-
Language:
English
-
Language:
English
Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Service Pack 3 Release Notes
For Use with the Red Hat JBoss Core Services Apache HTTP Server 2.4.29
Abstract
Preface
Welcome to the Red Hat JBoss Core Services version 2.4.29 Service Pack 3 release.
The purpose of release 2.4.29 Service Pack 3 is to cover an important security issue impacting JBCS 2.4.29.
This service pack for Red Hat JBoss Core Services Apache HTTP Server does NOT support Solaris.
Red Hat JBoss Core Services Apache HTTP Server is an open source web server developed by the Apache Software Foundation. Features of Apache HTTP Server include:
- Implements the current HTTP standards, including HTTP/1.1 and HTTP/2.
- Transport Layer Security (TLS) encryption support though OpenSSL, providing secure connections between the web server and web clients.
- Extendable though modules, some of which are included with the Red Hat JBoss Core Services Apache HTTP Server.
Chapter 1. Installing the Red Hat JBoss Core Services 2.4.29 Service Pack 3
The Apache HTTP Server 2.4.29 Service Pack 3 can be installed using one of the following sections of the installation guide:
For installation instructions for Red Hat Enterprise Linux systems, see:
- For installation instructions for Microsoft Windows systems, see: Installing JBoss Core Services Apache HTTP Server on Microsoft Windows.
Chapter 2. Upgrading to the Red Hat JBoss Core Services Apache HTTP Server 2.4.29
Where a Red Hat JBoss Core Services Apache HTTP Server 2.4.23 or earlier was installed from RPMs packages using yum, the Apache HTTP Server can be upgraded with yum upgrade.
For systems where an earlier version of the Red Hat JBoss Core Services Apache HTTP Server was installed from a .zip archive, upgrading to the Apache HTTP Server 2.4.29 Service Pack 3 requires:
- Installing the Apache HTTP Server 2.4.29.
- Setting up the Apache HTTP Server 2.4.29.
- Removing the earlier version of Apache HTTP Server.
Prerequisites
- Root user access (Red Hat Enterprise Linux)
- Administrative access (Windows Server)
- A system where the Red Hat JBoss Core Services Apache HTTP Server 2.4.23 or earlier was installed from a .zip archive.
Procedure
For systems using the Red Hat JBoss Core Services Apache HTTP Server 2.4.23, the recommended procedure for upgrading to the Apache HTTP Server 2.4.29 is:
- Shutdown any running instances of Red Hat JBoss Core Services Apache HTTP Server 2.4.23.
- Backup the Red Hat JBoss Core Services Apache HTTP Server 2.4.23 installation and configuration files.
- Install the Red Hat JBoss Core Services Apache HTTP Server 2.4.29 using the .zip installation method for the current system (see Additional Resources below).
Migrate your configuration from the Red Hat JBoss Core Services Apache HTTP Server version 2.4.23 to version 2.4.29.
NoteThe Apache HTTP Server configuration files may have changed since the Apache HTTP Server 2.4.23 release. It is recommended that you update the 2.4.29 version configuration files, rather than overwrite them with the configuration files from a different version (such as Apache HTTP Server 2.4.23).
- Remove the Red Hat JBoss Core Services Apache HTTP Server 2.4.23 root directory.
Additional Resources
For installation instructions for Red Hat Enterprise Linux systems, see:
- For installation instructions for Microsoft Windows systems, see: Installing JBoss Core Services Apache HTTP Server on Microsoft Windows.
Chapter 3. Security Fixes
This update includes fixes for the following security related issues:
| ID | Impact | Summary |
|---|---|---|
| Important | HTTP/2: large amount of data requests leads to denial of service | |
| Important | HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption | |
| Important | HTTP/2: 0-length headers lead to denial of service | |
| Important | HTTP/2: request for large response leads to denial of service |
Chapter 4. Resolved issues
The following are non-security issues resolved during this release:
| Issue | Description |
|---|---|
| JBCS-806 | CVE-2019-9513 nghttp2: HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption [jbcs-httpd-2.4.29-sp2-native] |
| JBCS-820 | CVE-2019-9511 nghttp2: HTTP/2: large amount of data request leads to denial of service [jbcs-httpd-2.4.29-sp2-native] |
| JBCS-822 | CVE-2019-9517 mod_http2: HTTP/2: request for large response leads to denial of service [jbcs-httpd-2.4.29-sp2-native] |
| JBCS-824 | CVE-2019-9516 mod_http2: HTTP/2: 0-length headers leads to denial of service [jbcs-httpd-2.4.29-sp2-native] |
| JBCS-828 | Rebase nghttp2 to 1.39.2 |
Chapter 5. Known issues
There are currently no known issues for this release
Chapter 6. Upgraded components
The components upgraded in this release are as follows:
| JBCS Component | Version | Operating System |
|---|---|---|
| nghttp2 | 1.39.2 | All |
