- Issued:
- 2017-08-16
- Updated:
- 2017-08-16
RHSA-2017:2483 - Security Advisory
Synopsis
Important: httpd24-httpd security update
Type/Severity
Security Advisory: Important
Topic
An update for httpd24-httpd is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
- It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
- It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167)
- A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)
- A NULL pointer dereference flaw was found in the mod_http2 module of httpd. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP/2 request. (CVE-2017-7659)
- A buffer over-read flaw was found in the httpd's ap_find_token() function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request. (CVE-2017-7668)
- A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
Fixes
- BZ - 1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
- BZ - 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
- BZ - 1463199 - CVE-2017-7659 httpd: mod_http2 NULL pointer dereference
- BZ - 1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread
- BZ - 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
- BZ - 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
CVEs
References
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5
| SRPM | |
|---|---|
| httpd24-httpd-2.4.25-9.el7.1.src.rpm | SHA-256: f310766baec421c64ca07eef2b7b64b4753438e77be88d41c1e95fa4c65bb92d |
| x86_64 | |
| httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 8e301cef50dcc2501f8f86ec4cdd814d94bef0114a5231b5c314dddf16390b86 |
| httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm | SHA-256: d4b6fe73f60f93fe2eeb3a9194c022e4dbd3e8639e9419b85351f4ba0957dfec |
| httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 2364f4b0716157f4ea69036dc571467576867c155932163c0f0ae0c5d60f4f58 |
| httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm | SHA-256: 1f91f6068a7c491bdb281549753763219d18072750ababcdee4a8f6e853ea28f |
| httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 461e7e3ebb31a28a1d7633f62f2058ae9ad17492d2fb2f5ca5722906aeeb30d0 |
| httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 6b58e1c72cc1e86ce113ef1574e8999c57a9723b457f22f873f4500716f3332d |
| httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 82ac8decf4ec1080d917114a79db25f1c8cb632bfbb4875654b69c60af6e9a93 |
| httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm | SHA-256: d1b2b919249725a0c9854c40f20d582310eec548153b13bc7efc9171a41ef18e |
| httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 7fa415a3acf9edb98b7f209e6bd33a8959fbe614b722bcc09d233e5c3214ede0 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4
| SRPM | |
|---|---|
| httpd24-httpd-2.4.25-9.el7.1.src.rpm | SHA-256: f310766baec421c64ca07eef2b7b64b4753438e77be88d41c1e95fa4c65bb92d |
| x86_64 | |
| httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 8e301cef50dcc2501f8f86ec4cdd814d94bef0114a5231b5c314dddf16390b86 |
| httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm | SHA-256: d4b6fe73f60f93fe2eeb3a9194c022e4dbd3e8639e9419b85351f4ba0957dfec |
| httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 2364f4b0716157f4ea69036dc571467576867c155932163c0f0ae0c5d60f4f58 |
| httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm | SHA-256: 1f91f6068a7c491bdb281549753763219d18072750ababcdee4a8f6e853ea28f |
| httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 461e7e3ebb31a28a1d7633f62f2058ae9ad17492d2fb2f5ca5722906aeeb30d0 |
| httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 6b58e1c72cc1e86ce113ef1574e8999c57a9723b457f22f873f4500716f3332d |
| httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 82ac8decf4ec1080d917114a79db25f1c8cb632bfbb4875654b69c60af6e9a93 |
| httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm | SHA-256: d1b2b919249725a0c9854c40f20d582310eec548153b13bc7efc9171a41ef18e |
| httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 7fa415a3acf9edb98b7f209e6bd33a8959fbe614b722bcc09d233e5c3214ede0 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3
| SRPM | |
|---|---|
| httpd24-httpd-2.4.25-9.el7.1.src.rpm | SHA-256: f310766baec421c64ca07eef2b7b64b4753438e77be88d41c1e95fa4c65bb92d |
