Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Release Notes
For Use with the Red Hat JBoss Core Services Apache HTTP Server 2.4.29
Abstract
Preface
Welcome to the Red Hat JBoss Core Services version 2.4.29 release.
Red Hat JBoss Core Services Apache HTTP Server is an open source web server developed by the Apache Software Foundation. Features of Apache HTTP Server include:
- Implements the current HTTP standards, including HTTP/1.1 and HTTP/2.
- Transport Layer Security (TLS) encryption support through OpenSSL, providing secure connections between the web server and web clients.
- Extendable through modules, some of which are included with the Red Hat JBoss Core Services Apache HTTP Server.
Chapter 1. Installing the Red Hat JBoss Core Services 2.4.29
The Apache HTTP Server 2.4.29 can be installed using one of the following sections of the installation guide:
For installation instructions for Red Hat Enterprise Linux systems, see:
- For installation instructions for Microsoft Windows systems, see: Installing JBoss Core Services Apache HTTP Server on Microsoft Windows.
- For installation instructions for Solaris systems, see: Installing Apache HTTP Server on Solaris.
Chapter 2. Upgrading to the Red Hat JBoss Core Services Apache HTTP Server 2.4.29
Where a Red Hat JBoss Core Services Apache HTTP Server 2.4.23 or earlier was installed from RPM packages using yum, the Apache HTTP Server can be upgraded with yum upgrade.
For systems where an earlier version of the Red Hat JBoss Core Services Apache HTTP Server was installed from a .zip archive, upgrading to the Apache HTTP Server 2.4.29 requires:
- Installing the Apache HTTP Server 2.4.29.
- Setting up the Apache HTTP Server 2.4.29.
- Removing the earlier version of Apache HTTP Server.
Prerequisites
- Root user access (Red Hat Enterprise Linux and Solaris systems)
- Administrative access (Windows Server)
- A system where the Red Hat JBoss Core Services Apache HTTP Server 2.4.23 or earlier was installed from a .zip archive.
Procedure
For systems using the Red Hat JBoss Core Services Apache HTTP Server 2.4.23, the recommended procedure for upgrading to the Apache HTTP Server 2.4.29 is:
- Shut down any running instances of Red Hat JBoss Core Services Apache HTTP Server 2.4.23.
- Back up the Red Hat JBoss Core Services Apache HTTP Server 2.4.23 installation and configuration files.
- Install the Red Hat JBoss Core Services Apache HTTP Server 2.4.29 using the .zip installation method for the current system (see Additional Resources below).
- Migrate your configuration from the Red Hat JBoss Core Services Apache HTTP Server version 2.4.23 to version 2.4.29.
  Note: The Apache HTTP Server configuration files may have changed since the Apache HTTP Server 2.4.23 release. It is recommended that you update the 2.4.29 version configuration files, rather than overwrite them with the configuration files from a different version (such as Apache HTTP Server 2.4.23).
- Remove the Red Hat JBoss Core Services Apache HTTP Server 2.4.23 root directory.
Additional Resources
For installation instructions for Red Hat Enterprise Linux systems, see:
- For installation instructions for Microsoft Windows systems, see: Installing JBoss Core Services Apache HTTP Server on Microsoft Windows.
- For installation instructions for Solaris systems, see: Installing Apache HTTP Server on Solaris.
Chapter 3. Security Fixes
This update includes fixes for the following security-related issues:
| ID | Impact | Summary |
|---|---|---|
| | Moderate | expat: Out-of-bounds heap read on crafted input causing crash |
| | Low | curl: escape and unescape integer overflows |
| | Moderate | curl: Cookie injection for other servers |
| | Low | curl: Case insensitive password comparison |
| | Moderate | curl: Out-of-bounds write via unchecked multiplication |
| | Moderate | curl: Double-free in curl_maprintf |
| | Moderate | curl: Double-free in krb5 code |
| | Low | curl: curl_getdate out-of-bounds read |
| | Low | curl: URL unescape heap overflow via integer truncation |
| | Low | curl: Use-after-free via shared cookies |
| | Moderate | curl: Invalid URL parsing with '#' |
| | Moderate | curl: IDNA 2003 makes curl use wrong host |
| | Moderate | libxml2: out-of-bounds read (unfixed CVE-2016-4483 in JBCS) |
| | Moderate | pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3) |
| | Moderate | pcre: Invalid Unicode property lookup (8.41/7, 10.24/2) |
| | Low | pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c) |
| | Low | pcre: stack-based buffer overflow write in pcre32_copy_substring |
| | Low | pcre: stack-based buffer overflow write in pcre32_copy_substring |
| | Moderate | curl: FTP PWD response parser out of bounds read |
| | Moderate | curl: IMAP FETCH response out of bounds read |
| | Moderate | curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP |
Chapter 4. Resolved issues
See the JBoss Developer bug tracking software for a list of the resolved issues for Red Hat JBoss Core Services 2.4.29.
Chapter 5. Known issues
See the JBoss Developer bug tracking software for a list of the known issues for Red Hat JBoss Core Services 2.4.29.
Chapter 6. Upgraded components
This release includes upgraded versions of the following packages:
Component | Version | Operating Systems |
---|---|---|
jsvc | 1.1.0 | All |
mod_jk | 1.2.43 | All |
expat | 2.2.5 | Microsoft Windows and Solaris |
nghttp2 | 1.29.0 | All |
libxml2 | 2.9.7 | Microsoft Windows and Solaris |
openssl | 1.0.2.n | All |
pcre | 8.41 | Microsoft Windows and Solaris |
curl | 7.57.0 | Microsoft Windows and Solaris |
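The versions in this table can be used to check whether an installation still carries an older bundled library. The following is an added example, not part of the Red Hat release notes or tooling: the function names and the sample inventory are assumptions made for illustration, and the inventory is constructed rather than collected from a real host.

```python
import re

# Versions from the "Upgraded components" table of these release notes.
# openssl is printed there as "1.0.2.n"; both spellings parse to the same key.
FIXED_IN_2_4_29 = {
    "jsvc": "1.1.0",
    "mod_jk": "1.2.43",
    "expat": "2.2.5",
    "nghttp2": "1.29.0",
    "libxml2": "2.9.7",
    "openssl": "1.0.2.n",
    "pcre": "8.41",
    "curl": "7.57.0",
}


def version_key(version):
    """Turn '7.57.0', '1.0.2n' or '1.0.2.n' into a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)\.?([a-z]*)", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    # Pad so that '8.41' and '8.41.0' compare equal.
    numbers += (0,) * (4 - len(numbers))
    # A letter suffix (OpenSSL style) sorts after the bare number: 1.0.2 < 1.0.2h < 1.0.2n.
    return numbers, m.group(2)


def audit(inventory):
    """Return {component: (found, required)} for components older than the table."""
    outdated = {}
    for name, found in inventory.items():
        required = FIXED_IN_2_4_29.get(name)
        if required is not None and version_key(found) < version_key(required):
            outdated[name] = (found, required)
    return outdated


# Constructed inventory (hypothetical host), e.g. noted down from each tool's version output.
SAMPLE_INVENTORY = {
    "curl": "7.52.1", "openssl": "1.0.2h", "pcre": "8.41",
    "expat": "2.2.5", "libxml2": "2.9.4", "nghttp2": "1.29.0",
}

if __name__ == "__main__":
    for name, (found, required) in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{name}: {found} is older than {required}")
```

The table lists expat, libxml2, pcre and curl for Microsoft Windows and Solaris only, so those entries apply to installations on those platforms.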
Chapter 7. Component versions for this release
This release includes the following components:
JBCS Component | Operating System(s) | Version | Comment |
---|---|---|---|
Apache HTTP Server | All | 2.4.29 | Web server with libraries and tools |
JSVC | All | 1.1.0 | Also known as Apache Commons Daemons |
mod_jk | All | 1.2.43 | Apache HTTP Server load balancer |
ISAPI | Microsoft Windows | 1.2.43 | Microsoft IIS load balancer |
NSAPI | Solaris | 1.2.43 | Oracle iPlanet load balancer |
mod_cluster | All | 1.3.8 | Apache HTTP Server load balancer |
curl | Microsoft Windows, Solaris | 7.57.0 | HTTP client tool |
libapr | All | 1.6.3 | Apache Portable Runtime |
libaprutil | All | 1.6.1 | Apache Portable Runtime Util |
Lua | Microsoft Windows, Solaris | 5.1.4 | Lua scripting language interpreter |
OpenSSL | All | 1.0.2n | Crypto libraries and openssl executable tool |
LibXML | Microsoft Windows, Solaris | 2.9.7 | XML processing library and xmllint validator |
mod_bmx | All | 0.9.6-2.GA | JMX API for monitoring httpd |
awk (nawk) | Microsoft Windows | 2012.07.14 | Text processing interpreter |
ModSecurity | All | 2.9.1-23.GA | Application layer firewall |
nghttp2 | All | 1.29.0 | HTTP/2.0 client/server library |
libdb | Microsoft Windows, Solaris | 4.8.30 | Berkeley DB 4.8.30: (April 9, 2010) |
krb5 | Solaris | 1.9.final | krb and gssapi utils with httpd |
pcre | Microsoft Windows, Solaris | 8.41 | Regular expressions engine |
expat | Microsoft Windows, Solaris | 2.2.5 | XML parser |
iconv | Microsoft Windows | 1.14 | Charset encodings and conversions |
zlib | Microsoft Windows, Solaris | 1.2.7 | Compression library |