Issued: 2017-11-13
Updated: 2017-11-13
RHSA-2017:3193 - Security Advisory
Synopsis
Important: httpd security update
Type/Severity
Security Advisory: Important
Topic
An update for httpd is now available for Red Hat Enterprise Linux 7.2 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
- It was discovered that httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause an httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
- It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167)
- A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)
- A buffer over-read flaw was found in httpd's ap_find_token() function. A remote attacker could use this flaw to cause an httpd child process to crash via a specially crafted HTTP request. (CVE-2017-7668)
- A buffer over-read flaw was found in httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause an httpd child process to crash. (CVE-2017-7679)
- A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause an httpd child process to crash. (CVE-2017-9798)
Red Hat would like to thank Hanno Böck for reporting CVE-2017-9798.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
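The two checks an administrator wants before and after applying this erratum are whether the installed httpd build is older than the fixed release listed below (2.4.6-40.el7_2.6) and whether a downloaded RPM matches the SHA-256 value printed in the package table. The following is an added example, not Red Hat's own tooling: it reimplements a simplified form of rpm's version comparison in Python (the real rpmvercmp() has more corner cases around tildes and mixed segments), parses `rpm -q` style output, and compares file digests against the x86_64 table entries copied from this advisory. The `rpm -q` line and the RPM bytes used at the bottom are constructed sample input.

```python
import hashlib
import re
from typing import Tuple

# Fixed build from this advisory's package table (RHSA-2017:3193).
FIXED_EVR = "2.4.6-40.el7_2.6"

# SHA-256 values copied from the advisory's x86_64 table for two of the packages.
ADVISORY_SHA256 = {
    "httpd-2.4.6-40.el7_2.6.x86_64.rpm":
        "67f20276a9944d0d41e773c486206ddb383f30caeca8f40cf0c55a4d4aadd732",
    "mod_ssl-2.4.6-40.el7_2.6.x86_64.rpm":
        "d69cd7630387d7953a25d6d3aaa3bc861dfb3f9d0415beed0ec65c21084fc328",
}

# rpm splits version strings into runs of digits, runs of letters, and '~'.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified reimplementation of rpm's rpmvercmp(): -1 if a < b, 0, or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # '~' sorts before anything, even end of string
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():   # numeric segments compare as integers
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():  # a numeric segment is newer than an alpha one
            return 1 if x.isdigit() else -1
        elif x != y:                      # alpha segments compare lexically
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    extra = (sa if longer_is_a else sb)[min(len(sa), len(sb))]
    if extra == "~":                      # trailing '~' segment means "older"
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1       # otherwise the longer string is newer


def split_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' (epoch optional, default 0)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, release = evr.rsplit("-", 1)
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_q(line: str) -> Tuple[str, str, str]:
    """Turn one 'rpm -q' line such as httpd-2.4.6-40.el7_2.5.x86_64 into (name, evr, arch)."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, f"{version}-{release}", arch


def needs_update(rpm_q_line: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed build is older than the fixed build from the advisory."""
    _, installed_evr, _ = parse_rpm_q(rpm_q_line)
    return compare_evr(installed_evr, fixed_evr) < 0


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


def verify_package(filename: str, data: bytes) -> bool:
    """Check downloaded RPM bytes against the advisory's SHA-256 for that filename."""
    expected = ADVISORY_SHA256.get(filename)
    return expected is not None and sha256_matches(data, expected)


if __name__ == "__main__":
    # Constructed sample input: a host still on the previous build.
    sample = "httpd-2.4.6-40.el7_2.5.x86_64"
    print(sample, "needs update:", needs_update(sample))
    # Constructed bytes, so this prints False; a real download would be read from disk.
    print("checksum ok:", verify_package("httpd-2.4.6-40.el7_2.6.x86_64.rpm", b"not a real rpm"))
```

On a live host the `rpm -q httpd` output would be fed to `needs_update()` and the downloaded files read in binary mode and passed to `verify_package()`; for production use, `rpm -K` and `rpm --checksig` remain the authoritative signature checks, and this script only mirrors the digest column of the advisory table.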
Affected Products
- Red Hat Enterprise Linux Server - Extended Update Support 7.2 x86_64
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.2 s390x
- Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.2 ppc64
- Red Hat Enterprise Linux EUS Compute Node 7.2 x86_64
- Red Hat Enterprise Linux Server - AUS 7.2 x86_64
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.2 ppc64le
- Red Hat Enterprise Linux Server - TUS 7.2 x86_64
- Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.2 x86_64
Fixes
- BZ - 1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
- BZ - 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
- BZ - 1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread
- BZ - 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
- BZ - 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
- BZ - 1490344 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)
CVEs
References
Red Hat Enterprise Linux Server - Extended Update Support 7.2
| Package | Checksum |
|---|---|
| SRPM | |
| httpd-2.4.6-40.el7_2.6.src.rpm | SHA-256: ee633b44d4dace579fc7bb64e4d4b975c086d303d3972100724a4bd261d0f6b0 |
| x86_64 | |
| httpd-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 67f20276a9944d0d41e773c486206ddb383f30caeca8f40cf0c55a4d4aadd732 |
| httpd-debuginfo-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 90fbb52e10f6f1f0eaa9710564b80816dfa445f29fcb27f21f0a6348cf9f3eb4 |
| httpd-devel-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 11842aa45a6ae4301d56d3d13550206e270dfcafa00d5b37d0c3b4427c051bfc |
| httpd-manual-2.4.6-40.el7_2.6.noarch.rpm | SHA-256: 7bb01380bd0b7e8bf5f707320fb30c4f9a09a29a48e5ea2bc8f4387a26e99ce1 |
| httpd-tools-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 5943244e29debd5b186b1cc4557d84b0caed9d8a79b05682ca8e84b52790ee11 |
| mod_ldap-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: bfb19d2bf37b86662b7e674d0df43ceed2fb60c2d7111bb0fad8491e7284b446 |
| mod_proxy_html-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 061506d56486da4d07a23697d5b6a467c03b030fbf8da59088c5cbd09bc075f8 |
| mod_session-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: df853f8a467c310503079388e7351e1a01b43c5091cb536fd7ebe8178112d844 |
| mod_ssl-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: d69cd7630387d7953a25d6d3aaa3bc861dfb3f9d0415beed0ec65c21084fc328 |
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.2
| Package | Checksum |
|---|---|
| SRPM | |
| httpd-2.4.6-40.el7_2.6.src.rpm | SHA-256: ee633b44d4dace579fc7bb64e4d4b975c086d303d3972100724a4bd261d0f6b0 |
| s390x | |
| httpd-2.4.6-40.el7_2.6.s390x.rpm | SHA-256: c76703aa3784f49e419bfb8e3c694e4a5da38f6290c420dbf6f055709cd14dc9 |
| httpd-debuginfo-2.4.6-40.el7_2.6.s390x.rpm | SHA-256: 37da32248da34d531fcacb8b5f97eac1a6cfb29365e71753db0d8454ecff6f3f |
| httpd-devel-2.4.6-40.el7_2.6.s390x.rpm | SHA-256: 77a1cbb3373bb107b3a4ac1627f611cfd368f13ad8cfead920a4bc264e9bcfdf |
| httpd-manual-2.4.6-40.el7_2.6.noarch.rpm | SHA-256: 7bb01380bd0b7e8bf5f707320fb30c4f9a09a29a48e5ea2bc8f4387a26e99ce1 |
| httpd-tools-2.4.6-40.el7_2.6.s390x.rpm | SHA-256: 50910b816a7bceea10dcc8d5262d2893f0e559bd94875b366541372dc26eae85 |
| mod_ldap-2.4.6-40.el7_2.6.s390x.rpm | SHA-256: f9b1448370c7f8f3d466255a4aa10f3406586f6dbc0e3ab3edf2a912b9c487dd |
| mod_proxy_html-2.4.6-40.el7_2.6.s390x.rpm | SHA-256: b0c9c8c38dcfa7eb4501523411527cf504ad136e07af9ea907b212fa96eaeb59 |
| mod_session-2.4.6-40.el7_2.6.s390x.rpm | SHA-256: 66bb2bba55584dd4accdd895b80a139145720fd1b8340c99e5268189558a51cd |
| mod_ssl-2.4.6-40.el7_2.6.s390x.rpm | SHA-256: 1384c6e4aed2e37ffbf4f9c8e0d6339c6ac77a63a3010e6d29ceef26dd4e3a1c |
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.2
| Package | Checksum |
|---|---|
| SRPM | |
| httpd-2.4.6-40.el7_2.6.src.rpm | SHA-256: ee633b44d4dace579fc7bb64e4d4b975c086d303d3972100724a4bd261d0f6b0 |
| ppc64 | |
| httpd-2.4.6-40.el7_2.6.ppc64.rpm | SHA-256: 2efec0aae8d07f7ad4449d71b44ff7fe1e47aea07dca0a180a47afd069eb87e5 |
| httpd-debuginfo-2.4.6-40.el7_2.6.ppc64.rpm | SHA-256: 9be3245295669896a2ae67534ff540a8e9fb52af733767f365863d55b62bf723 |
| httpd-devel-2.4.6-40.el7_2.6.ppc64.rpm | SHA-256: ec7d20c967e9163d16210efd9db3d238eb076101dba918ea00f770ca9d36b1e9 |
| httpd-manual-2.4.6-40.el7_2.6.noarch.rpm | SHA-256: 7bb01380bd0b7e8bf5f707320fb30c4f9a09a29a48e5ea2bc8f4387a26e99ce1 |
| httpd-tools-2.4.6-40.el7_2.6.ppc64.rpm | SHA-256: 726556ab92ed17b8d94fb96b8f3cde94d82215a8469145cf033eb913faa18bf6 |
| mod_ldap-2.4.6-40.el7_2.6.ppc64.rpm | SHA-256: c7e123ab2e598c44ee7d5d013844bbbf8ee79fccb237c29ac57a6e8485efd464 |
| mod_proxy_html-2.4.6-40.el7_2.6.ppc64.rpm | SHA-256: 6b63eb619b267e9a5fadbd487778e622eb71cb353f0199ae2574f549b32d6f16 |
| mod_session-2.4.6-40.el7_2.6.ppc64.rpm | SHA-256: 33bc1f0d6c43e4a892eecc126184b4a7e12389f554ca3990b6ec9f09ee1d010b |
| mod_ssl-2.4.6-40.el7_2.6.ppc64.rpm | SHA-256: 6416b5dacbfbce5e76a871501095a49aa6d04c1dd6126b464addf9a9fa5c32b2 |
Red Hat Enterprise Linux EUS Compute Node 7.2
| Package | Checksum |
|---|---|
| SRPM | |
| httpd-2.4.6-40.el7_2.6.src.rpm | SHA-256: ee633b44d4dace579fc7bb64e4d4b975c086d303d3972100724a4bd261d0f6b0 |
| x86_64 | |
| httpd-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 67f20276a9944d0d41e773c486206ddb383f30caeca8f40cf0c55a4d4aadd732 |
| httpd-debuginfo-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 90fbb52e10f6f1f0eaa9710564b80816dfa445f29fcb27f21f0a6348cf9f3eb4 |
| httpd-devel-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 11842aa45a6ae4301d56d3d13550206e270dfcafa00d5b37d0c3b4427c051bfc |
| httpd-manual-2.4.6-40.el7_2.6.noarch.rpm | SHA-256: 7bb01380bd0b7e8bf5f707320fb30c4f9a09a29a48e5ea2bc8f4387a26e99ce1 |
| httpd-tools-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 5943244e29debd5b186b1cc4557d84b0caed9d8a79b05682ca8e84b52790ee11 |
| mod_ldap-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: bfb19d2bf37b86662b7e674d0df43ceed2fb60c2d7111bb0fad8491e7284b446 |
| mod_proxy_html-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 061506d56486da4d07a23697d5b6a467c03b030fbf8da59088c5cbd09bc075f8 |
| mod_session-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: df853f8a467c310503079388e7351e1a01b43c5091cb536fd7ebe8178112d844 |
| mod_ssl-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: d69cd7630387d7953a25d6d3aaa3bc861dfb3f9d0415beed0ec65c21084fc328 |
Red Hat Enterprise Linux Server - AUS 7.2
| Package | Checksum |
|---|---|
| SRPM | |
| httpd-2.4.6-40.el7_2.6.src.rpm | SHA-256: ee633b44d4dace579fc7bb64e4d4b975c086d303d3972100724a4bd261d0f6b0 |
| x86_64 | |
| httpd-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 67f20276a9944d0d41e773c486206ddb383f30caeca8f40cf0c55a4d4aadd732 |
| httpd-debuginfo-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 90fbb52e10f6f1f0eaa9710564b80816dfa445f29fcb27f21f0a6348cf9f3eb4 |
| httpd-devel-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 11842aa45a6ae4301d56d3d13550206e270dfcafa00d5b37d0c3b4427c051bfc |
| httpd-manual-2.4.6-40.el7_2.6.noarch.rpm | SHA-256: 7bb01380bd0b7e8bf5f707320fb30c4f9a09a29a48e5ea2bc8f4387a26e99ce1 |
| httpd-tools-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 5943244e29debd5b186b1cc4557d84b0caed9d8a79b05682ca8e84b52790ee11 |
| mod_ldap-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: bfb19d2bf37b86662b7e674d0df43ceed2fb60c2d7111bb0fad8491e7284b446 |
| mod_proxy_html-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 061506d56486da4d07a23697d5b6a467c03b030fbf8da59088c5cbd09bc075f8 |
| mod_session-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: df853f8a467c310503079388e7351e1a01b43c5091cb536fd7ebe8178112d844 |
| mod_ssl-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: d69cd7630387d7953a25d6d3aaa3bc861dfb3f9d0415beed0ec65c21084fc328 |
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.2
| Package | Checksum |
|---|---|
| SRPM | |
| httpd-2.4.6-40.el7_2.6.src.rpm | SHA-256: ee633b44d4dace579fc7bb64e4d4b975c086d303d3972100724a4bd261d0f6b0 |
| ppc64le | |
| httpd-2.4.6-40.el7_2.6.ppc64le.rpm | SHA-256: 929b8ab55a1e7087231f25ea3fe620d7c9443a84b67d66b5167ea2d18ddcd8b2 |
| httpd-debuginfo-2.4.6-40.el7_2.6.ppc64le.rpm | SHA-256: c9a953b97b8fc311e03bead64a20db66ad45fed4d4e2d419f2e8c1ce39b49fbe |
| httpd-devel-2.4.6-40.el7_2.6.ppc64le.rpm | SHA-256: 7ac7df15e800eaa9e6aef9bd0bf84a0fd50c52cf41ba19593a46a255845aa432 |
| httpd-manual-2.4.6-40.el7_2.6.noarch.rpm | SHA-256: 7bb01380bd0b7e8bf5f707320fb30c4f9a09a29a48e5ea2bc8f4387a26e99ce1 |
| httpd-tools-2.4.6-40.el7_2.6.ppc64le.rpm | SHA-256: cf19762f2f082f80e1891c37b97bac22420dad892ee1ca01ff285abae4f7d0b9 |
| mod_ldap-2.4.6-40.el7_2.6.ppc64le.rpm | SHA-256: a52bd748471721d285281869aa7566d49f27d06d61d9ce9a00a2adbb8a2c246d |
| mod_proxy_html-2.4.6-40.el7_2.6.ppc64le.rpm | SHA-256: 3a8d5489952b06deea036d6281d74aa82126c84bfb839896b2f2ecc718499969 |
| mod_session-2.4.6-40.el7_2.6.ppc64le.rpm | SHA-256: b8c52e02c9e9efb44104bf9d7a60bccdaedc2f61f79f730954ac614c4b87e543 |
| mod_ssl-2.4.6-40.el7_2.6.ppc64le.rpm | SHA-256: 9a58d1498be75a00b392b297c7d7f9c820c8b69fd8a631f5618b7a553dc41c81 |
Red Hat Enterprise Linux Server - TUS 7.2
| Package | Checksum |
|---|---|
| SRPM | |
| httpd-2.4.6-40.el7_2.6.src.rpm | SHA-256: ee633b44d4dace579fc7bb64e4d4b975c086d303d3972100724a4bd261d0f6b0 |
| x86_64 | |
| httpd-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 67f20276a9944d0d41e773c486206ddb383f30caeca8f40cf0c55a4d4aadd732 |
| httpd-debuginfo-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 90fbb52e10f6f1f0eaa9710564b80816dfa445f29fcb27f21f0a6348cf9f3eb4 |
| httpd-devel-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 11842aa45a6ae4301d56d3d13550206e270dfcafa00d5b37d0c3b4427c051bfc |
| httpd-manual-2.4.6-40.el7_2.6.noarch.rpm | SHA-256: 7bb01380bd0b7e8bf5f707320fb30c4f9a09a29a48e5ea2bc8f4387a26e99ce1 |
| httpd-tools-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 5943244e29debd5b186b1cc4557d84b0caed9d8a79b05682ca8e84b52790ee11 |
| mod_ldap-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: bfb19d2bf37b86662b7e674d0df43ceed2fb60c2d7111bb0fad8491e7284b446 |
| mod_proxy_html-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 061506d56486da4d07a23697d5b6a467c03b030fbf8da59088c5cbd09bc075f8 |
| mod_session-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: df853f8a467c310503079388e7351e1a01b43c5091cb536fd7ebe8178112d844 |
| mod_ssl-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: d69cd7630387d7953a25d6d3aaa3bc861dfb3f9d0415beed0ec65c21084fc328 |
Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.2
| Package | Checksum |
|---|---|
| SRPM | |
| httpd-2.4.6-40.el7_2.6.src.rpm | SHA-256: ee633b44d4dace579fc7bb64e4d4b975c086d303d3972100724a4bd261d0f6b0 |
| x86_64 | |
| httpd-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 67f20276a9944d0d41e773c486206ddb383f30caeca8f40cf0c55a4d4aadd732 |
| httpd-debuginfo-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 90fbb52e10f6f1f0eaa9710564b80816dfa445f29fcb27f21f0a6348cf9f3eb4 |
| httpd-devel-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 11842aa45a6ae4301d56d3d13550206e270dfcafa00d5b37d0c3b4427c051bfc |
| httpd-manual-2.4.6-40.el7_2.6.noarch.rpm | SHA-256: 7bb01380bd0b7e8bf5f707320fb30c4f9a09a29a48e5ea2bc8f4387a26e99ce1 |
| httpd-tools-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 5943244e29debd5b186b1cc4557d84b0caed9d8a79b05682ca8e84b52790ee11 |
| mod_ldap-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: bfb19d2bf37b86662b7e674d0df43ceed2fb60c2d7111bb0fad8491e7284b446 |
| mod_proxy_html-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: 061506d56486da4d07a23697d5b6a467c03b030fbf8da59088c5cbd09bc075f8 |
| mod_session-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: df853f8a467c310503079388e7351e1a01b43c5091cb536fd7ebe8178112d844 |
| mod_ssl-2.4.6-40.el7_2.6.x86_64.rpm | SHA-256: d69cd7630387d7953a25d6d3aaa3bc861dfb3f9d0415beed0ec65c21084fc328 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
