- Issued:
- 2018-07-12
- Updated:
- 2018-07-12
RHSA-2018:2185 - Security Advisory
Synopsis
Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 7 security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this release as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Description
This release adds the new Apache HTTP Server 2.4.29 packages that are part
of the JBoss Core Services offering.
This release serves as a replacement for Red Hat JBoss Core Services
Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes,
enhancements and component upgrades included in this release.
This release upgrades OpenSSL to version 1.0.2.n
Security Fix(es):
- openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182)
- openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302)
- openssl: certificate message OOB reads (CVE-2016-6306)
- openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055)
- openssl: Truncated packet could crash via OOB read (CVE-2017-3731)
- openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
- openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
- openssl: Read/write after SSL object in error state (CVE-2017-3737)
- openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306
and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6306.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat JBoss Core Services 1 for RHEL 7 x86_64
Fixes
- BZ - 1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
- BZ - 1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
- BZ - 1377594 - CVE-2016-6306 openssl: certificate message OOB reads
- BZ - 1393929 - CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication
- BZ - 1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read
- BZ - 1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64
- BZ - 1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64
- BZ - 1523504 - CVE-2017-3737 openssl: Read/write after SSL object in error state
- BZ - 1523510 - CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
CVEs
Red Hat JBoss Core Services 1 for RHEL 7
SRPM | |
---|---|
jbcs-httpd24-apache-commons-daemon-1.1.0-1.redhat_2.1.jbcs.el7.src.rpm | SHA-256: 38a3404236a2518eb9fe17b0a28851f05d2d41d6ac35df49860bab01f66dbc93 |
jbcs-httpd24-apache-commons-daemon-jsvc-1.1.0-1.redhat_2.jbcs.el7.src.rpm | SHA-256: b99ccc75da41a48498dad4eb363c6efa820f97b2ffefdb45911142316fad9065 |
jbcs-httpd24-apr-1.6.3-14.jbcs.el7.src.rpm | SHA-256: a20a1a7cfc5647ab6bed286ec4fbe007e3b50a4e496743bdd2ccd512bd040b27 |
jbcs-httpd24-apr-util-1.6.1-9.jbcs.el7.src.rpm | SHA-256: 7c5b6c838f047da2780e0ea1c51e490424703a88c998e968b496436d07d34a39 |
jbcs-httpd24-httpd-2.4.29-17.jbcs.el7.src.rpm | SHA-256: 4fde482ccca51add6d1894e3a8e73f511f914f9abf045b0f62f1ad69a2030d96 |
jbcs-httpd24-mod_auth_kerb-5.4-36.jbcs.el7.src.rpm | SHA-256: 028493079ca5f1f14f2541befbd8ef56ce1dfcd37a1ee5b8f71ad1eb27f28a3f |