| x86_64 | |
| httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 8e301cef50dcc2501f8f86ec4cdd814d94bef0114a5231b5c314dddf16390b86 |
| httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm | SHA-256: d4b6fe73f60f93fe2eeb3a9194c022e4dbd3e8639e9419b85351f4ba0957dfec |
| httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 2364f4b0716157f4ea69036dc571467576867c155932163c0f0ae0c5d60f4f58 |
| httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm | SHA-256: 1f91f6068a7c491bdb281549753763219d18072750ababcdee4a8f6e853ea28f |
| httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 461e7e3ebb31a28a1d7633f62f2058ae9ad17492d2fb2f5ca5722906aeeb30d0 |
| httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 6b58e1c72cc1e86ce113ef1574e8999c57a9723b457f22f873f4500716f3332d |
| httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 82ac8decf4ec1080d917114a79db25f1c8cb632bfbb4875654b69c60af6e9a93 |
| httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm | SHA-256: d1b2b919249725a0c9854c40f20d582310eec548153b13bc7efc9171a41ef18e |
| httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 7fa415a3acf9edb98b7f209e6bd33a8959fbe614b722bcc09d233e5c3214ede0 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
| SRPM | |
|---|---|
| httpd24-httpd-2.4.25-9.el7.1.src.rpm | SHA-256: f310766baec421c64ca07eef2b7b64b4753438e77be88d41c1e95fa4c65bb92d |
| x86_64 | |
| httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 8e301cef50dcc2501f8f86ec4cdd814d94bef0114a5231b5c314dddf16390b86 |
| httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm | SHA-256: d4b6fe73f60f93fe2eeb3a9194c022e4dbd3e8639e9419b85351f4ba0957dfec |
| httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 2364f4b0716157f4ea69036dc571467576867c155932163c0f0ae0c5d60f4f58 |
| httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm | SHA-256: 1f91f6068a7c491bdb281549753763219d18072750ababcdee4a8f6e853ea28f |
| httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 461e7e3ebb31a28a1d7633f62f2058ae9ad17492d2fb2f5ca5722906aeeb30d0 |
| httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 6b58e1c72cc1e86ce113ef1574e8999c57a9723b457f22f873f4500716f3332d |
| httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 82ac8decf4ec1080d917114a79db25f1c8cb632bfbb4875654b69c60af6e9a93 |
| httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm | SHA-256: d1b2b919249725a0c9854c40f20d582310eec548153b13bc7efc9171a41ef18e |
| httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 7fa415a3acf9edb98b7f209e6bd33a8959fbe614b722bcc09d233e5c3214ede0 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7
| SRPM | |
|---|---|
| httpd24-httpd-2.4.25-9.el6.1.src.rpm | SHA-256: 42ec3fb06615342ab3d6006e5ad44df74d11a1d9d91c7db69f2704e718e4a126 |
| x86_64 | |
| httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm | SHA-256: d0b6ec4e0e1a3465f82eeb2ea55cffed8889bbe838def40e8d0ffeb56ea28c95 |
| httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm | SHA-256: e346144f54be401856aec4b4c7f3d2c773ed45e2e422294a2e3b5c074c542d77 |
| httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 305572ba5c04484c864e92465d3b32b4d844764c4821cb9413c92cf0daecfc2a |
| httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm | SHA-256: 404352d2ad9b7abf6569676776038f9b5e3f70e050468bbc3f3b0564c37fb051 |
| httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 58c66259099b8e556cf31e833c4eb45cd590f3f6e39bbd829ce151cfd089882c |
| httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 73f22171005de5ceda9af14cab66c0dca45d22239050b218e065b74297730f12 |
| httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 37ad36f8c73efc0b740951ff42a4f998820ea3a2e1e89f025527f822892c5d4c |
| httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm | SHA-256: a383d0e53cd30d45bf36fab60ad289ae56bac0eb1f684c3402b54f0a1738b7a4 |
| httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 9a798649330f4ab5ec20c008a50bd2ea4eab8fb6c1ff0631e146039eb28c19fc |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6
| SRPM | |
|---|---|
