Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
This release adds the new Apache HTTP Server 2.4.37 Service Pack 5 packages
that are part of the JBoss Core Services offering.
This release serves as a replacement for Red Hat JBoss Core Services Pack
Apache Server 2.4.37 Service Pack 3 and includes bug fixes and
enhancements. Refer to the Release Notes for information on the most
significant bug fixes and enhancements included in this release.
Security fix(es):
* curl: Integer overflows in curl_url_set() function (CVE-2019-5435)
* openssl: Integer overflow in RSAZ modular exponentiation on x86_64
(CVE-2019-1551)
* httpd: mod_http2 concurrent pool usage (CVE-2020-11993)
* httpd: mod_proxy_uswgi buffer overflow (CVE-2020-11984)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
https://access.redhat.com/security/cve/CVE-2019-1551 https://access.redhat.com/security/cve/CVE-2019-5435 https://access.redhat.com/security/cve/CVE-2020-11984 https://access.redhat.com/security/cve/CVE-2020-11993 https://access.redhat.com/security/updates/classification/#moderate
Red Hat JBoss Core Services on RHEL 6 Server:
Source:
jbcs-httpd24-apr-1.6.3-104.jbcs.el6.src.rpm
jbcs-httpd24-apr-util-1.6.1-75.jbcs.el6.src.rpm
jbcs-httpd24-brotli-1.0.6-38.jbcs.el6.src.rpm
jbcs-httpd24-curl-7.64.1-44.jbcs.el6.src.rpm
jbcs-httpd24-httpd-2.4.37-64.jbcs.el6.src.rpm
jbcs-httpd24-jansson-2.11-53.jbcs.el6.src.rpm
jbcs-httpd24-mod_cluster-native-1.3.14-11.Final_redhat_2.jbcs.el6.src.rpm
jbcs-httpd24-mod_http2-1.15.7-11.jbcs.el6.src.rpm
jbcs-httpd24-mod_jk-1.2.48-10.redhat_1.jbcs.el6.src.rpm
jbcs-httpd24-mod_md-2.0.8-30.jbcs.el6.src.rpm
jbcs-httpd24-mod_security-2.9.2-57.GA.jbcs.el6.src.rpm
jbcs-httpd24-nghttp2-1.39.2-34.jbcs.el6.src.rpm
jbcs-httpd24-openssl-1.1.1c-32.jbcs.el6.src.rpm
i386:
jbcs-httpd24-apr-1.6.3-104.jbcs.el6.i686.rpm
jbcs-httpd24-apr-debuginfo-1.6.3-104.jbcs.el6.i686.rpm
jbcs-httpd24-apr-devel-1.6.3-104.jbcs.el6.i686.rpm
jbcs-httpd24-apr-util-1.6.1-75.jbcs.el6.i686.rpm
jbcs-httpd24-apr-util-debuginfo-1.6.1-75.jbcs.el6.i686.rpm
jbcs-httpd24-apr-util-devel-1.6.1-75.jbcs.el6.i686.rpm
jbcs-httpd24-apr-util-ldap-1.6.1-75.jbcs.el6.i686.rpm
jbcs-httpd24-apr-util-mysql-1.6.1-75.jbcs.el6.i686.rpm
jbcs-httpd24-apr-util-nss-1.6.1-75.jbcs.el6.i686.rpm
jbcs-httpd24-apr-util-odbc-1.6.1-75.jbcs.el6.i686.rpm
Read the Full Advisory
Updated packages that provide Red Hat JBoss Core Services Pack ApacheServer 2.4.37 and fix several bugs, and add various enhancements are nowavailable for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Red Hat JBoss Core Services on RHEL 6 Server - i386, noarch, ppc64, x86_64
Red Hat JBoss Core Services on RHEL 7 Server - noarch, ppc64, x86_64
1710609 - CVE-2019-5435 curl: Integer overflows in curl_url_set() function
1780995 - CVE-2019-1551 openssl: Integer overflow in RSAZ modular exponentiation on x86_64
1866563 - CVE-2020-11984 httpd: mod_proxy_uwsgi buffer overflow
1866564 - CVE-2020-11993 httpd: mod_http2 concurrent pool usage
Get the latest Linux and open source security news straight to your inbox.