jbcs-httpd24-mod_bmx-0.9.6-17.GA.jbcs.el7.src.rpm | SHA-256: 060d3656c720fe050513ae89a78908acc932313350d25bd49e1376f2a3532d2e |
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_2.jbcs.el7.src.rpm | SHA-256: 1b2df5747df1cd1a300cd0551ed93a56076fedc61d5e54005637cb1836c2a700 |
jbcs-httpd24-mod_jk-1.2.43-1.redhat_1.jbcs.el7.src.rpm | SHA-256: 34381a41e0ac821f3a9f3b0d6ef335a11a51b426386e20feb9525409674cd098 |
jbcs-httpd24-mod_rt-2.4.1-19.GA.jbcs.el7.src.rpm | SHA-256: 60305c2e32e336a3356013b8eea28b1e36b0c534f30bf575caee2c05a27a6c58 |
jbcs-httpd24-mod_security-2.9.1-23.GA.jbcs.el7.src.rpm | SHA-256: 3275980eb09643fc1bb0c14abc31ca645191283e3ba891f98d38cd03bc8edb76 |
jbcs-httpd24-nghttp2-1.29.0-8.jbcs.el7.src.rpm | SHA-256: d52049d04f7e2d65b17e7fa80fd2f4d24deca279029cac8846af31406cf78cf3 |
jbcs-httpd24-openssl-1.0.2n-11.jbcs.el7.src.rpm | SHA-256: bcc121ddeb0760b311c93627155e8575227d76d187a0db5bd67e0706fe25d879 |
x86_64 | |
jbcs-httpd24-apache-commons-daemon-1.1.0-1.redhat_2.1.jbcs.el7.noarch.rpm | SHA-256: 03ed16654b8b7db2b4c7c4339627465a76f99d99c81bfb19594da1f733561a44 |
jbcs-httpd24-apache-commons-daemon-jsvc-1.1.0-1.redhat_2.jbcs.el7.x86_64.rpm | SHA-256: 9db0de89f1c77cfb96f4f572b2e612abd8f477074ccbfbb66335f5def81fb72e |
jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.1.0-1.redhat_2.jbcs.el7.x86_64.rpm | SHA-256: 401e8654a097edf2b46c2ae494e86605008c028e11837c816e3fc3abb97bf44b |
jbcs-httpd24-apr-1.6.3-14.jbcs.el7.x86_64.rpm | SHA-256: 77ecd9f8c9c869d28ec86345f141a2cfbea3bb7a8f847cf61a4932cb12952c3c |
jbcs-httpd24-apr-debuginfo-1.6.3-14.jbcs.el7.x86_64.rpm | SHA-256: a041646c46263ec8ea1662f53dd13844cc4f5caa309e44b7f736a8b4f6ae7f38 |
jbcs-httpd24-apr-devel-1.6.3-14.jbcs.el7.x86_64.rpm | SHA-256: 4d54174cf84af22c1d14d16c8769c1a7022f660b43630c198388eb924bb2801c |
jbcs-httpd24-apr-util-1.6.1-9.jbcs.el7.x86_64.rpm | SHA-256: b95222c1e323d7162d9805c90127aeb1ab816808311c60d26404f0ac8b152a9c |
jbcs-httpd24-apr-util-debuginfo-1.6.1-9.jbcs.el7.x86_64.rpm | SHA-256: a3515a61e8ad94274ddc1cf5211bfb42b459a24743c6f77e594ef9392dd2369c |
jbcs-httpd24-apr-util-devel-1.6.1-9.jbcs.el7.x86_64.rpm | SHA-256: f0bf2487b59579e1b76fa599503ce084fd2a93d5a16c1daf5877dc0f9bb7832a |
jbcs-httpd24-apr-util-ldap-1.6.1-9.jbcs.el7.x86_64.rpm | SHA-256: b68e16afa627ceddb5657f9d0e42baa3aaea5f7c182ccd24cf40df54348a4122 |
jbcs-httpd24-apr-util-mysql-1.6.1-9.jbcs.el7.x86_64.rpm | SHA-256: bf85a30ce0325f923173a1a0b7a6db5ff7c4e190d92e505b1f92eb4f8b1987af |
jbcs-httpd24-apr-util-nss-1.6.1-9.jbcs.el7.x86_64.rpm | SHA-256: 13f17890cfc6878c930ea010a697d21aee96cb9a48503399e849a170f105b6d4 |
jbcs-httpd24-apr-util-odbc-1.6.1-9.jbcs.el7.x86_64.rpm | SHA-256: 2598b3559c80d23b77e8545d5c41ed319965679dee89014b5c034ce5ab02e204 |
jbcs-httpd24-apr-util-openssl-1.6.1-9.jbcs.el7.x86_64.rpm | SHA-256: 00149e4c5737c65cd30e6336682e4e90aaef7d33c63131c531e139beed8765fb |
