Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2017:3195 - Security Advisory
Issued:
2017-11-13
Updated:
2017-11-13

RHSA-2017:3195 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: httpd security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for httpd is now available for Red Hat Enterprise Linux 6.7 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

  • It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
  • It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167)
  • A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)
  • A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679)
  • A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)

Red Hat would like to thank Hanno Böck for reporting CVE-2017-9798.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.7 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.7 i386
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.7 s390x
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.7 ppc64
  • Red Hat Enterprise Linux EUS Compute Node 6.7 x86_64
  • Red Hat Enterprise Linux for SAP Solutions for x86_64 - Extended Update Support 6.7 x86_64

Fixes

  • BZ - 1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
  • BZ - 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
  • BZ - 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
  • BZ - 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
  • BZ - 1490344 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)

CVEs

  • CVE-2017-3167
  • CVE-2017-3169
  • CVE-2017-7679
  • CVE-2017-9788
  • CVE-2017-9798

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.7

SRPM
httpd-2.2.15-47.el6_7.5.src.rpm SHA-256: 16b6e03426b667cf361d5ef4c7e7d588cd4c0622d3b0e0956acfa3a1e35c54c3
x86_64
httpd-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 0bb5c1887fdbabfdbdee5da8336b40bb55864c277a4a5665a0fbda1606a489b4
httpd-debuginfo-2.2.15-47.el6_7.5.i686.rpm SHA-256: 312153810e7f96fb92d3557dd0eb22af18e76f8265338010346742083af59f3d
httpd-debuginfo-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 607a7e6cfc34091b3b3be9892ede1fdf850352d8e984cafba460d9edad18f98a
httpd-devel-2.2.15-47.el6_7.5.i686.rpm SHA-256: 8fcab6e7d575f63b233e7ab4477fa99deac9336a68970c581f4676e2f364155a
httpd-devel-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 3135b913dd694e54f78ab231825c0f549faa0508560e17380d03589777ac9cc4
httpd-manual-2.2.15-47.el6_7.5.noarch.rpm SHA-256: 79fd8fd9f6e4724067c4e008f5a002abe8d68b8d68a2cd3a5176df4795adc948
httpd-tools-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 8018d72f19b541e4fe862e004a234202e34eb9382e4d8a1005489e36712b0974
mod_ssl-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 0da3a6a369dce0a2a99e245d07fd8be94a83976f26a10e498586716671d52ec8
i386
httpd-2.2.15-47.el6_7.5.i686.rpm SHA-256: e97da87dabdb13c85205dfd3368ad4cdb20b39e5c69d0e4d7fec58abaa6ca078
httpd-debuginfo-2.2.15-47.el6_7.5.i686.rpm SHA-256: 312153810e7f96fb92d3557dd0eb22af18e76f8265338010346742083af59f3d
httpd-devel-2.2.15-47.el6_7.5.i686.rpm SHA-256: 8fcab6e7d575f63b233e7ab4477fa99deac9336a68970c581f4676e2f364155a
httpd-manual-2.2.15-47.el6_7.5.noarch.rpm SHA-256: 79fd8fd9f6e4724067c4e008f5a002abe8d68b8d68a2cd3a5176df4795adc948
httpd-tools-2.2.15-47.el6_7.5.i686.rpm SHA-256: b87ac98a7ca7d757571d6acaf565f507fd4117114a5a8e22132be259fd3f0e04
mod_ssl-2.2.15-47.el6_7.5.i686.rpm SHA-256: cf74b79f1d6bb20f6292183c024a1f93851431f1d5ca7ad7a4ef58350a7e2fb7

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.7

SRPM
httpd-2.2.15-47.el6_7.5.src.rpm SHA-256: 16b6e03426b667cf361d5ef4c7e7d588cd4c0622d3b0e0956acfa3a1e35c54c3
s390x
httpd-2.2.15-47.el6_7.5.s390x.rpm SHA-256: e53e22fd23a60a61e93ca42668525be470c2f893707c256735fefba453cec921
httpd-debuginfo-2.2.15-47.el6_7.5.s390.rpm SHA-256: c0debcab1dc5c5482f2693020e05f306de6f1b5ccf936e0edfafbc205070d9b1
httpd-debuginfo-2.2.15-47.el6_7.5.s390x.rpm SHA-256: db8ef7393596ffa007face01917bd9a45c0bc2ad27a68d2b88ab0977c2a8d39c
httpd-devel-2.2.15-47.el6_7.5.s390.rpm SHA-256: eec65163ae6b113a0b94840d6f7029a394e1fde86e33eb1238adf0fa836f6193
httpd-devel-2.2.15-47.el6_7.5.s390x.rpm SHA-256: 4b839dde5189b44363b1bb0adf1db1dc8d6cc3f07040e8a503777f47f7dab68b
httpd-manual-2.2.15-47.el6_7.5.noarch.rpm SHA-256: 79fd8fd9f6e4724067c4e008f5a002abe8d68b8d68a2cd3a5176df4795adc948
httpd-tools-2.2.15-47.el6_7.5.s390x.rpm SHA-256: 7f1a3479c2893d19775a8cd42754811d508916cc016a9b9b6847b629e76bed3a
mod_ssl-2.2.15-47.el6_7.5.s390x.rpm SHA-256: 74fe9908bced24328f5b7213ddcc1a2100303352dbaab7a8d08bcd27750cd148

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.7

SRPM
httpd-2.2.15-47.el6_7.5.src.rpm SHA-256: 16b6e03426b667cf361d5ef4c7e7d588cd4c0622d3b0e0956acfa3a1e35c54c3
ppc64
httpd-2.2.15-47.el6_7.5.ppc64.rpm SHA-256: 40cf182760e0c417a6d830dc6d0f67c7c1341fa5ca737bf6fb81537d25576ffb
httpd-debuginfo-2.2.15-47.el6_7.5.ppc.rpm SHA-256: 21d0ffc228fba7c39ddcfe2bf03ba094d90ea432ad77f04317d70117df66d0fc
httpd-debuginfo-2.2.15-47.el6_7.5.ppc64.rpm SHA-256: 3bc74693ca6d3509362b9993df360c9b1e450d8c5b0ed33ac95efb6983bdd1ed
httpd-devel-2.2.15-47.el6_7.5.ppc.rpm SHA-256: 9ce27f26e68cbdeda45d59c40f8f77ecaa8b2f9ecc9b76bd3ccd992e7d1060c5
httpd-devel-2.2.15-47.el6_7.5.ppc64.rpm SHA-256: c7cf8234054ff5288fd16428eb3911c237962e3ce27eda92b5dd380d15606a33
httpd-manual-2.2.15-47.el6_7.5.noarch.rpm SHA-256: 79fd8fd9f6e4724067c4e008f5a002abe8d68b8d68a2cd3a5176df4795adc948
httpd-tools-2.2.15-47.el6_7.5.ppc64.rpm SHA-256: cf5f5491d3eeba8250c3d3106fda6036ee9c70f348b37aaa7b254e955fcf9e6e
mod_ssl-2.2.15-47.el6_7.5.ppc64.rpm SHA-256: 9faad7773a99993d2a7f9a48747fe31ecfd3583ae07113f09bffd8c36d09e51a

Red Hat Enterprise Linux EUS Compute Node 6.7

SRPM
httpd-2.2.15-47.el6_7.5.src.rpm SHA-256: 16b6e03426b667cf361d5ef4c7e7d588cd4c0622d3b0e0956acfa3a1e35c54c3
x86_64
httpd-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 0bb5c1887fdbabfdbdee5da8336b40bb55864c277a4a5665a0fbda1606a489b4
httpd-debuginfo-2.2.15-47.el6_7.5.i686.rpm SHA-256: 312153810e7f96fb92d3557dd0eb22af18e76f8265338010346742083af59f3d
httpd-debuginfo-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 607a7e6cfc34091b3b3be9892ede1fdf850352d8e984cafba460d9edad18f98a
httpd-debuginfo-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 607a7e6cfc34091b3b3be9892ede1fdf850352d8e984cafba460d9edad18f98a
httpd-devel-2.2.15-47.el6_7.5.i686.rpm SHA-256: 8fcab6e7d575f63b233e7ab4477fa99deac9336a68970c581f4676e2f364155a
httpd-devel-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 3135b913dd694e54f78ab231825c0f549faa0508560e17380d03589777ac9cc4
httpd-manual-2.2.15-47.el6_7.5.noarch.rpm SHA-256: 79fd8fd9f6e4724067c4e008f5a002abe8d68b8d68a2cd3a5176df4795adc948
httpd-tools-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 8018d72f19b541e4fe862e004a234202e34eb9382e4d8a1005489e36712b0974
mod_ssl-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 0da3a6a369dce0a2a99e245d07fd8be94a83976f26a10e498586716671d52ec8

Red Hat Enterprise Linux for SAP Solutions for x86_64 - Extended Update Support 6.7

SRPM
httpd-2.2.15-47.el6_7.5.src.rpm SHA-256: 16b6e03426b667cf361d5ef4c7e7d588cd4c0622d3b0e0956acfa3a1e35c54c3
x86_64
httpd-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 0bb5c1887fdbabfdbdee5da8336b40bb55864c277a4a5665a0fbda1606a489b4
httpd-debuginfo-2.2.15-47.el6_7.5.i686.rpm SHA-256: 312153810e7f96fb92d3557dd0eb22af18e76f8265338010346742083af59f3d
httpd-debuginfo-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 607a7e6cfc34091b3b3be9892ede1fdf850352d8e984cafba460d9edad18f98a
httpd-devel-2.2.15-47.el6_7.5.i686.rpm SHA-256: 8fcab6e7d575f63b233e7ab4477fa99deac9336a68970c581f4676e2f364155a
httpd-devel-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 3135b913dd694e54f78ab231825c0f549faa0508560e17380d03589777ac9cc4
httpd-manual-2.2.15-47.el6_7.5.noarch.rpm SHA-256: 79fd8fd9f6e4724067c4e008f5a002abe8d68b8d68a2cd3a5176df4795adc948
httpd-tools-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 8018d72f19b541e4fe862e004a234202e34eb9382e4d8a1005489e36712b0974
mod_ssl-2.2.15-47.el6_7.5.x86_64.rpm SHA-256: 0da3a6a369dce0a2a99e245d07fd8be94a83976f26a10e498586716671d52ec8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2022 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter