Red Hat Product Errata RHSA-2017:2972 - Security Advisory

Issued:: 2017-10-19
Updated:: 2017-10-19

RHSA-2017:2972 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: httpd security update

Type/Severity

Security Advisory: Moderate

Topic

An update for httpd is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)
A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource. (CVE-2017-12171)

Red Hat would like to thank Hanno Böck for reporting CVE-2017-9798 and KAWAHARA Masashi for reporting CVE-2017-12171.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

Red Hat Enterprise Linux Server 6 x86_64
Red Hat Enterprise Linux Server 6 i386
Red Hat Enterprise Linux Workstation 6 x86_64
Red Hat Enterprise Linux Workstation 6 i386
Red Hat Enterprise Linux Desktop 6 x86_64
Red Hat Enterprise Linux Desktop 6 i386
Red Hat Enterprise Linux for IBM z Systems 6 s390x
Red Hat Enterprise Linux for Power, big endian 6 ppc64
Red Hat Enterprise Linux for Scientific Computing 6 x86_64

Fixes

BZ - 1490344 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)
BZ - 1493056 - CVE-2017-12171 httpd: # character matches all IPs

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 6

SRPM
httpd-2.2.15-60.el6_9.6.src.rpm	SHA-256: 328aeab280eebb9d347ce5431f9e8d8a36b3c1e0054738ee8738518e5ab45438
x86_64
httpd-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 04c4625a8a3ac4e4dffb6acb0287dc7339db8cb703d5e860c981a301a67f17fb
httpd-debuginfo-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 7c93c4de01bc9e4e5141bdc670f1e98ed23c941a3b6ccbed421cbe3e3a69ef9b
httpd-debuginfo-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 84e32f93b8c2c8703dfdcafbcd50f599795e97bef8a6ecea677005f93b7285c9
httpd-devel-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 21c9886a4038da0e61e438bee715b4fd7691aea65267bdeb596d2238213d1af6
httpd-devel-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 73f26e438bdd69931ee0445ab629252274590998626163d7ca2011d0b61f405c
httpd-manual-2.2.15-60.el6_9.6.noarch.rpm	SHA-256: 9e1cfd97a206153a5a4d5c718cfa0d761094001cdf2569874086a108830bda70
httpd-tools-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 9070e4df86ff8a143fd89cad0fc498e9f150aa0871edaf7e63961b20b77f06d2
mod_ssl-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 87844fd6725f8b39be2ed5c19aae91f1c9da42c2964765404443801c95227cbd
i386
httpd-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 4437b8ff1aa1d6f76b00f4083b86f0a7e6a1ad854566de698ab705472625845e
httpd-debuginfo-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 7c93c4de01bc9e4e5141bdc670f1e98ed23c941a3b6ccbed421cbe3e3a69ef9b
httpd-devel-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 21c9886a4038da0e61e438bee715b4fd7691aea65267bdeb596d2238213d1af6
httpd-manual-2.2.15-60.el6_9.6.noarch.rpm	SHA-256: 9e1cfd97a206153a5a4d5c718cfa0d761094001cdf2569874086a108830bda70
httpd-tools-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 67c281e4324f29781062789caafe5fde4aaddafa81d524fa6929763393eb15ad
mod_ssl-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 8e6b910bdd183534bf70e766a01569e99880c5d5a11ca8443f2335f05189902d

Red Hat Enterprise Linux Workstation 6

SRPM
httpd-2.2.15-60.el6_9.6.src.rpm	SHA-256: 328aeab280eebb9d347ce5431f9e8d8a36b3c1e0054738ee8738518e5ab45438
x86_64
httpd-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 04c4625a8a3ac4e4dffb6acb0287dc7339db8cb703d5e860c981a301a67f17fb
httpd-debuginfo-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 7c93c4de01bc9e4e5141bdc670f1e98ed23c941a3b6ccbed421cbe3e3a69ef9b
httpd-debuginfo-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 84e32f93b8c2c8703dfdcafbcd50f599795e97bef8a6ecea677005f93b7285c9
httpd-devel-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 21c9886a4038da0e61e438bee715b4fd7691aea65267bdeb596d2238213d1af6
httpd-devel-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 73f26e438bdd69931ee0445ab629252274590998626163d7ca2011d0b61f405c
httpd-manual-2.2.15-60.el6_9.6.noarch.rpm	SHA-256: 9e1cfd97a206153a5a4d5c718cfa0d761094001cdf2569874086a108830bda70
httpd-tools-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 9070e4df86ff8a143fd89cad0fc498e9f150aa0871edaf7e63961b20b77f06d2
mod_ssl-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 87844fd6725f8b39be2ed5c19aae91f1c9da42c2964765404443801c95227cbd
i386
httpd-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 4437b8ff1aa1d6f76b00f4083b86f0a7e6a1ad854566de698ab705472625845e
httpd-debuginfo-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 7c93c4de01bc9e4e5141bdc670f1e98ed23c941a3b6ccbed421cbe3e3a69ef9b
httpd-devel-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 21c9886a4038da0e61e438bee715b4fd7691aea65267bdeb596d2238213d1af6
httpd-manual-2.2.15-60.el6_9.6.noarch.rpm	SHA-256: 9e1cfd97a206153a5a4d5c718cfa0d761094001cdf2569874086a108830bda70
httpd-tools-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 67c281e4324f29781062789caafe5fde4aaddafa81d524fa6929763393eb15ad
mod_ssl-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 8e6b910bdd183534bf70e766a01569e99880c5d5a11ca8443f2335f05189902d

