- Issued:
- 2016-07-18
- Updated:
- 2016-07-18
RHSA-2016:1420 - Security Advisory
Synopsis
Important: httpd24-httpd security update
Type/Severity
Security Advisory: Important
Topic
An update for httpd24-httpd is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
- It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)
Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.
- A flaw was found in the way httpd performed client authentication using X.509 client certificates. When the HTTP/2 protocol was enabled, a remote attacker could use this flaw to access resources protected by certificate authentication without providing a valid client certificate. (CVE-2016-4979)
Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5387 and Apache Software Foundation for reporting CVE-2016-4979. Upstream acknowledges Erki Aring (Liewenthal Electronics Ltd) as the original reporter of CVE-2016-4979.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.2 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.1 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.6 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
Fixes
- BZ - 1352476 - CVE-2016-4979 httpd: X509 client certificate authentication bypass using HTTP/2
- BZ - 1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
CVEs
References
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4
| SRPM | |
|---|---|
| httpd24-httpd-2.4.18-11.el7.src.rpm | SHA-256: 96f731691b965059798a46f43612d3c5fdbbbfba47c468461ea34f0b0ab4adf6 |
| x86_64 | |
| httpd24-httpd-2.4.18-11.el7.x86_64.rpm | SHA-256: 6608d3990c1c79f9219a5bebe7440d012aed55d925131351ddc7087fed2e1d87 |
| httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm | SHA-256: 2251a7270858dbc5edccdda0b080f773cdb938adc646ed0537b8e264651ebabb |
| httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm | SHA-256: 938a96bd3553008ed9511e6adad9988ccb08910988e61e1f12bbc3cfc47a41b2 |
| httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm | SHA-256: 1c6a5d57fc55c9588ba1c1e424d58a6b03b34aad1386b99442c5b58225f88ec7 |
| httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm | SHA-256: 90046a3582889ed0143a374b547c03c45c35040c6fc526cea2a536fd74b36e92 |
| httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm | SHA-256: 78d7e8d66b4f49f4f57d109dd559121680badeb6f60f21ee948e3cdef498ea5a |
| httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm | SHA-256: 8d66b8d8e1384a3e93cc47a0284d42b109e624a92fd816d1e6667ca0544b70c7 |
| httpd24-mod_session-2.4.18-11.el7.x86_64.rpm | SHA-256: e6c877ad9ce000cc514f93792b9930813abbb5884a742cf038f7d1a471151ec8 |
| httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm | SHA-256: c24d9a4f2a2d249b4224813832bcc3e48cb2061c9b1d6a2eb6b2d91516276926 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3
| SRPM | |
|---|---|
| httpd24-httpd-2.4.18-11.el7.src.rpm | SHA-256: 96f731691b965059798a46f43612d3c5fdbbbfba47c468461ea34f0b0ab4adf6 |
| x86_64 | |
| httpd24-httpd-2.4.18-11.el7.x86_64.rpm | SHA-256: 6608d3990c1c79f9219a5bebe7440d012aed55d925131351ddc7087fed2e1d87 |
| httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm | SHA-256: 2251a7270858dbc5edccdda0b080f773cdb938adc646ed0537b8e264651ebabb |
| httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm | SHA-256: 938a96bd3553008ed9511e6adad9988ccb08910988e61e1f12bbc3cfc47a41b2 |
| httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm | SHA-256: 1c6a5d57fc55c9588ba1c1e424d58a6b03b34aad1386b99442c5b58225f88ec7 |
| httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm | SHA-256: 90046a3582889ed0143a374b547c03c45c35040c6fc526cea2a536fd74b36e92 |
| httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm | SHA-256: 78d7e8d66b4f49f4f57d109dd559121680badeb6f60f21ee948e3cdef498ea5a |
| httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm | SHA-256: 8d66b8d8e1384a3e93cc47a0284d42b109e624a92fd816d1e6667ca0544b70c7 |
