- Issued:
- 2017-08-15
- Updated:
- 2017-08-15
RHSA-2017:2478 - Security Advisory
Synopsis
Important: httpd security update
Type/Severity
Security Advisory: Important
Topic
An update for httpd is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
- It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
- It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167)
- A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)
- A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
Affected Products
- Red Hat Enterprise Linux Server 6 x86_64
- Red Hat Enterprise Linux Server 6 i386
- Red Hat Enterprise Linux Workstation 6 x86_64
- Red Hat Enterprise Linux Workstation 6 i386
- Red Hat Enterprise Linux Desktop 6 x86_64
- Red Hat Enterprise Linux Desktop 6 i386
- Red Hat Enterprise Linux for IBM z Systems 6 s390x
- Red Hat Enterprise Linux for Power, big endian 6 ppc64
- Red Hat Enterprise Linux for Scientific Computing 6 x86_64
Fixes
- BZ - 1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
- BZ - 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
- BZ - 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
- BZ - 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
CVEs
References
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Enterprise Linux Server 6
| SRPM | |
|---|---|
| httpd-2.2.15-60.el6_9.5.src.rpm | SHA-256: 624923154c7b57ac73c69492f8e98935a48f205a8442ffcca89dce69eb4d8ebf |
| x86_64 | |
| httpd-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: 9aeedda5f14c3e4d7b8d997839c4491c5c11e9a29c03aab30dffb4dbdee65bfb |
| httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 2768b8e4067b70e45a4a1c3d8d810ccfc15a7a5fb06a6503ca288a42c78d386a |
| httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: a7f6c0c47aae028c90c700d70b1b61b39352465a87dff1187cf73beaf2c8ceea |
| httpd-devel-2.2.15-60.el6_9.5.i686.rpm | SHA-256: ccc525895e48a053373ba46faf1986eaac5cd7da955b45874f21ab6f89c08a72 |
| httpd-devel-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: bfe95025aba8ffb07c8983f12daa141969973e27a55fa748c566853f5ac25a8f |
| httpd-manual-2.2.15-60.el6_9.5.noarch.rpm | SHA-256: cf663fa513cd9f1b57c10e9c83c681f2f6b1e1eff1e133f78ea2e7912a21fe48 |
| httpd-tools-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: cbb32bbacc24ad24bdeb8ca90ee42f361120bd65d44e8a4b1f15dae804908b38 |
| mod_ssl-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: 9f17522dda5b8dfeb79e45591e6e627f43ea3d58c5610f86131fab131f1a93cd |
| i386 | |
| httpd-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 85fe2b4fcf5f1d698b73bc0587d5faa12d26be8abd510d6bea354fce2a018059 |
| httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 2768b8e4067b70e45a4a1c3d8d810ccfc15a7a5fb06a6503ca288a42c78d386a |
| httpd-devel-2.2.15-60.el6_9.5.i686.rpm | SHA-256: ccc525895e48a053373ba46faf1986eaac5cd7da955b45874f21ab6f89c08a72 |
| httpd-manual-2.2.15-60.el6_9.5.noarch.rpm | SHA-256: cf663fa513cd9f1b57c10e9c83c681f2f6b1e1eff1e133f78ea2e7912a21fe48 |
| httpd-tools-2.2.15-60.el6_9.5.i686.rpm | SHA-256: b223fcb40ae17d84568ab4e5e1638c7a5445391575c166f072570d9e532a130c |
| mod_ssl-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 5346d920a7fecdd223d894335d6bf073678f99a995fc8d59ae2317a18a7ae5b9 |
Red Hat Enterprise Linux Workstation 6
| SRPM | |
|---|---|
| httpd-2.2.15-60.el6_9.5.src.rpm | SHA-256: 624923154c7b57ac73c69492f8e98935a48f205a8442ffcca89dce69eb4d8ebf |
| x86_64 | |
| httpd-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: 9aeedda5f14c3e4d7b8d997839c4491c5c11e9a29c03aab30dffb4dbdee65bfb |
| httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 2768b8e4067b70e45a4a1c3d8d810ccfc15a7a5fb06a6503ca288a42c78d386a |
| httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: a7f6c0c47aae028c90c700d70b1b61b39352465a87dff1187cf73beaf2c8ceea |
| httpd-devel-2.2.15-60.el6_9.5.i686.rpm | SHA-256: ccc525895e48a053373ba46faf1986eaac5cd7da955b45874f21ab6f89c08a72 |
| httpd-devel-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: bfe95025aba8ffb07c8983f12daa141969973e27a55fa748c566853f5ac25a8f |
| httpd-manual-2.2.15-60.el6_9.5.noarch.rpm | SHA-256: cf663fa513cd9f1b57c10e9c83c681f2f6b1e1eff1e133f78ea2e7912a21fe48 |
| httpd-tools-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: cbb32bbacc24ad24bdeb8ca90ee42f361120bd65d44e8a4b1f15dae804908b38 |
| mod_ssl-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: 9f17522dda5b8dfeb79e45591e6e627f43ea3d58c5610f86131fab131f1a93cd |
| i386 | |
| httpd-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 85fe2b4fcf5f1d698b73bc0587d5faa12d26be8abd510d6bea354fce2a018059 |
| httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 2768b8e4067b70e45a4a1c3d8d810ccfc15a7a5fb06a6503ca288a42c78d386a |
| httpd-devel-2.2.15-60.el6_9.5.i686.rpm | SHA-256: ccc525895e48a053373ba46faf1986eaac5cd7da955b45874f21ab6f89c08a72 |
| httpd-manual-2.2.15-60.el6_9.5.noarch.rpm | SHA-256: cf663fa513cd9f1b57c10e9c83c681f2f6b1e1eff1e133f78ea2e7912a21fe48 |
| httpd-tools-2.2.15-60.el6_9.5.i686.rpm | SHA-256: b223fcb40ae17d84568ab4e5e1638c7a5445391575c166f072570d9e532a130c |
| mod_ssl-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 5346d920a7fecdd223d894335d6bf073678f99a995fc8d59ae2317a18a7ae5b9 |
Red Hat Enterprise Linux Desktop 6
| SRPM | |
|---|---|
| httpd-2.2.15-60.el6_9.5.src.rpm | SHA-256: 624923154c7b57ac73c69492f8e98935a48f205a8442ffcca89dce69eb4d8ebf |
| x86_64 | |
| httpd-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: 9aeedda5f14c3e4d7b8d997839c4491c5c11e9a29c03aab30dffb4dbdee65bfb |
| httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 2768b8e4067b70e45a4a1c3d8d810ccfc15a7a5fb06a6503ca288a42c78d386a |
| httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: a7f6c0c47aae028c90c700d70b1b61b39352465a87dff1187cf73beaf2c8ceea |
| httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: a7f6c0c47aae028c90c700d70b1b61b39352465a87dff1187cf73beaf2c8ceea |
| httpd-devel-2.2.15-60.el6_9.5.i686.rpm | SHA-256: ccc525895e48a053373ba46faf1986eaac5cd7da955b45874f21ab6f89c08a72 |
| httpd-devel-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: bfe95025aba8ffb07c8983f12daa141969973e27a55fa748c566853f5ac25a8f |
| httpd-manual-2.2.15-60.el6_9.5.noarch.rpm | SHA-256: cf663fa513cd9f1b57c10e9c83c681f2f6b1e1eff1e133f78ea2e7912a21fe48 |
| httpd-tools-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: cbb32bbacc24ad24bdeb8ca90ee42f361120bd65d44e8a4b1f15dae804908b38 |
| mod_ssl-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: 9f17522dda5b8dfeb79e45591e6e627f43ea3d58c5610f86131fab131f1a93cd |
| i386 | |
| httpd-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 85fe2b4fcf5f1d698b73bc0587d5faa12d26be8abd510d6bea354fce2a018059 |
| httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 2768b8e4067b70e45a4a1c3d8d810ccfc15a7a5fb06a6503ca288a42c78d386a |
| httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 2768b8e4067b70e45a4a1c3d8d810ccfc15a7a5fb06a6503ca288a42c78d386a |
| httpd-devel-2.2.15-60.el6_9.5.i686.rpm | SHA-256: ccc525895e48a053373ba46faf1986eaac5cd7da955b45874f21ab6f89c08a72 |
| httpd-manual-2.2.15-60.el6_9.5.noarch.rpm | SHA-256: cf663fa513cd9f1b57c10e9c83c681f2f6b1e1eff1e133f78ea2e7912a21fe48 |
| httpd-tools-2.2.15-60.el6_9.5.i686.rpm | SHA-256: b223fcb40ae17d84568ab4e5e1638c7a5445391575c166f072570d9e532a130c |
| mod_ssl-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 5346d920a7fecdd223d894335d6bf073678f99a995fc8d59ae2317a18a7ae5b9 |
Red Hat Enterprise Linux for IBM z Systems 6
| SRPM | |
|---|---|
| httpd-2.2.15-60.el6_9.5.src.rpm | SHA-256: 624923154c7b57ac73c69492f8e98935a48f205a8442ffcca89dce69eb4d8ebf |
| s390x | |
| httpd-2.2.15-60.el6_9.5.s390x.rpm | SHA-256: 0075a032ca6a8653ae30b520ebb24645151c73881046165343ad6cfda62ba3ac |
| httpd-debuginfo-2.2.15-60.el6_9.5.s390.rpm | SHA-256: 3fa18a4a89990b4bebb324032ae0d66deb17c9de5d1501e9a5d0243c0d3fadc8 |
| httpd-debuginfo-2.2.15-60.el6_9.5.s390x.rpm | SHA-256: b2c87a17d9b16adbab71bff66f150437ee96a386533336ecfec6ab159fe370d3 |
| httpd-devel-2.2.15-60.el6_9.5.s390.rpm | SHA-256: 2727475c1d92540ec7d82e4b3d1cffc42badf53435a816740831625ba35cfef4 |
| httpd-devel-2.2.15-60.el6_9.5.s390x.rpm | SHA-256: 20537cb5094a29a31bbcdc6afe9fa31eb20e677769efcb172ae46f42ef1226a7 |
| httpd-manual-2.2.15-60.el6_9.5.noarch.rpm | SHA-256: cf663fa513cd9f1b57c10e9c83c681f2f6b1e1eff1e133f78ea2e7912a21fe48 |
| httpd-tools-2.2.15-60.el6_9.5.s390x.rpm | SHA-256: bd9d79a5813881aa9132a5173da554df047ccfdd544290d9d7b96da29faf1453 |
| mod_ssl-2.2.15-60.el6_9.5.s390x.rpm | SHA-256: 6928f51cf888ef13e19bc98c4f8694425704f9cb2e8e6141814b68577df8ee2e |
Red Hat Enterprise Linux for Power, big endian 6
| SRPM | |
|---|---|
| httpd-2.2.15-60.el6_9.5.src.rpm | SHA-256: 624923154c7b57ac73c69492f8e98935a48f205a8442ffcca89dce69eb4d8ebf |
| ppc64 | |
| httpd-2.2.15-60.el6_9.5.ppc64.rpm | SHA-256: 4cf5eb3271ca68c2e513ed6166da408ed4de379295d1f15e5dd8ece39be3e907 |
| httpd-debuginfo-2.2.15-60.el6_9.5.ppc.rpm | SHA-256: 3ee669656eb3468a8d35f8f47679f5e9f2ef1dc7f00807e291ab4576e953ad6e |
| httpd-debuginfo-2.2.15-60.el6_9.5.ppc64.rpm | SHA-256: 0dfff869545e32d93e8e2c6ab6cb38e587966de89891cf137fa3914e41af8f9b |
| httpd-devel-2.2.15-60.el6_9.5.ppc.rpm | SHA-256: f4c76f442f7381f220865b9c64439b4ff6e51826d42f2f3cf28e4dfe8145851f |
| httpd-devel-2.2.15-60.el6_9.5.ppc64.rpm | SHA-256: f92dad79f340d660c6f42555ef0077476cb63dba98df3f6fd48769866482fca2 |
| httpd-manual-2.2.15-60.el6_9.5.noarch.rpm | SHA-256: cf663fa513cd9f1b57c10e9c83c681f2f6b1e1eff1e133f78ea2e7912a21fe48 |
| httpd-tools-2.2.15-60.el6_9.5.ppc64.rpm | SHA-256: 0504ae57e6791e6b605611d8bec53830428fd6bc6b23a7a646b87295dd2cded4 |
| mod_ssl-2.2.15-60.el6_9.5.ppc64.rpm | SHA-256: fadf97879ed3c3eb89545e0c48434d2d354f9d9727bf93980f82a8777146bc8d |
Red Hat Enterprise Linux for Scientific Computing 6
| SRPM | |
|---|---|
| httpd-2.2.15-60.el6_9.5.src.rpm | SHA-256: 624923154c7b57ac73c69492f8e98935a48f205a8442ffcca89dce69eb4d8ebf |
| x86_64 | |
| httpd-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: 9aeedda5f14c3e4d7b8d997839c4491c5c11e9a29c03aab30dffb4dbdee65bfb |
| httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm | SHA-256: 2768b8e4067b70e45a4a1c3d8d810ccfc15a7a5fb06a6503ca288a42c78d386a |
| httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: a7f6c0c47aae028c90c700d70b1b61b39352465a87dff1187cf73beaf2c8ceea |
| httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: a7f6c0c47aae028c90c700d70b1b61b39352465a87dff1187cf73beaf2c8ceea |
| httpd-devel-2.2.15-60.el6_9.5.i686.rpm | SHA-256: ccc525895e48a053373ba46faf1986eaac5cd7da955b45874f21ab6f89c08a72 |
| httpd-devel-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: bfe95025aba8ffb07c8983f12daa141969973e27a55fa748c566853f5ac25a8f |
| httpd-manual-2.2.15-60.el6_9.5.noarch.rpm | SHA-256: cf663fa513cd9f1b57c10e9c83c681f2f6b1e1eff1e133f78ea2e7912a21fe48 |
| httpd-tools-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: cbb32bbacc24ad24bdeb8ca90ee42f361120bd65d44e8a4b1f15dae804908b38 |
| mod_ssl-2.2.15-60.el6_9.5.x86_64.rpm | SHA-256: 9f17522dda5b8dfeb79e45591e6e627f43ea3d58c5610f86131fab131f1a93cd |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.