Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Release Notes

Red Hat JBoss Core Services 2.4.29

For Use with the Red Hat JBoss Core Services Apache HTTP Server 2.4.29

Red Hat Customer Content Services

Abstract

These release notes contain important information related to the Red Hat JBoss Core Services Apache HTTP Server 2.4.29.

Preface

Welcome to the Red Hat JBoss Core Services version 2.4.29 release.

Red Hat JBoss Core Services Apache HTTP Server is an open source web server developed by the Apache Software Foundation. Features of Apache HTTP Server include:

  • Implements the current HTTP standards, including HTTP/1.1 and HTTP/2.
  • Transport Layer Security (TLS) encryption support though OpenSSL, providing secure connections between the web server and web clients.
  • Extendable though modules, some of which are included with the Red Hat JBoss Core Services Apache HTTP Server.

Chapter 1. Installing the Red Hat JBoss Core Services 2.4.29

The Apache HTTP Server 2.4.29 can be installed using one of the following sections of the installation guide:

Chapter 2. Upgrading to the Red Hat JBoss Core Services Apache HTTP Server 2.4.29

Note

Where a Red Hat JBoss Core Services Apache HTTP Server 2.4.23 or earlier was installed from RPMs packages using yum, the Apache HTTP Server can be upgraded with yum upgrade.

For systems where an earlier version of the Red Hat JBoss Core Services Apache HTTP Server was installed from a .zip archive, upgrading to the Apache HTTP Server 2.4.29 requires:

  1. Installing the Apache HTTP Server 2.4.29.
  2. Setting up the Apache HTTP Server 2.4.29.
  3. Removing the earlier version of Apache HTTP Server.

Prerequisites

  • Root user access (Red Hat Enterprise Linux and Solaris systems)
  • Administrative access (Windows Server)
  • A system where the Red Hat JBoss Core Services Apache HTTP Server 2.4.23 or earlier was installed from a .zip archive.

Procedure

For systems using the Red Hat JBoss Core Services Apache HTTP Server 2.4.23, the recommended procedure for upgrading to the Apache HTTP Server 2.4.29 is:

  1. Shutdown any running instances of Red Hat JBoss Core Services Apache HTTP Server 2.4.23.
  2. Backup the Red Hat JBoss Core Services Apache HTTP Server 2.4.23 installation and configuration files.
  3. Install the Red Hat JBoss Core Services Apache HTTP Server 2.4.29 using the .zip installation method for the current system (see Additional Resources below).
  4. Migrate your configuration from the Red Hat JBoss Core Services Apache HTTP Server version 2.4.23 to version 2.4.29.

    Note

    The Apache HTTP Server configuration files may have changed since the Apache HTTP Server 2.4.23 release. It is recommended that you update the 2.4.29 version configuration files, rather than overwrite them with the configuration files from a different version (such as Apache HTTP Server 2.4.23).

  5. Remove the Red Hat JBoss Core Services Apache HTTP Server 2.4.23 root directory.

Additional Resources

Chapter 3. Security Fixes

This update includes fixes for the following security related issues:

IDImpactSummary

CVE-2016-0718

Moderate

expat: Out-of-bounds heap read on crafted input causing crash

CVE-2016-7167

Low

curl: escape and unescape integer overflows

CVE-2016-8615

Moderate

curl: Cookie injection for other servers

CVE-2016-8616

Low

curl: Case insensitive password comparison

CVE-2016-8617

Moderate

curl: Out-of-bounds write via unchecked multiplication

CVE-2016-8618

Moderate

curl: Double-free in curl_maprintf

CVE-2016-8619

Moderate

curl: Double-free in krb5 code

CVE-2016-8621

Low

curl: curl_getdate out-of-bounds read

CVE-2016-8622

Low

curl: URL unescape heap overflow via integer truncation

CVE-2016-8623

Low

curl: Use-after-free via shared cookies

CVE-2016-8624

Moderate

curl: Invalid URL parsing with '#'

CVE-2016-8625

Moderate

curl: IDNA 2003 makes curl use wrong host

CVE-2016-9598

Moderate

libxml2: out-of-bounds read (unfixed CVE-2016-4483 in JBCS)

CVE-2017-6004

Moderate

pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3)

CVE-2017-7186

Moderate

pcre: Invalid Unicode property lookup (8.41/7, 10.24/2)

CVE-2017-7244

Low

pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)

CVE-2017-7245

Low

pcre: stack-based buffer overflow write in pcre32_copy_substring

CVE-2017-7246

Low

pcre: stack-based buffer overflow write in pcre32_copy_substring

CVE-2017-1000254

Moderate

curl: FTP PWD response parser out of bounds read

CVE-2017-1000257

Moderate

curl: IMAP FETCH response out of bounds read

CVE-2018-0500

Moderate

curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP

Chapter 4. Resolved issues

See the JBoss Developer bug tracking software for a list of the resolved issues for Red Hat JBoss Core Services 2.4.29.

Chapter 5. Known issues

See the JBoss Developer bug tracking software for a list of the known issues for Red Hat JBoss Core Services 2.4.29.

Chapter 6. Upgraded components

This release includes upgraded versions of the following packages:

ComponentVersionOperating Systems

jsvc

1.1.0

All

mod_jk

1.2.43

All

expat

2.2.5

Microsoft Windows and Solaris

nghttp2

1.29.0

All

libxml2

2.9.7

Microsoft Windows and Solaris

openssl

1.0.2.n

All

pcre

8.41

Microsoft Windows and Solaris

curl

7.57.0

Microsoft Windows and Solaris

Chapter 7. Component versions for this release

This release includes the following components:

JBCS ComponentOperating System(s)VersionComment

Apache HTTP Server

All

2.4.29

Web server with libraries and tools

JSVC

All

1.1.0

Also known as Apache Commons Daemons

mod_jk

All

1.2.43

Apache HTTP Server load balancer

ISAPI

Microsoft Windows

1.2.43

Microsoft IIS load balancer

NSAPI

Solaris

1.2.43

Oracle iPlanet load balancer

mod_cluster

All

1.3.8

Apache HTTP Server load balancer

curl

Microsoft Windows, Solaris

7.57.0

HTTP client tool

libapr

All

1.6.3

Apache Portable Runtime

libaprutil

All

1.6.1

Apache Portable Runtime Util

Lua

Microsoft Windows, Solaris

5.1.4

Lua scripting language interpreter

OpenSSL

All

1.0.2n

Crypto libraries and openssl executable tool

LibXML

Microsoft Windows, Solaris

2.9.7

XML processing library and xmllint validator

mod_bmx

All

0.9.6-2.GA

JMX API for monitoring httpd

awk (nawk)

Microsoft Windows

2012.07.14

Text processing interpreter

ModSecurity

All

2.9.1-23.GA

Application layer firewall

nghttp2

All

1.29.0

HTTP/2.0 client/server library

libdb

Microsoft Windows, Solaris

4.8.30

Berkeley DB 4.8.30: (April 9, 2010)

krb5

Solaris

1.9.final

krb and gssapi utils with httpd

pcre

Microsoft Windows, Solaris

8.41

Regular expressions engine

expat

Microsoft Windows, Solaris

2.2.5

XML parser

iconv

Microsoft Windows

1.14

Charset encodings and conversions

zlib

Microsoft Windows, Solaris

1.2.7

Compression library

Legal Notice

Copyright © 2018 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.