jbcs-httpd24-openssl-perl-1.1.1c-16.jbcs.el6.x86_64.rpm
    jbcs-httpd24-openssl-static-1.1.1c-16.jbcs.el6.x86_64.rpm
    
    Red Hat JBoss Core Services on RHEL 7 Server:
    
    Source:
    jbcs-httpd24-apr-1.6.3-86.jbcs.el7.src.rpm
    jbcs-httpd24-brotli-1.0.6-21.jbcs.el7.src.rpm
    jbcs-httpd24-httpd-2.4.37-52.jbcs.el7.src.rpm
    jbcs-httpd24-mod_cluster-native-1.3.12-41.Final_redhat_2.jbcs.el7.src.rpm
    jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el7.src.rpm
    jbcs-httpd24-openssl-1.1.1c-16.jbcs.el7.src.rpm
    
    noarch:
    jbcs-httpd24-httpd-manual-2.4.37-52.jbcs.el7.noarch.rpm
    
    ppc64:
    jbcs-httpd24-brotli-1.0.6-21.jbcs.el7.ppc64.rpm
    jbcs-httpd24-brotli-debuginfo-1.0.6-21.jbcs.el7.ppc64.rpm
    jbcs-httpd24-brotli-devel-1.0.6-21.jbcs.el7.ppc64.rpm
    jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el7.ppc64.rpm
    jbcs-httpd24-mod_http2-debuginfo-1.11.3-22.jbcs.el7.ppc64.rpm
    
    x86_64:
    jbcs-httpd24-apr-1.6.3-86.jbcs.el7.x86_64.rpm
    jbcs-httpd24-apr-debuginfo-1.6.3-86.jbcs.el7.x86_64.rpm
    jbcs-httpd24-apr-devel-1.6.3-86.jbcs.el7.x86_64.rpm
    jbcs-httpd24-brotli-1.0.6-21.jbcs.el7.x86_64.rpm
    jbcs-httpd24-brotli-debuginfo-1.0.6-21.jbcs.el7.x86_64.rpm
    jbcs-httpd24-brotli-devel-1.0.6-21.jbcs.el7.x86_64.rpm
    jbcs-httpd24-httpd-2.4.37-52.jbcs.el7.x86_64.rpm
    jbcs-httpd24-httpd-debuginfo-2.4.37-52.jbcs.el7.x86_64.rpm
    jbcs-httpd24-httpd-devel-2.4.37-52.jbcs.el7.x86_64.rpm
    jbcs-httpd24-httpd-selinux-2.4.37-52.jbcs.el7.x86_64.rpm
    jbcs-httpd24-httpd-tools-2.4.37-52.jbcs.el7.x86_64.rpm
    jbcs-httpd24-mod_cluster-native-1.3.12-41.Final_redhat_2.jbcs.el7.x86_64.rpm
    jbcs-httpd24-mod_cluster-native-debuginfo-1.3.12-41.Final_redhat_2.jbcs.el7.x86_64.rpm
    jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el7.x86_64.rpm
    jbcs-httpd24-mod_http2-debuginfo-1.11.3-22.jbcs.el7.x86_64.rpm
    jbcs-httpd24-mod_ldap-2.4.37-52.jbcs.el7.x86_64.rpm
    jbcs-httpd24-mod_proxy_html-2.4.37-52.jbcs.el7.x86_64.rpm
    jbcs-httpd24-mod_session-2.4.37-52.jbcs.el7.x86_64.rpm
    jbcs-httpd24-mod_ssl-2.4.37-52.jbcs.el7.x86_64.rpm
    jbcs-httpd24-openssl-1.1.1c-16.jbcs.el7.x86_64.rpm
    jbcs-httpd24-openssl-debuginfo-1.1.1c-16.jbcs.el7.x86_64.rpm
    jbcs-httpd24-openssl-devel-1.1.1c-16.jbcs.el7.x86_64.rpm
    jbcs-httpd24-openssl-libs-1.1.1c-16.jbcs.el7.x86_64.rpm
    jbcs-httpd24-openssl-perl-1.1.1c-16.jbcs.el7.x86_64.rpm
    jbcs-httpd24-openssl-static-1.1.1c-16.jbcs.el7.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2019-1547
    https://access.redhat.com/security/cve/CVE-2019-1549
    https://access.redhat.com/security/cve/CVE-2019-1563
    https://access.redhat.com/security/cve/CVE-2019-10081
    https://access.redhat.com/security/cve/CVE-2019-10082
    https://access.redhat.com/security/cve/CVE-2019-10092
    https://access.redhat.com/security/cve/CVE-2019-10097
    https://access.redhat.com/security/cve/CVE-2019-10098
    https://access.redhat.com/security/updates/classification/#moderate
    https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.37/
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXouCx9zjgjWX9erEAQg57RAAni5W7SYIMdXwBveY7LVVU8HUzHhrOSH0
    H6dPGPAhcfR2XehGfODuqax7Ma94mZKE2PXxujpmxlA1Scg+IvpG9Mrj4QllKgEU
    v+Gsq8Hs3LtZS7B1sytl2vIKUOuUhjR8W+61Zh5X8oG5POhQbaavjTakGjPHt8AU
    mXWraZevjvIzHWKitg9dhAbCerEy+aaf4yhgrXadqv5kwT1ud2TNqDqR4ayAx4Gm
    UjOTvhg04eMExzTIUjabpN1khA70tMljxWWTwwejj2uCXeGEggImkL4hM882FwVZ
    Z9FTyQjY92r8S8jbxmQxo7MC7bSoZGrl//Dg+4EA+60j1p7OjXISLKXBZYoQcrtr
    c+CZXbUVPXH8vBcGF5TixrfbpZnF2GYq4S0XajhhXWJ0kskAR4zAjTmD5w8vVIBr
    PJ/yPeAYSFjkDuKaKnbvrXN8YS4hLfcW5EbwsSD5GXF1bgC9pftdpJJ321ElSYIW
    zdqujswl6NbMozTXBPbxF3lmNY+DpDeJZ9FZy5nfDxpGNNzkk9kdkrQlUZ5Uy/78
    1/kEmhhAnr0s19WPsbhAk4mdzFr+pcRYZcJTtsOVTH3CoVO2+g9icZOLmmkk3lx3
    L4GcquyY7qYsn2frT5HuGME/iXpkKjlJlY0EjUEjvPCO9IzLWlGMWDvKXNG/Ma7L
    i1VWpzjNjpU=
    =uXCZ
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    

    LinuxSecurity Poll

    Do you agree with Linus Torvalds' decision to reject the controversial patch mitigating the Snoop attack on Intel CPUs?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/28-do-you-agree-with-linus-torvalds-decision-to-reject-the-controversial-patch-mitigating-the-snoop-attack-on-intel-cpus?task=poll.vote&format=json
    28
    radio
    [{"id":"100","title":"Yes - this was undoubtedly the right decision.","votes":"0","type":"x","order":"1","pct":0,"resources":[]},{"id":"101","title":"Not sure...","votes":"1","type":"x","order":"2","pct":100,"resources":[]},{"id":"102","title":"No - he made a big mistake here.","votes":"0","type":"x","order":"3","pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Advisories

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.