Red Hat Enterprise Linux Desktop 6

SRPM
httpd-2.2.15-60.el6_9.6.src.rpm	SHA-256: 328aeab280eebb9d347ce5431f9e8d8a36b3c1e0054738ee8738518e5ab45438
x86_64
httpd-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 04c4625a8a3ac4e4dffb6acb0287dc7339db8cb703d5e860c981a301a67f17fb
httpd-debuginfo-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 7c93c4de01bc9e4e5141bdc670f1e98ed23c941a3b6ccbed421cbe3e3a69ef9b
httpd-debuginfo-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 84e32f93b8c2c8703dfdcafbcd50f599795e97bef8a6ecea677005f93b7285c9
httpd-debuginfo-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 84e32f93b8c2c8703dfdcafbcd50f599795e97bef8a6ecea677005f93b7285c9
httpd-devel-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 21c9886a4038da0e61e438bee715b4fd7691aea65267bdeb596d2238213d1af6
httpd-devel-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 73f26e438bdd69931ee0445ab629252274590998626163d7ca2011d0b61f405c
httpd-manual-2.2.15-60.el6_9.6.noarch.rpm	SHA-256: 9e1cfd97a206153a5a4d5c718cfa0d761094001cdf2569874086a108830bda70
httpd-tools-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 9070e4df86ff8a143fd89cad0fc498e9f150aa0871edaf7e63961b20b77f06d2
mod_ssl-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 87844fd6725f8b39be2ed5c19aae91f1c9da42c2964765404443801c95227cbd
i386
httpd-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 4437b8ff1aa1d6f76b00f4083b86f0a7e6a1ad854566de698ab705472625845e
httpd-debuginfo-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 7c93c4de01bc9e4e5141bdc670f1e98ed23c941a3b6ccbed421cbe3e3a69ef9b
httpd-debuginfo-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 7c93c4de01bc9e4e5141bdc670f1e98ed23c941a3b6ccbed421cbe3e3a69ef9b
httpd-devel-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 21c9886a4038da0e61e438bee715b4fd7691aea65267bdeb596d2238213d1af6
httpd-manual-2.2.15-60.el6_9.6.noarch.rpm	SHA-256: 9e1cfd97a206153a5a4d5c718cfa0d761094001cdf2569874086a108830bda70
httpd-tools-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 67c281e4324f29781062789caafe5fde4aaddafa81d524fa6929763393eb15ad
mod_ssl-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 8e6b910bdd183534bf70e766a01569e99880c5d5a11ca8443f2335f05189902d

