- Issued:
- 2017-11-13
- Updated:
- 2017-11-13
RHSA-2017:3194 - Security Advisory
Synopsis
Important: httpd security update
Type/Severity
Security Advisory: Important
Topic
An update for httpd is now available for Red Hat Enterprise Linux 7.3 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
- It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
- It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167)
- A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)
- A buffer over-read flaw was found in the httpd's ap_find_token() function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request. (CVE-2017-7668)
- A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679)
- A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)
Red Hat would like to thank Hanno Böck for reporting CVE-2017-9798.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
Affected Products
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.3 x86_64
- Red Hat Enterprise Linux EUS Compute Node 7.3 x86_64
- Red Hat Enterprise Linux Server - AUS 7.3 x86_64
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.3 s390x
- Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.3 ppc64
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.3 ppc64le
- Red Hat Enterprise Linux Server - TUS 7.3 x86_64
- Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.3 ppc64le
- Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.3 x86_64
Fixes
- BZ - 1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
- BZ - 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
- BZ - 1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread
- BZ - 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
- BZ - 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
- BZ - 1490344 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)
CVEs
References
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.3
| SRPM | |
|---|---|
| httpd-2.4.6-45.el7_3.5.src.rpm | SHA-256: 24fc1cff0a9d88055832c68f166b84f78147355091bf506b8fa740f4d12069da |
| x86_64 | |
| httpd-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 5ff7789d7e909d366332f4d6e2144a089bbcb67a02eb66f8f299d3e3cbcad95a |
| httpd-debuginfo-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: b7725bbe93888cc9a65fe6f4af5b7a6c7f56b085bd63b2f0fd077389d4679ec5 |
| httpd-debuginfo-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: b7725bbe93888cc9a65fe6f4af5b7a6c7f56b085bd63b2f0fd077389d4679ec5 |
| httpd-devel-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 7b93a7d3d108f02c21b4408f4989bf76e9cf619178bb8195858f664fa1813fbf |
| httpd-manual-2.4.6-45.el7_3.5.noarch.rpm | SHA-256: 06d48d067215626b43ea0e331964f72d58a7a4ff2bdc668c6e4ac4b049031a81 |
| httpd-tools-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 3a76c4a6a37005c5a0f74605cd27076bb7540b63970ae262bc4186b398f9487e |
| mod_ldap-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: dd545f4671a673757d86026e51dcc3dcf9907d4e796f7b35f2d73b7b2d159d49 |
| mod_proxy_html-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 834423090c37b4b65498d94fb30e50c92061ec96b4f21bb0000f3f65c52b6ea0 |
| mod_session-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: f6bbde4bf702a45d6ff77a246948ade6d3cd684aedfa07098404a3965ab668ef |
| mod_ssl-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 5dd4602f016f6d821fbe23f5a31ba50c4475a54828446fa5627c1cced6477fd1 |
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.3
| SRPM | |
|---|---|
| httpd-2.4.6-45.el7_3.5.src.rpm | SHA-256: 24fc1cff0a9d88055832c68f166b84f78147355091bf506b8fa740f4d12069da |
| s390x | |
| httpd-2.4.6-45.el7_3.5.s390x.rpm | SHA-256: 5ac03f5c1d78918fabfc01c16087cd450767f1d5693d8b764106fe2f2db2b551 |
| httpd-debuginfo-2.4.6-45.el7_3.5.s390x.rpm | SHA-256: 67d6cbb94ee9251914c242b1ac1e32721fe1cb9617dac663646f38582a58c4a1 |