| httpd24-httpd-2.4.25-9.el6.1.src.rpm | SHA-256: 42ec3fb06615342ab3d6006e5ad44df74d11a1d9d91c7db69f2704e718e4a126 |
| x86_64 | |
| httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm | SHA-256: d0b6ec4e0e1a3465f82eeb2ea55cffed8889bbe838def40e8d0ffeb56ea28c95 |
| httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm | SHA-256: e346144f54be401856aec4b4c7f3d2c773ed45e2e422294a2e3b5c074c542d77 |
| httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 305572ba5c04484c864e92465d3b32b4d844764c4821cb9413c92cf0daecfc2a |
| httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm | SHA-256: 404352d2ad9b7abf6569676776038f9b5e3f70e050468bbc3f3b0564c37fb051 |
| httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 58c66259099b8e556cf31e833c4eb45cd590f3f6e39bbd829ce151cfd089882c |
| httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 73f22171005de5ceda9af14cab66c0dca45d22239050b218e065b74297730f12 |
| httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 37ad36f8c73efc0b740951ff42a4f998820ea3a2e1e89f025527f822892c5d4c |
| httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm | SHA-256: a383d0e53cd30d45bf36fab60ad289ae56bac0eb1f684c3402b54f0a1738b7a4 |
| httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 9a798649330f4ab5ec20c008a50bd2ea4eab8fb6c1ff0631e146039eb28c19fc |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
| SRPM | |
|---|---|
| httpd24-httpd-2.4.25-9.el7.1.src.rpm | SHA-256: f310766baec421c64ca07eef2b7b64b4753438e77be88d41c1e95fa4c65bb92d |
| x86_64 | |
| httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 8e301cef50dcc2501f8f86ec4cdd814d94bef0114a5231b5c314dddf16390b86 |
| httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm | SHA-256: d4b6fe73f60f93fe2eeb3a9194c022e4dbd3e8639e9419b85351f4ba0957dfec |
| httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 2364f4b0716157f4ea69036dc571467576867c155932163c0f0ae0c5d60f4f58 |
| httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm | SHA-256: 1f91f6068a7c491bdb281549753763219d18072750ababcdee4a8f6e853ea28f |
| httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 461e7e3ebb31a28a1d7633f62f2058ae9ad17492d2fb2f5ca5722906aeeb30d0 |
| httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 6b58e1c72cc1e86ce113ef1574e8999c57a9723b457f22f873f4500716f3332d |
| httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 82ac8decf4ec1080d917114a79db25f1c8cb632bfbb4875654b69c60af6e9a93 |
| httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm | SHA-256: d1b2b919249725a0c9854c40f20d582310eec548153b13bc7efc9171a41ef18e |
| httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm | SHA-256: 7fa415a3acf9edb98b7f209e6bd33a8959fbe614b722bcc09d233e5c3214ede0 |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6
| SRPM | |
|---|---|
| httpd24-httpd-2.4.25-9.el6.1.src.rpm | SHA-256: 42ec3fb06615342ab3d6006e5ad44df74d11a1d9d91c7db69f2704e718e4a126 |
| x86_64 | |
| httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm | SHA-256: d0b6ec4e0e1a3465f82eeb2ea55cffed8889bbe838def40e8d0ffeb56ea28c95 |
| httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm | SHA-256: e346144f54be401856aec4b4c7f3d2c773ed45e2e422294a2e3b5c074c542d77 |
| httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 305572ba5c04484c864e92465d3b32b4d844764c4821cb9413c92cf0daecfc2a |
| httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm | SHA-256: 404352d2ad9b7abf6569676776038f9b5e3f70e050468bbc3f3b0564c37fb051 |
| httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 58c66259099b8e556cf31e833c4eb45cd590f3f6e39bbd829ce151cfd089882c |
| httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 73f22171005de5ceda9af14cab66c0dca45d22239050b218e065b74297730f12 |
| httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 37ad36f8c73efc0b740951ff42a4f998820ea3a2e1e89f025527f822892c5d4c |
| httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm | SHA-256: a383d0e53cd30d45bf36fab60ad289ae56bac0eb1f684c3402b54f0a1738b7a4 |
| httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm | SHA-256: 9a798649330f4ab5ec20c008a50bd2ea4eab8fb6c1ff0631e146039eb28c19fc |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.