Red Hat Product Errata RHSA-2016:2957 - Security Advisory
Issued: 2016-12-15
Updated: 2016-12-15

Synopsis

Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release

Type/Severity

Security Advisory: Important

Topic

Red Hat JBoss Core Services httpd 2.4.23 is now available from the Red Hat Customer Portal for Solaris and Microsoft Windows systems.

Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release of Red Hat JBoss Core Services httpd 2.4.23 serves as a replacement for JBoss Core Services Apache HTTP Server 2.4.6.

Security Fix(es):

  • This update fixes several flaws in OpenSSL. (CVE-2014-8176, CVE-2015-0209, CVE-2015-0286, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-3216, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2177, CVE-2016-2178, CVE-2016-2842)
  • This update fixes several flaws in libxml2. (CVE-2016-1762, CVE-2016-1833, CVE-2016-1834, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, CVE-2016-1840, CVE-2016-3627, CVE-2016-3705, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449, CVE-2016-4483)
  • This update fixes three flaws in curl. (CVE-2016-5419, CVE-2016-5420, CVE-2016-7141)
  • This update fixes two flaws in httpd. (CVE-2014-3523, CVE-2015-3185)
  • This update fixes two flaws in mod_cluster. (CVE-2016-4459, CVE-2016-8612)
  • A buffer overflow flaw when concatenating virtual host names and URIs was fixed in mod_jk. (CVE-2016-6808)
  • A memory leak flaw was fixed in expat. (CVE-2012-1148)

Red Hat would like to thank the OpenSSL project for reporting CVE-2014-8176, CVE-2015-0286, CVE-2016-2108, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842. The CVE-2016-4459 issue was discovered by Robert Bost (Red Hat). Upstream acknowledges Stephen Henson (OpenSSL development team) as the original reporter of CVE-2015-0286; Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2105, CVE-2016-2106, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842; Juraj Somorovsky as the original reporter of CVE-2016-2107; Yuval Yarom (University of Adelaide and NICTA), Daniel Genkin (Technion and Tel Aviv University), and Nadia Heninger (University of Pennsylvania) as the original reporters of CVE-2016-0702; and Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705.

See the corresponding CVE pages linked to in the References section for more information about each of the flaws listed in this advisory.

Solution

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

After installing the updated packages, the httpd daemon will be restarted automatically.
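The two steps above (back up the installation first, then confirm the updated httpd is what is actually running after the automatic restart) are easy to script. The following POSIX shell helpers are an added example and are not part of this advisory or of the JBoss Core Services distribution; the install path `/opt/jbcs-httpd24-2.4` and the backup directory in the usage comment are assumptions, and the version check accepts 2.4.23 or any later 2.4.x so that it keeps working after subsequent updates.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Backs up a JBoss Core Services httpd
# installation before an update and verifies the httpd version afterwards.
# Paths in the usage comment below are assumptions; adjust to your install.

set -eu

# backup_jbcs_install INSTALL_DIR BACKUP_DIR
# Creates a timestamped tar.gz of INSTALL_DIR (configuration files and
# deployed applications live under it) and prints the archive path.
backup_jbcs_install() {
    install_dir=$1
    backup_dir=$2
    [ -d "$install_dir" ] || { echo "no such directory: $install_dir" >&2; return 1; }
    mkdir -p "$backup_dir"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$backup_dir/jbcs-httpd-backup-$stamp.tar.gz"
    # -C keeps archive paths relative so the backup restores cleanly anywhere
    tar -czf "$archive" -C "$(dirname "$install_dir")" "$(basename "$install_dir")"
    printf '%s\n' "$archive"
}

# httpd_version_from_output "OUTPUT"
# Extracts the Apache version from the first line of `httpd -v` output,
# e.g. "Server version: Apache/2.4.23 (Unix)" gives "2.4.23".
httpd_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# is_updated_version VERSION
# Succeeds when VERSION is 2.4.23 (this advisory's release) or a later 2.4.x.
is_updated_version() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 23 ]
}

# Usage (assumed paths):
#   archive=$(backup_jbcs_install /opt/jbcs-httpd24-2.4 /var/backups/jbcs)
#   # ... apply the update from the References download link ...
#   ver=$(httpd_version_from_output "$(/opt/jbcs-httpd24-2.4/httpd/sbin/httpd -v)")
#   is_updated_version "$ver" && echo "running httpd $ver, at or past this advisory's release"
```

The version check reads the output of the httpd binary that is actually installed rather than a package list, which is the check that matters once the daemon has been restarted automatically by the update.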

Affected Products

  • Red Hat JBoss Core Services Text-Only Advisories x86_64

Fixes

  • BZ - 801648 - CVE-2012-1148 expat: Memory leak in poolGrow
  • BZ - 1121519 - CVE-2014-3523 httpd: WinNT MPM denial of service
  • BZ - 1196737 - CVE-2015-0209 openssl: use-after-free on invalid EC private key import
  • BZ - 1202366 - CVE-2015-0286 openssl: invalid pointer use in ASN1_TYPE_cmp()
  • BZ - 1227574 - CVE-2015-3216 openssl: Crash in ssleay_rand_bytes due to locking regression
  • BZ - 1228611 - CVE-2014-8176 OpenSSL: Invalid free in DTLS
  • BZ - 1243888 - CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4
  • BZ - 1288320 - CVE-2015-3194 OpenSSL: Certificate verify crash with missing PSS parameter
  • BZ - 1288322 - CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak
  • BZ - 1288326 - CVE-2015-3196 OpenSSL: Race condition handling PSK identity hint
  • BZ - 1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code
  • BZ - 1310599 - CVE-2016-0702 OpenSSL: Side channel attack on modular exponentiation
  • BZ - 1311880 - CVE-2016-0797 OpenSSL: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
  • BZ - 1312219 - CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
  • BZ - 1314757 - CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds
  • BZ - 1319829 - CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode
  • BZ - 1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
  • BZ - 1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
  • BZ - 1331426 - CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check
  • BZ - 1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
  • BZ - 1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
  • BZ - 1332443 - CVE-2016-3705 libxml2: stack overflow before detecting invalid XML file
  • BZ - 1332820 - CVE-2016-4483 libxml2: out-of-bounds read
  • BZ - 1338682 - CVE-2016-1833 libxml2: Heap-based buffer overread in htmlCurrentChar
  • BZ - 1338686 - CVE-2016-4447 libxml2: Heap-based buffer underreads due to xmlParseName
  • BZ - 1338691 - CVE-2016-1835 libxml2: Heap use-after-free in xmlSAX2AttributeNs
  • BZ - 1338696 - CVE-2016-1837 libxml2: Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemLiteral
  • BZ - 1338700 - CVE-2016-4448 libxml2: Format string vulnerability
  • BZ - 1338701 - CVE-2016-4449 libxml2: Inappropriate fetch of entities content
  • BZ - 1338702 - CVE-2016-1836 libxml2: Heap use-after-free in xmlDictComputeFastKey
  • BZ - 1338703 - CVE-2016-1839 libxml2: Heap-based buffer overread in xmlDictAddString
  • BZ - 1338705 - CVE-2016-1838 libxml2: Heap-based buffer overread in xmlParserPrintFileContextInternal
  • BZ - 1338706 - CVE-2016-1840 libxml2: Heap-buffer-overflow in xmlFAParserPosCharGroup
  • BZ - 1338708 - CVE-2016-1834 libxml2: Heap-buffer-overflow in xmlStrncat
  • BZ - 1338711 - CVE-2016-1762 libxml2: Heap-based buffer-overread in xmlNextChar
  • BZ - 1341583 - CVE-2016-4459 mod_cluster: Buffer overflow in mod_manager when sending request with long JVMRoute
  • BZ - 1341705 - CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
  • BZ - 1343400 - CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation
  • BZ - 1362183 - CVE-2016-5419 curl: TLS session resumption client cert bypass
  • BZ - 1362190 - CVE-2016-5420 curl: Re-using connection with wrong client cert
  • BZ - 1373229 - CVE-2016-7141 curl: Incorrect reuse of client certificates
  • BZ - 1382352 - CVE-2016-6808 mod_jk: Buffer overflow when concatenating virtual host name and URI
  • BZ - 1387605 - CVE-2016-8612 JBCS mod_cluster: Protocol parsing logic error

CVEs

  • CVE-2012-0876
  • CVE-2012-1148
  • CVE-2014-3523
  • CVE-2014-8176
  • CVE-2015-0209
  • CVE-2015-0286
  • CVE-2015-3185
  • CVE-2015-3194
  • CVE-2015-3195
  • CVE-2015-3196
  • CVE-2015-3216
  • CVE-2016-0702
  • CVE-2016-0705
  • CVE-2016-0797
  • CVE-2016-0799
  • CVE-2016-1762
  • CVE-2016-1833
  • CVE-2016-1834
  • CVE-2016-1835
  • CVE-2016-1836
  • CVE-2016-1837
  • CVE-2016-1838
  • CVE-2016-1839
  • CVE-2016-1840
  • CVE-2016-2105
  • CVE-2016-2106
  • CVE-2016-2107
  • CVE-2016-2108
  • CVE-2016-2109
  • CVE-2016-2177
  • CVE-2016-2178
  • CVE-2016-2842
  • CVE-2016-3627
  • CVE-2016-3705
  • CVE-2016-4447
  • CVE-2016-4448
  • CVE-2016-4449
  • CVE-2016-4459
  • CVE-2016-4483
  • CVE-2016-5419
  • CVE-2016-5420
  • CVE-2016-6808
  • CVE-2016-7141
  • CVE-2016-8612

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=distributions&version=2.4.23
  • https://access.redhat.com/documentation/en/red-hat-jboss-core-services-apache-http-server/version-2.4.23/apache-http-server-2423-release-notes/

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