Red Hat Enterprise Linux for IBM z Systems 6

SRPM
httpd-2.2.15-60.el6_9.6.src.rpm	SHA-256: 328aeab280eebb9d347ce5431f9e8d8a36b3c1e0054738ee8738518e5ab45438
s390x
httpd-2.2.15-60.el6_9.6.s390x.rpm	SHA-256: fcbfeb9044d31691541448675a7e9ded45149046cd21c0ff9c7267ba9c61fdab
httpd-debuginfo-2.2.15-60.el6_9.6.s390.rpm	SHA-256: 3042ebc568b9e51c1968bc891e3807a7f973aa0bc8f9f682cb19db4d39a0bff8
httpd-debuginfo-2.2.15-60.el6_9.6.s390x.rpm	SHA-256: b129f5961aefa83bfde9078fd7f6b1f1f3e75d766e7c30a275eaac65afb82a0d
httpd-devel-2.2.15-60.el6_9.6.s390.rpm	SHA-256: fa1979c982ca1b8774672e1cf1fe6955a0d2a2406ba5432941899fdaf1384401
httpd-devel-2.2.15-60.el6_9.6.s390x.rpm	SHA-256: 3d40eb0366bef3309c761aa631500120c37fdbda10812c928c9c01d0c4397e9c
httpd-manual-2.2.15-60.el6_9.6.noarch.rpm	SHA-256: 9e1cfd97a206153a5a4d5c718cfa0d761094001cdf2569874086a108830bda70
httpd-tools-2.2.15-60.el6_9.6.s390x.rpm	SHA-256: 514e2f4624c3b496420c94e1e111b682434b272553ac9ae024b2e4f71e84a8b5
mod_ssl-2.2.15-60.el6_9.6.s390x.rpm	SHA-256: e25fe78532eeadd52843c6c5ac32957eac9c6afa7404985d69a3078b65e057bc

Red Hat Enterprise Linux for Power, big endian 6

SRPM
httpd-2.2.15-60.el6_9.6.src.rpm	SHA-256: 328aeab280eebb9d347ce5431f9e8d8a36b3c1e0054738ee8738518e5ab45438
ppc64
httpd-2.2.15-60.el6_9.6.ppc64.rpm	SHA-256: fd55597c36d420a6cecd037ea5116f075cd35857c80b10eb6bcf4742dfecff20
httpd-debuginfo-2.2.15-60.el6_9.6.ppc.rpm	SHA-256: 6519cf8052085480bbc6f0bce3cf2eb9afe5f0388f29a330c2d676f152faee3a
httpd-debuginfo-2.2.15-60.el6_9.6.ppc64.rpm	SHA-256: 222ebfd4f1ef341d665232a97f575b4ebc13fba0d06f88c2847a9ac6bad4a87c
httpd-devel-2.2.15-60.el6_9.6.ppc.rpm	SHA-256: f75be6faa6d3bf73cd8c6007bbc04011f8a51d931197c98bb3385f910d32462f
httpd-devel-2.2.15-60.el6_9.6.ppc64.rpm	SHA-256: c873dd8d19f6e3b6fadcf37b1db8665e65fe9f3b58dddf310e4bf701c325c3ef
httpd-manual-2.2.15-60.el6_9.6.noarch.rpm	SHA-256: 9e1cfd97a206153a5a4d5c718cfa0d761094001cdf2569874086a108830bda70
httpd-tools-2.2.15-60.el6_9.6.ppc64.rpm	SHA-256: 96acd2db0915e984d728a4dedefe60d70e0970944ba7798a471e55e6cc3b1dcb
mod_ssl-2.2.15-60.el6_9.6.ppc64.rpm	SHA-256: 911de43bec6223f763fe22153e247ff36d2c29c3164779783a3b51c47a408c2f

Red Hat Enterprise Linux for Scientific Computing 6

SRPM
httpd-2.2.15-60.el6_9.6.src.rpm	SHA-256: 328aeab280eebb9d347ce5431f9e8d8a36b3c1e0054738ee8738518e5ab45438
x86_64
httpd-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 04c4625a8a3ac4e4dffb6acb0287dc7339db8cb703d5e860c981a301a67f17fb
httpd-debuginfo-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 7c93c4de01bc9e4e5141bdc670f1e98ed23c941a3b6ccbed421cbe3e3a69ef9b
httpd-debuginfo-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 84e32f93b8c2c8703dfdcafbcd50f599795e97bef8a6ecea677005f93b7285c9
httpd-debuginfo-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 84e32f93b8c2c8703dfdcafbcd50f599795e97bef8a6ecea677005f93b7285c9
httpd-devel-2.2.15-60.el6_9.6.i686.rpm	SHA-256: 21c9886a4038da0e61e438bee715b4fd7691aea65267bdeb596d2238213d1af6
httpd-devel-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 73f26e438bdd69931ee0445ab629252274590998626163d7ca2011d0b61f405c
httpd-manual-2.2.15-60.el6_9.6.noarch.rpm	SHA-256: 9e1cfd97a206153a5a4d5c718cfa0d761094001cdf2569874086a108830bda70
httpd-tools-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 9070e4df86ff8a143fd89cad0fc498e9f150aa0871edaf7e63961b20b77f06d2
mod_ssl-2.2.15-60.el6_9.6.x86_64.rpm	SHA-256: 87844fd6725f8b39be2ed5c19aae91f1c9da42c2964765404443801c95227cbd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories