Red Hat Product Errata RHSA-2018:2185 - Security Advisory
Issued:
2018-07-12
Updated:
2018-07-12

RHSA-2018:2185 - Security Advisory

Synopsis

Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 7 security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this release as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

This release adds the new Apache HTTP Server 2.4.29 packages that are part
of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services
Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes,
enhancements and component upgrades included in this release.

This release upgrades OpenSSL to version 1.0.2.n

Security Fix(es):

  • openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182)
  • openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302)
  • openssl: certificate message OOB reads (CVE-2016-6306)
  • openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055)
  • openssl: Truncated packet could crash via OOB read (CVE-2017-3731)
  • openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
  • openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
  • openssl: Read/write after SSL object in error state (CVE-2017-3737)
  • openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306
and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6306.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat JBoss Core Services 1 for RHEL 7 x86_64

Fixes

  • BZ - 1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
  • BZ - 1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
  • BZ - 1377594 - CVE-2016-6306 openssl: certificate message OOB reads
  • BZ - 1393929 - CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication
  • BZ - 1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read
  • BZ - 1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64
  • BZ - 1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64
  • BZ - 1523504 - CVE-2017-3737 openssl: Read/write after SSL object in error state
  • BZ - 1523510 - CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64

Red Hat JBoss Core Services 1 for RHEL 7

SRPM
jbcs-httpd24-apache-commons-daemon-1.1.0-1.redhat_2.1.jbcs.el7.src.rpm SHA-256: 38a3404236a2518eb9fe17b0a28851f05d2d41d6ac35df49860bab01f66dbc93
jbcs-httpd24-apache-commons-daemon-jsvc-1.1.0-1.redhat_2.jbcs.el7.src.rpm SHA-256: b99ccc75da41a48498dad4eb363c6efa820f97b2ffefdb45911142316fad9065
jbcs-httpd24-apr-1.6.3-14.jbcs.el7.src.rpm SHA-256: a20a1a7cfc5647ab6bed286ec4fbe007e3b50a4e496743bdd2ccd512bd040b27
jbcs-httpd24-apr-util-1.6.1-9.jbcs.el7.src.rpm SHA-256: 7c5b6c838f047da2780e0ea1c51e490424703a88c998e968b496436d07d34a39
jbcs-httpd24-httpd-2.4.29-17.jbcs.el7.src.rpm SHA-256: 4fde482ccca51add6d1894e3a8e73f511f914f9abf045b0f62f1ad69a2030d96
jbcs-httpd24-mod_auth_kerb-5.4-36.jbcs.el7.src.rpm SHA-256: 028493079ca5f1f14f2541befbd8ef56ce1dfcd37a1ee5b8f71ad1eb27f28a3f
jbcs-httpd24-mod_bmx-0.9.6-17.GA.jbcs.el7.src.rpm SHA-256: 060d3656c720fe050513ae89a78908acc932313350d25bd49e1376f2a3532d2e
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_2.jbcs.el7.src.rpm SHA-256: 1b2df5747df1cd1a300cd0551ed93a56076fedc61d5e54005637cb1836c2a700
jbcs-httpd24-mod_jk-1.2.43-1.redhat_1.jbcs.el7.src.rpm SHA-256: 34381a41e0ac821f3a9f3b0d6ef335a11a51b426386e20feb9525409674cd098
jbcs-httpd24-mod_rt-2.4.1-19.GA.jbcs.el7.src.rpm SHA-256: 60305c2e32e336a3356013b8eea28b1e36b0c534f30bf575caee2c05a27a6c58
jbcs-httpd24-mod_security-2.9.1-23.GA.jbcs.el7.src.rpm SHA-256: 3275980eb09643fc1bb0c14abc31ca645191283e3ba891f98d38cd03bc8edb76
jbcs-httpd24-nghttp2-1.29.0-8.jbcs.el7.src.rpm SHA-256: d52049d04f7e2d65b17e7fa80fd2f4d24deca279029cac8846af31406cf78cf3
jbcs-httpd24-openssl-1.0.2n-11.jbcs.el7.src.rpm SHA-256: bcc121ddeb0760b311c93627155e8575227d76d187a0db5bd67e0706fe25d879
x86_64
jbcs-httpd24-apache-commons-daemon-1.1.0-1.redhat_2.1.jbcs.el7.noarch.rpm SHA-256: 03ed16654b8b7db2b4c7c4339627465a76f99d99c81bfb19594da1f733561a44
jbcs-httpd24-apache-commons-daemon-jsvc-1.1.0-1.redhat_2.jbcs.el7.x86_64.rpm SHA-256: 9db0de89f1c77cfb96f4f572b2e612abd8f477074ccbfbb66335f5def81fb72e
jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.1.0-1.redhat_2.jbcs.el7.x86_64.rpm SHA-256: 401e8654a097edf2b46c2ae494e86605008c028e11837c816e3fc3abb97bf44b
jbcs-httpd24-apr-1.6.3-14.jbcs.el7.x86_64.rpm SHA-256: 77ecd9f8c9c869d28ec86345f141a2cfbea3bb7a8f847cf61a4932cb12952c3c
jbcs-httpd24-apr-debuginfo-1.6.3-14.jbcs.el7.x86_64.rpm SHA-256: a041646c46263ec8ea1662f53dd13844cc4f5caa309e44b7f736a8b4f6ae7f38
jbcs-httpd24-apr-devel-1.6.3-14.jbcs.el7.x86_64.rpm SHA-256: 4d54174cf84af22c1d14d16c8769c1a7022f660b43630c198388eb924bb2801c
jbcs-httpd24-apr-util-1.6.1-9.jbcs.el7.x86_64.rpm SHA-256: b95222c1e323d7162d9805c90127aeb1ab816808311c60d26404f0ac8b152a9c
jbcs-httpd24-apr-util-debuginfo-1.6.1-9.jbcs.el7.x86_64.rpm SHA-256: a3515a61e8ad94274ddc1cf5211bfb42b459a24743c6f77e594ef9392dd2369c
jbcs-httpd24-apr-util-devel-1.6.1-9.jbcs.el7.x86_64.rpm SHA-256: f0bf2487b59579e1b76fa599503ce084fd2a93d5a16c1daf5877dc0f9bb7832a
jbcs-httpd24-apr-util-ldap-1.6.1-9.jbcs.el7.x86_64.rpm SHA-256: b68e16afa627ceddb5657f9d0e42baa3aaea5f7c182ccd24cf40df54348a4122
jbcs-httpd24-apr-util-mysql-1.6.1-9.jbcs.el7.x86_64.rpm SHA-256: bf85a30ce0325f923173a1a0b7a6db5ff7c4e190d92e505b1f92eb4f8b1987af
jbcs-httpd24-apr-util-nss-1.6.1-9.jbcs.el7.x86_64.rpm SHA-256: 13f17890cfc6878c930ea010a697d21aee96cb9a48503399e849a170f105b6d4
jbcs-httpd24-apr-util-odbc-1.6.1-9.jbcs.el7.x86_64.rpm SHA-256: 2598b3559c80d23b77e8545d5c41ed319965679dee89014b5c034ce5ab02e204
jbcs-httpd24-apr-util-openssl-1.6.1-9.jbcs.el7.x86_64.rpm SHA-256: 00149e4c5737c65cd30e6336682e4e90aaef7d33c63131c531e139beed8765fb
jbcs-httpd24-apr-util-pgsql-1.6.1-9.jbcs.el7.x86_64.rpm SHA-256: 7b7bebdd61718c85a10e0ebc241d7ae174efeb0b721799a6f874f69d6cc52fbb
jbcs-httpd24-apr-util-sqlite-1.6.1-9.jbcs.el7.x86_64.rpm SHA-256: 441187d2990ada02f70aa5590e87cee6a04571e4bfd4641216a9218514615a6b
jbcs-httpd24-httpd-2.4.29-17.jbcs.el7.x86_64.rpm SHA-256: 0f24cdf1b5ef37261c100c9cbb82098722bfaf0f00ef4f524e6a7413db4022a1
jbcs-httpd24-httpd-debuginfo-2.4.29-17.jbcs.el7.x86_64.rpm SHA-256: 450a21bb6ec233458956869ae58d84267d29002a71361e9e694c0b7e68c1b4b5
jbcs-httpd24-httpd-devel-2.4.29-17.jbcs.el7.x86_64.rpm SHA-256: 9671a5937e0952f5e9adcbb79b194d32c4d25a96f91823c3c8962111994f2b02
jbcs-httpd24-httpd-manual-2.4.29-17.jbcs.el7.noarch.rpm SHA-256: f67d325e61d5b6ee5a882f83e3d19fe1a19c5e55b098efdf318cb5326d2b6824
jbcs-httpd24-httpd-selinux-2.4.29-17.jbcs.el7.x86_64.rpm SHA-256: 788732c584c5c0de2581771c4d33c7b2ff80518ac43fba9dda10037cf7bfc8b4
jbcs-httpd24-httpd-tools-2.4.29-17.jbcs.el7.x86_64.rpm SHA-256: d6afa288b244327a187103b4a4d6ff45e53ef2ff81cd689fc8903b6fdcf48ebd
jbcs-httpd24-mod_auth_kerb-5.4-36.jbcs.el7.x86_64.rpm SHA-256: aaa4bfad02aee63ef1fc90935e55ea11a1e898611fac6c77eb85a7d5ad2af25b
jbcs-httpd24-mod_auth_kerb-debuginfo-5.4-36.jbcs.el7.x86_64.rpm SHA-256: a853a49f19ec2cb2fb2a5e5561752d1f1e4d60fc6f90da2c6cc0bde8b809d0ad
jbcs-httpd24-mod_bmx-0.9.6-17.GA.jbcs.el7.x86_64.rpm SHA-256: 0f005c72163e5d009d905ee275b8b9d99d22ffc5ce42ed449e6cf33ceef7799e
jbcs-httpd24-mod_bmx-debuginfo-0.9.6-17.GA.jbcs.el7.x86_64.rpm SHA-256: 65e60391c123b472ca7100a15be62d914f1b1929f11cf0a6dd92966b28bede15
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_2.jbcs.el7.x86_64.rpm SHA-256: 3e39231d6ed340fd54c52674637f7b215eb82bf15d36394e3423f571eed18c6b
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_2.jbcs.el7.x86_64.rpm SHA-256: f3749ffabcadaa16caada6597d042a44d222aba7a8d435ccf07b36364239549b
jbcs-httpd24-mod_jk-ap24-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm SHA-256: e78d2d343c2d153c53107fa100322c8dd743e6bc8422dd6d676163b878be9189
jbcs-httpd24-mod_jk-debuginfo-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm SHA-256: 30831173da8fd63facca1ac88ec500856ee0d6cb02bfa9de670151609577a892
jbcs-httpd24-mod_jk-manual-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm SHA-256: 76ef70ebe35978f0d02a3c71266a6bab3f321874c2c0694ceabdaec4ab8c7137
jbcs-httpd24-mod_ldap-2.4.29-17.jbcs.el7.x86_64.rpm SHA-256: d779885ce25c037c0c8b2c3f063533e643af58a511f42d479d8d88ef412086c1
jbcs-httpd24-mod_proxy_html-2.4.29-17.jbcs.el7.x86_64.rpm SHA-256: d3bcb4cc3c10aa95ea34327e3db99a1a3e18e8eda98513f00d803efe3b6fcd56
jbcs-httpd24-mod_rt-2.4.1-19.GA.jbcs.el7.x86_64.rpm SHA-256: 856be5ad6c2c09a3ac739c174a0acf1854c915d06e79bd1bb1684fa8f8901235
jbcs-httpd24-mod_rt-debuginfo-2.4.1-19.GA.jbcs.el7.x86_64.rpm SHA-256: b03912484ebac71c4cb91b3787fa43f2bb661978b6e9e381b001809ae2d84092
jbcs-httpd24-mod_security-2.9.1-23.GA.jbcs.el7.x86_64.rpm SHA-256: bd989aec29a06a40080ec117a953e61fb6ec5d7d8d5eb5bccf1691e2511bdec3
jbcs-httpd24-mod_security-debuginfo-2.9.1-23.GA.jbcs.el7.x86_64.rpm SHA-256: 8826ae29ba2ed187c0150660b36642faf3ab1a5b1d51fe1dfe9ecb7949119f28
jbcs-httpd24-mod_session-2.4.29-17.jbcs.el7.x86_64.rpm SHA-256: 86957662698c9939b4d1c1da534be5978d8e283ecc997feeaeed451e2d3aceda
jbcs-httpd24-mod_ssl-2.4.29-17.jbcs.el7.x86_64.rpm SHA-256: f2c6e53bca8f3ac3e8bdbdd47ffe1564ace8b01bbf94b16cb38a84568b19638c
jbcs-httpd24-nghttp2-1.29.0-8.jbcs.el7.x86_64.rpm SHA-256: 0922b97f4835e6cc9906c2f43ecc875cb602949681321d2db4317cbc98bc8d0a
jbcs-httpd24-nghttp2-debuginfo-1.29.0-8.jbcs.el7.x86_64.rpm SHA-256: 480633fc93336a654a8fc8766cfde34413c085db42366aae7b93b130a9747325
jbcs-httpd24-nghttp2-devel-1.29.0-8.jbcs.el7.x86_64.rpm SHA-256: 5435d58973bc3dc189c1b1cfe7a3ae5b50a3681ea9bb676f247fcd64894d00e2
jbcs-httpd24-openssl-1.0.2n-11.jbcs.el7.x86_64.rpm SHA-256: 9e9e452d90c592ad2834a47d673941bc3e6a26856b1c3111258bfa1613a382f9
jbcs-httpd24-openssl-debuginfo-1.0.2n-11.jbcs.el7.x86_64.rpm SHA-256: 5fad62a0c912413eb0252a2965ed9c80659da354e6db641ee91d1d35e0617a4f
jbcs-httpd24-openssl-devel-1.0.2n-11.jbcs.el7.x86_64.rpm SHA-256: 22e13f3de793fb0248d1a84f499781e91793b48a4dec58dc3d65643f954d77f9
jbcs-httpd24-openssl-libs-1.0.2n-11.jbcs.el7.x86_64.rpm SHA-256: d442c8111182048d8f9d045cf52c950b73442535536ef2b47092e2c9370e9e60
jbcs-httpd24-openssl-perl-1.0.2n-11.jbcs.el7.x86_64.rpm SHA-256: a19de9dbf25971da000cf606de026eb039a9b411a3997ecc458cc099c8fcc373
jbcs-httpd24-openssl-static-1.0.2n-11.jbcs.el7.x86_64.rpm SHA-256: a39841f250bdd4ca4fc5e56ffd1ce4d7c11d6c563b514c7f22cdf70fb616f268

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.