| httpd-debuginfo-2.4.6-45.el7_3.5.s390x.rpm | SHA-256: 67d6cbb94ee9251914c242b1ac1e32721fe1cb9617dac663646f38582a58c4a1 |
| httpd-devel-2.4.6-45.el7_3.5.s390x.rpm | SHA-256: 19d52e8eb7a7743aaf379a70447039c05b4aee1bdb170182c188b736e023577b |
| httpd-manual-2.4.6-45.el7_3.5.noarch.rpm | SHA-256: 06d48d067215626b43ea0e331964f72d58a7a4ff2bdc668c6e4ac4b049031a81 |
| httpd-tools-2.4.6-45.el7_3.5.s390x.rpm | SHA-256: 3c4479a44dc1e1aa6e5b25d9883f23837f09485f2ec9e5a61cd4b27bcc1b8a46 |
| mod_ldap-2.4.6-45.el7_3.5.s390x.rpm | SHA-256: d9bb738ddf3f76044240aea8cb8c1fa733841299a352362dc45b8ae2efe882a6 |
| mod_proxy_html-2.4.6-45.el7_3.5.s390x.rpm | SHA-256: d59763b82a4b0e1e7254c25f9c92f68902a0b48c9af5a15bedc38e6352e1f070 |
| mod_session-2.4.6-45.el7_3.5.s390x.rpm | SHA-256: f5372f8d5e622dde8a0c57de5959fc308a744655035f9bdffb4eabd35453e76a |
| mod_ssl-2.4.6-45.el7_3.5.s390x.rpm | SHA-256: d6e368f32eec64cc8a988e9a39e4b6f4e8d80dc65c646b61ce5a1678c24c3494 |
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.3
| SRPM | |
|---|---|
| httpd-2.4.6-45.el7_3.5.src.rpm | SHA-256: 24fc1cff0a9d88055832c68f166b84f78147355091bf506b8fa740f4d12069da |
| ppc64 | |
| httpd-2.4.6-45.el7_3.5.ppc64.rpm | SHA-256: e43d13a5a93bc45b629950550ef2caeff4a0f15092dc267336044b619841c178 |
| httpd-debuginfo-2.4.6-45.el7_3.5.ppc64.rpm | SHA-256: 41b1d0ea580a6bc1a919856d0e92fb8ca606689541327078be016b1837ff9b64 |
| httpd-debuginfo-2.4.6-45.el7_3.5.ppc64.rpm | SHA-256: 41b1d0ea580a6bc1a919856d0e92fb8ca606689541327078be016b1837ff9b64 |
| httpd-devel-2.4.6-45.el7_3.5.ppc64.rpm | SHA-256: 78fd4b8cb4147f8e8b688353a861bd335d50495200338d9b39deb9d48ab3a9e0 |
| httpd-manual-2.4.6-45.el7_3.5.noarch.rpm | SHA-256: 06d48d067215626b43ea0e331964f72d58a7a4ff2bdc668c6e4ac4b049031a81 |
| httpd-tools-2.4.6-45.el7_3.5.ppc64.rpm | SHA-256: 7f56254bc0aa46fbe923dfdae88dad9c5e5211db85b76747567b2abbf328b975 |
| mod_ldap-2.4.6-45.el7_3.5.ppc64.rpm | SHA-256: ecbaf7631c2f0b3dd238711f078953f303c8b347528a5fe863e8603adb5eb1fb |
| mod_proxy_html-2.4.6-45.el7_3.5.ppc64.rpm | SHA-256: c91896bff1b9433183613aedca37decdd909f56fde238c75ef2b6a07bba29a1d |
| mod_session-2.4.6-45.el7_3.5.ppc64.rpm | SHA-256: 4d31d30439a8bb78a080d811fafa4f533b359978f087c7c5f597cd5533ba3dd8 |
| mod_ssl-2.4.6-45.el7_3.5.ppc64.rpm | SHA-256: 50304ba36fefcb4a2dc8bccf7f7e2888cf307212f0e1fbb58faf9d801ed13ce8 |
Red Hat Enterprise Linux EUS Compute Node 7.3
| SRPM | |
|---|---|
| httpd-2.4.6-45.el7_3.5.src.rpm | SHA-256: 24fc1cff0a9d88055832c68f166b84f78147355091bf506b8fa740f4d12069da |
| x86_64 | |
| httpd-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 5ff7789d7e909d366332f4d6e2144a089bbcb67a02eb66f8f299d3e3cbcad95a |
| httpd-debuginfo-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: b7725bbe93888cc9a65fe6f4af5b7a6c7f56b085bd63b2f0fd077389d4679ec5 |
| httpd-devel-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 7b93a7d3d108f02c21b4408f4989bf76e9cf619178bb8195858f664fa1813fbf |
| httpd-manual-2.4.6-45.el7_3.5.noarch.rpm | SHA-256: 06d48d067215626b43ea0e331964f72d58a7a4ff2bdc668c6e4ac4b049031a81 |
| httpd-tools-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 3a76c4a6a37005c5a0f74605cd27076bb7540b63970ae262bc4186b398f9487e |
| mod_ldap-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: dd545f4671a673757d86026e51dcc3dcf9907d4e796f7b35f2d73b7b2d159d49 |
| mod_proxy_html-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 834423090c37b4b65498d94fb30e50c92061ec96b4f21bb0000f3f65c52b6ea0 |
| mod_session-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: f6bbde4bf702a45d6ff77a246948ade6d3cd684aedfa07098404a3965ab668ef |
| mod_ssl-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 5dd4602f016f6d821fbe23f5a31ba50c4475a54828446fa5627c1cced6477fd1 |
Red Hat Enterprise Linux Server - AUS 7.3
| SRPM | |
|---|---|
| httpd-2.4.6-45.el7_3.5.src.rpm | SHA-256: 24fc1cff0a9d88055832c68f166b84f78147355091bf506b8fa740f4d12069da |
| x86_64 | |
| httpd-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 5ff7789d7e909d366332f4d6e2144a089bbcb67a02eb66f8f299d3e3cbcad95a |
| httpd-debuginfo-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: b7725bbe93888cc9a65fe6f4af5b7a6c7f56b085bd63b2f0fd077389d4679ec5 |
| httpd-debuginfo-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: b7725bbe93888cc9a65fe6f4af5b7a6c7f56b085bd63b2f0fd077389d4679ec5 |
| httpd-devel-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 7b93a7d3d108f02c21b4408f4989bf76e9cf619178bb8195858f664fa1813fbf |
| httpd-manual-2.4.6-45.el7_3.5.noarch.rpm | SHA-256: 06d48d067215626b43ea0e331964f72d58a7a4ff2bdc668c6e4ac4b049031a81 |
| httpd-tools-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 3a76c4a6a37005c5a0f74605cd27076bb7540b63970ae262bc4186b398f9487e |
| mod_ldap-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: dd545f4671a673757d86026e51dcc3dcf9907d4e796f7b35f2d73b7b2d159d49 |
| mod_proxy_html-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 834423090c37b4b65498d94fb30e50c92061ec96b4f21bb0000f3f65c52b6ea0 |
| mod_session-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: f6bbde4bf702a45d6ff77a246948ade6d3cd684aedfa07098404a3965ab668ef |
| mod_ssl-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 5dd4602f016f6d821fbe23f5a31ba50c4475a54828446fa5627c1cced6477fd1 |
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.3
| SRPM | |
|---|---|
| httpd-2.4.6-45.el7_3.5.src.rpm | SHA-256: 24fc1cff0a9d88055832c68f166b84f78147355091bf506b8fa740f4d12069da |
| ppc64le | |
| httpd-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: 8d49276de74ee36093723944b0292986dd00049b51247401f3d3d618f9d68e33 |
| httpd-debuginfo-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: d971ee4addb75c263387d329969de267532e0bec67d9995bab70080300b70759 |
| httpd-debuginfo-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: d971ee4addb75c263387d329969de267532e0bec67d9995bab70080300b70759 |
| httpd-devel-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: ba25b1ed8a93c79a00cd873979d973a1829b5286bbff09960a4aa168c9446ddd |
| httpd-manual-2.4.6-45.el7_3.5.noarch.rpm | SHA-256: 06d48d067215626b43ea0e331964f72d58a7a4ff2bdc668c6e4ac4b049031a81 |
| httpd-tools-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: a22d38340b028fecc979782fc50cf228e658ca7a7337c8ab99c384544190d3cc |
| mod_ldap-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: 285c1ff02ee7fbdd095ffcbb5ecc702d8a8d63bf35a3add783a44be5fc88d049 |
| mod_proxy_html-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: b5d379a650c8bf62490f9dae6b21efb1a7997ed493a6900ece7be42330b7b07c |
| mod_session-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: 12908ac1cf03fcc11fb0cf936f76b18fe85537531f34f0f9965489b8772390f5 |
| mod_ssl-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: 5a3e32b5653b32b7494c2b5a545d9ad2abe3da8348dadaa8fffc3ba94506e49b |
Red Hat Enterprise Linux Server - TUS 7.3
| SRPM | |
|---|---|
| httpd-2.4.6-45.el7_3.5.src.rpm | SHA-256: 24fc1cff0a9d88055832c68f166b84f78147355091bf506b8fa740f4d12069da |
| x86_64 | |
| httpd-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 5ff7789d7e909d366332f4d6e2144a089bbcb67a02eb66f8f299d3e3cbcad95a |
| httpd-debuginfo-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: b7725bbe93888cc9a65fe6f4af5b7a6c7f56b085bd63b2f0fd077389d4679ec5 |
| httpd-debuginfo-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: b7725bbe93888cc9a65fe6f4af5b7a6c7f56b085bd63b2f0fd077389d4679ec5 |
| httpd-devel-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 7b93a7d3d108f02c21b4408f4989bf76e9cf619178bb8195858f664fa1813fbf |
| httpd-manual-2.4.6-45.el7_3.5.noarch.rpm | SHA-256: 06d48d067215626b43ea0e331964f72d58a7a4ff2bdc668c6e4ac4b049031a81 |