| httpd24-mod_session-2.4.18-11.el7.x86_64.rpm | SHA-256: e6c877ad9ce000cc514f93792b9930813abbb5884a742cf038f7d1a471151ec8 |
| httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm | SHA-256: c24d9a4f2a2d249b4224813832bcc3e48cb2061c9b1d6a2eb6b2d91516276926 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.2
| SRPM | |
|---|---|
| httpd24-httpd-2.4.18-11.el7.src.rpm | SHA-256: 96f731691b965059798a46f43612d3c5fdbbbfba47c468461ea34f0b0ab4adf6 |
| x86_64 | |
| httpd24-httpd-2.4.18-11.el7.x86_64.rpm | SHA-256: 6608d3990c1c79f9219a5bebe7440d012aed55d925131351ddc7087fed2e1d87 |
| httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm | SHA-256: 2251a7270858dbc5edccdda0b080f773cdb938adc646ed0537b8e264651ebabb |
| httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm | SHA-256: 938a96bd3553008ed9511e6adad9988ccb08910988e61e1f12bbc3cfc47a41b2 |
| httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm | SHA-256: 1c6a5d57fc55c9588ba1c1e424d58a6b03b34aad1386b99442c5b58225f88ec7 |
| httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm | SHA-256: 90046a3582889ed0143a374b547c03c45c35040c6fc526cea2a536fd74b36e92 |
| httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm | SHA-256: 78d7e8d66b4f49f4f57d109dd559121680badeb6f60f21ee948e3cdef498ea5a |
| httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm | SHA-256: 8d66b8d8e1384a3e93cc47a0284d42b109e624a92fd816d1e6667ca0544b70c7 |
| httpd24-mod_session-2.4.18-11.el7.x86_64.rpm | SHA-256: e6c877ad9ce000cc514f93792b9930813abbb5884a742cf038f7d1a471151ec8 |
| httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm | SHA-256: c24d9a4f2a2d249b4224813832bcc3e48cb2061c9b1d6a2eb6b2d91516276926 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.1
| SRPM | |
|---|---|
| httpd24-httpd-2.4.18-11.el7.src.rpm | SHA-256: 96f731691b965059798a46f43612d3c5fdbbbfba47c468461ea34f0b0ab4adf6 |
| x86_64 | |
| httpd24-httpd-2.4.18-11.el7.x86_64.rpm | SHA-256: 6608d3990c1c79f9219a5bebe7440d012aed55d925131351ddc7087fed2e1d87 |
| httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm | SHA-256: 2251a7270858dbc5edccdda0b080f773cdb938adc646ed0537b8e264651ebabb |
| httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm | SHA-256: 938a96bd3553008ed9511e6adad9988ccb08910988e61e1f12bbc3cfc47a41b2 |
| httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm | SHA-256: 1c6a5d57fc55c9588ba1c1e424d58a6b03b34aad1386b99442c5b58225f88ec7 |
| httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm | SHA-256: 90046a3582889ed0143a374b547c03c45c35040c6fc526cea2a536fd74b36e92 |
| httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm | SHA-256: 78d7e8d66b4f49f4f57d109dd559121680badeb6f60f21ee948e3cdef498ea5a |
| httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm | SHA-256: 8d66b8d8e1384a3e93cc47a0284d42b109e624a92fd816d1e6667ca0544b70c7 |
| httpd24-mod_session-2.4.18-11.el7.x86_64.rpm | SHA-256: e6c877ad9ce000cc514f93792b9930813abbb5884a742cf038f7d1a471151ec8 |
| httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm | SHA-256: c24d9a4f2a2d249b4224813832bcc3e48cb2061c9b1d6a2eb6b2d91516276926 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
| SRPM | |
|---|---|
| httpd24-httpd-2.4.18-11.el7.src.rpm | SHA-256: 96f731691b965059798a46f43612d3c5fdbbbfba47c468461ea34f0b0ab4adf6 |
| x86_64 | |
| httpd24-httpd-2.4.18-11.el7.x86_64.rpm | SHA-256: 6608d3990c1c79f9219a5bebe7440d012aed55d925131351ddc7087fed2e1d87 |
| httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm | SHA-256: 2251a7270858dbc5edccdda0b080f773cdb938adc646ed0537b8e264651ebabb |
| httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm | SHA-256: 938a96bd3553008ed9511e6adad9988ccb08910988e61e1f12bbc3cfc47a41b2 |
| httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm | SHA-256: 1c6a5d57fc55c9588ba1c1e424d58a6b03b34aad1386b99442c5b58225f88ec7 |
| httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm | SHA-256: 90046a3582889ed0143a374b547c03c45c35040c6fc526cea2a536fd74b36e92 |
| httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm | SHA-256: 78d7e8d66b4f49f4f57d109dd559121680badeb6f60f21ee948e3cdef498ea5a |
| httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm | SHA-256: 8d66b8d8e1384a3e93cc47a0284d42b109e624a92fd816d1e6667ca0544b70c7 |
| httpd24-mod_session-2.4.18-11.el7.x86_64.rpm | SHA-256: e6c877ad9ce000cc514f93792b9930813abbb5884a742cf038f7d1a471151ec8 |
| httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm | SHA-256: c24d9a4f2a2d249b4224813832bcc3e48cb2061c9b1d6a2eb6b2d91516276926 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7
| SRPM | |
|---|---|
| httpd24-httpd-2.4.18-11.el6.src.rpm | SHA-256: 620e3d51ab30f6f7bb72e154146c37ad0a389246124a0e4f312a06ec29b3983d |
| x86_64 | |
| httpd24-httpd-2.4.18-11.el6.x86_64.rpm | SHA-256: 8fb1a00ddac3e908ab0c6f9c6665d08e6ef59ada7e9f5d5c6855bc4107ee9a77 |
| httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm | SHA-256: 20824356af0ee4e76c2d89567081129d91492e824a884402add7ce95f67a2d15 |
| httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm | SHA-256: 0413df177ac391ad1769e43d7deac8cda0c2642339208c864d64aeb5a6389f97 |
| httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm | SHA-256: 4a5483f91c4c90b7c9752356c1dfc8032624c18b969bac8cefc42a0811af361c |
| httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm | SHA-256: bb063e37ce8bb6aaabeb4d86566be1dc3057f40a8b471adb7973680de117505a |
| httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm | SHA-256: c46a19feb86cff7eff50522493bac75d9d57875007c54bc68b8193f040af8873 |
| httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm | SHA-256: 5302a4d32976f72c483ebc6b9924f5b14e8f734e85202b0edd3330bcae012c05 |
| httpd24-mod_session-2.4.18-11.el6.x86_64.rpm | SHA-256: 21e7e76af00d98d53aa513202e1a011f703841b1c4f220ca5bcc3768e5141471 |
| httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm | SHA-256: 1447f55251a3ed7f832c540daf95f6ef350da186cb0f0f3002d1b9dc7df878b6 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.6
| SRPM | |
|---|---|
| httpd24-httpd-2.4.18-11.el6.src.rpm | SHA-256: 620e3d51ab30f6f7bb72e154146c37ad0a389246124a0e4f312a06ec29b3983d |
| x86_64 | |
| httpd24-httpd-2.4.18-11.el6.x86_64.rpm | SHA-256: 8fb1a00ddac3e908ab0c6f9c6665d08e6ef59ada7e9f5d5c6855bc4107ee9a77 |
| httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm | SHA-256: 20824356af0ee4e76c2d89567081129d91492e824a884402add7ce95f67a2d15 |
| httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm | SHA-256: 0413df177ac391ad1769e43d7deac8cda0c2642339208c864d64aeb5a6389f97 |
| httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm | SHA-256: 4a5483f91c4c90b7c9752356c1dfc8032624c18b969bac8cefc42a0811af361c |
| httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm | SHA-256: bb063e37ce8bb6aaabeb4d86566be1dc3057f40a8b471adb7973680de117505a |
| httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm | SHA-256: c46a19feb86cff7eff50522493bac75d9d57875007c54bc68b8193f040af8873 |
| httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm | SHA-256: 5302a4d32976f72c483ebc6b9924f5b14e8f734e85202b0edd3330bcae012c05 |
| httpd24-mod_session-2.4.18-11.el6.x86_64.rpm | SHA-256: 21e7e76af00d98d53aa513202e1a011f703841b1c4f220ca5bcc3768e5141471 |
| httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm | SHA-256: 1447f55251a3ed7f832c540daf95f6ef350da186cb0f0f3002d1b9dc7df878b6 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6
| SRPM | |
|---|---|
| httpd24-httpd-2.4.18-11.el6.src.rpm | SHA-256: 620e3d51ab30f6f7bb72e154146c37ad0a389246124a0e4f312a06ec29b3983d |
| x86_64 | |
| httpd24-httpd-2.4.18-11.el6.x86_64.rpm | SHA-256: 8fb1a00ddac3e908ab0c6f9c6665d08e6ef59ada7e9f5d5c6855bc4107ee9a77 |
| httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm | SHA-256: 20824356af0ee4e76c2d89567081129d91492e824a884402add7ce95f67a2d15 |
| httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm | SHA-256: 0413df177ac391ad1769e43d7deac8cda0c2642339208c864d64aeb5a6389f97 |
| httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm | SHA-256: 4a5483f91c4c90b7c9752356c1dfc8032624c18b969bac8cefc42a0811af361c |
| httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm | SHA-256: bb063e37ce8bb6aaabeb4d86566be1dc3057f40a8b471adb7973680de117505a |
| httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm | SHA-256: c46a19feb86cff7eff50522493bac75d9d57875007c54bc68b8193f040af8873 |
| httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm | SHA-256: 5302a4d32976f72c483ebc6b9924f5b14e8f734e85202b0edd3330bcae012c05 |
| httpd24-mod_session-2.4.18-11.el6.x86_64.rpm | SHA-256: 21e7e76af00d98d53aa513202e1a011f703841b1c4f220ca5bcc3768e5141471 |
| httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm | SHA-256: 1447f55251a3ed7f832c540daf95f6ef350da186cb0f0f3002d1b9dc7df878b6 |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
| SRPM | |
|---|---|
| httpd24-httpd-2.4.18-11.el7.src.rpm | SHA-256: 96f731691b965059798a46f43612d3c5fdbbbfba47c468461ea34f0b0ab4adf6 |
| x86_64 | |
| httpd24-httpd-2.4.18-11.el7.x86_64.rpm | SHA-256: 6608d3990c1c79f9219a5bebe7440d012aed55d925131351ddc7087fed2e1d87 |
| httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm | SHA-256: 2251a7270858dbc5edccdda0b080f773cdb938adc646ed0537b8e264651ebabb |
| httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm | SHA-256: 938a96bd3553008ed9511e6adad9988ccb08910988e61e1f12bbc3cfc47a41b2 |
| httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm | SHA-256: 1c6a5d57fc55c9588ba1c1e424d58a6b03b34aad1386b99442c5b58225f88ec7 |
| httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm | SHA-256: 90046a3582889ed0143a374b547c03c45c35040c6fc526cea2a536fd74b36e92 |
| httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm | SHA-256: 78d7e8d66b4f49f4f57d109dd559121680badeb6f60f21ee948e3cdef498ea5a |
| httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm | SHA-256: 8d66b8d8e1384a3e93cc47a0284d42b109e624a92fd816d1e6667ca0544b70c7 |
| httpd24-mod_session-2.4.18-11.el7.x86_64.rpm | SHA-256: e6c877ad9ce000cc514f93792b9930813abbb5884a742cf038f7d1a471151ec8 |
| httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm | SHA-256: c24d9a4f2a2d249b4224813832bcc3e48cb2061c9b1d6a2eb6b2d91516276926 |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6
| SRPM | |
|---|---|
| httpd24-httpd-2.4.18-11.el6.src.rpm | SHA-256: 620e3d51ab30f6f7bb72e154146c37ad0a389246124a0e4f312a06ec29b3983d |
| x86_64 | |
| httpd24-httpd-2.4.18-11.el6.x86_64.rpm | SHA-256: 8fb1a00ddac3e908ab0c6f9c6665d08e6ef59ada7e9f5d5c6855bc4107ee9a77 |
| httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm | SHA-256: 20824356af0ee4e76c2d89567081129d91492e824a884402add7ce95f67a2d15 |
| httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm | SHA-256: 0413df177ac391ad1769e43d7deac8cda0c2642339208c864d64aeb5a6389f97 |
| httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm | SHA-256: 4a5483f91c4c90b7c9752356c1dfc8032624c18b969bac8cefc42a0811af361c |
| httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm | SHA-256: bb063e37ce8bb6aaabeb4d86566be1dc3057f40a8b471adb7973680de117505a |
| httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm | SHA-256: c46a19feb86cff7eff50522493bac75d9d57875007c54bc68b8193f040af8873 |
| httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm | SHA-256: 5302a4d32976f72c483ebc6b9924f5b14e8f734e85202b0edd3330bcae012c05 |
| httpd24-mod_session-2.4.18-11.el6.x86_64.rpm | SHA-256: 21e7e76af00d98d53aa513202e1a011f703841b1c4f220ca5bcc3768e5141471 |
| httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm | SHA-256: 1447f55251a3ed7f832c540daf95f6ef350da186cb0f0f3002d1b9dc7df878b6 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.