| httpd-tools-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 3a76c4a6a37005c5a0f74605cd27076bb7540b63970ae262bc4186b398f9487e |
| mod_ldap-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: dd545f4671a673757d86026e51dcc3dcf9907d4e796f7b35f2d73b7b2d159d49 |
| mod_proxy_html-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 834423090c37b4b65498d94fb30e50c92061ec96b4f21bb0000f3f65c52b6ea0 |
| mod_session-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: f6bbde4bf702a45d6ff77a246948ade6d3cd684aedfa07098404a3965ab668ef |
| mod_ssl-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 5dd4602f016f6d821fbe23f5a31ba50c4475a54828446fa5627c1cced6477fd1 |
Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.3
| SRPM | |
|---|---|
| httpd-2.4.6-45.el7_3.5.src.rpm | SHA-256: 24fc1cff0a9d88055832c68f166b84f78147355091bf506b8fa740f4d12069da |
| ppc64le | |
| httpd-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: 8d49276de74ee36093723944b0292986dd00049b51247401f3d3d618f9d68e33 |
| httpd-debuginfo-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: d971ee4addb75c263387d329969de267532e0bec67d9995bab70080300b70759 |
| httpd-debuginfo-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: d971ee4addb75c263387d329969de267532e0bec67d9995bab70080300b70759 |
| httpd-devel-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: ba25b1ed8a93c79a00cd873979d973a1829b5286bbff09960a4aa168c9446ddd |
| httpd-manual-2.4.6-45.el7_3.5.noarch.rpm | SHA-256: 06d48d067215626b43ea0e331964f72d58a7a4ff2bdc668c6e4ac4b049031a81 |
| httpd-tools-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: a22d38340b028fecc979782fc50cf228e658ca7a7337c8ab99c384544190d3cc |
| mod_ldap-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: 285c1ff02ee7fbdd095ffcbb5ecc702d8a8d63bf35a3add783a44be5fc88d049 |
| mod_proxy_html-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: b5d379a650c8bf62490f9dae6b21efb1a7997ed493a6900ece7be42330b7b07c |
| mod_session-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: 12908ac1cf03fcc11fb0cf936f76b18fe85537531f34f0f9965489b8772390f5 |
| mod_ssl-2.4.6-45.el7_3.5.ppc64le.rpm | SHA-256: 5a3e32b5653b32b7494c2b5a545d9ad2abe3da8348dadaa8fffc3ba94506e49b |
Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.3
| SRPM | |
|---|---|
| httpd-2.4.6-45.el7_3.5.src.rpm | SHA-256: 24fc1cff0a9d88055832c68f166b84f78147355091bf506b8fa740f4d12069da |
| x86_64 | |
| httpd-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 5ff7789d7e909d366332f4d6e2144a089bbcb67a02eb66f8f299d3e3cbcad95a |
| httpd-debuginfo-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: b7725bbe93888cc9a65fe6f4af5b7a6c7f56b085bd63b2f0fd077389d4679ec5 |
| httpd-debuginfo-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: b7725bbe93888cc9a65fe6f4af5b7a6c7f56b085bd63b2f0fd077389d4679ec5 |
| httpd-devel-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 7b93a7d3d108f02c21b4408f4989bf76e9cf619178bb8195858f664fa1813fbf |
| httpd-manual-2.4.6-45.el7_3.5.noarch.rpm | SHA-256: 06d48d067215626b43ea0e331964f72d58a7a4ff2bdc668c6e4ac4b049031a81 |
| httpd-tools-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 3a76c4a6a37005c5a0f74605cd27076bb7540b63970ae262bc4186b398f9487e |
| mod_ldap-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: dd545f4671a673757d86026e51dcc3dcf9907d4e796f7b35f2d73b7b2d159d49 |
| mod_proxy_html-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 834423090c37b4b65498d94fb30e50c92061ec96b4f21bb0000f3f65c52b6ea0 |
| mod_session-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: f6bbde4bf702a45d6ff77a246948ade6d3cd684aedfa07098404a3965ab668ef |
| mod_ssl-2.4.6-45.el7_3.5.x86_64.rpm | SHA-256: 5dd4602f016f6d821fbe23f5a31ba50c4475a54828446fa5627c1cced6477fd1 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.