jbcs-httpd24-apr-util-pgsql-1.6.1-9.jbcs.el7.x86_64.rpm | SHA-256: 7b7bebdd61718c85a10e0ebc241d7ae174efeb0b721799a6f874f69d6cc52fbb |
jbcs-httpd24-apr-util-sqlite-1.6.1-9.jbcs.el7.x86_64.rpm | SHA-256: 441187d2990ada02f70aa5590e87cee6a04571e4bfd4641216a9218514615a6b |
jbcs-httpd24-httpd-2.4.29-17.jbcs.el7.x86_64.rpm | SHA-256: 0f24cdf1b5ef37261c100c9cbb82098722bfaf0f00ef4f524e6a7413db4022a1 |
jbcs-httpd24-httpd-debuginfo-2.4.29-17.jbcs.el7.x86_64.rpm | SHA-256: 450a21bb6ec233458956869ae58d84267d29002a71361e9e694c0b7e68c1b4b5 |
jbcs-httpd24-httpd-devel-2.4.29-17.jbcs.el7.x86_64.rpm | SHA-256: 9671a5937e0952f5e9adcbb79b194d32c4d25a96f91823c3c8962111994f2b02 |
jbcs-httpd24-httpd-manual-2.4.29-17.jbcs.el7.noarch.rpm | SHA-256: f67d325e61d5b6ee5a882f83e3d19fe1a19c5e55b098efdf318cb5326d2b6824 |
jbcs-httpd24-httpd-selinux-2.4.29-17.jbcs.el7.x86_64.rpm | SHA-256: 788732c584c5c0de2581771c4d33c7b2ff80518ac43fba9dda10037cf7bfc8b4 |
jbcs-httpd24-httpd-tools-2.4.29-17.jbcs.el7.x86_64.rpm | SHA-256: d6afa288b244327a187103b4a4d6ff45e53ef2ff81cd689fc8903b6fdcf48ebd |
jbcs-httpd24-mod_auth_kerb-5.4-36.jbcs.el7.x86_64.rpm | SHA-256: aaa4bfad02aee63ef1fc90935e55ea11a1e898611fac6c77eb85a7d5ad2af25b |
jbcs-httpd24-mod_auth_kerb-debuginfo-5.4-36.jbcs.el7.x86_64.rpm | SHA-256: a853a49f19ec2cb2fb2a5e5561752d1f1e4d60fc6f90da2c6cc0bde8b809d0ad |
jbcs-httpd24-mod_bmx-0.9.6-17.GA.jbcs.el7.x86_64.rpm | SHA-256: 0f005c72163e5d009d905ee275b8b9d99d22ffc5ce42ed449e6cf33ceef7799e |
jbcs-httpd24-mod_bmx-debuginfo-0.9.6-17.GA.jbcs.el7.x86_64.rpm | SHA-256: 65e60391c123b472ca7100a15be62d914f1b1929f11cf0a6dd92966b28bede15 |
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_2.jbcs.el7.x86_64.rpm | SHA-256: 3e39231d6ed340fd54c52674637f7b215eb82bf15d36394e3423f571eed18c6b |
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_2.jbcs.el7.x86_64.rpm | SHA-256: f3749ffabcadaa16caada6597d042a44d222aba7a8d435ccf07b36364239549b |
jbcs-httpd24-mod_jk-ap24-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm | SHA-256: e78d2d343c2d153c53107fa100322c8dd743e6bc8422dd6d676163b878be9189 |
jbcs-httpd24-mod_jk-debuginfo-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm | SHA-256: 30831173da8fd63facca1ac88ec500856ee0d6cb02bfa9de670151609577a892 |
jbcs-httpd24-mod_jk-manual-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm | SHA-256: 76ef70ebe35978f0d02a3c71266a6bab3f321874c2c0694ceabdaec4ab8c7137 |
jbcs-httpd24-mod_ldap-2.4.29-17.jbcs.el7.x86_64.rpm | SHA-256: d779885ce25c037c0c8b2c3f063533e643af58a511f42d479d8d88ef412086c1 |
jbcs-httpd24-mod_proxy_html-2.4.29-17.jbcs.el7.x86_64.rpm | SHA-256: d3bcb4cc3c10aa95ea34327e3db99a1a3e18e8eda98513f00d803efe3b6fcd56 |
jbcs-httpd24-mod_rt-2.4.1-19.GA.jbcs.el7.x86_64.rpm | SHA-256: 856be5ad6c2c09a3ac739c174a0acf1854c915d06e79bd1bb1684fa8f8901235 |
jbcs-httpd24-mod_rt-debuginfo-2.4.1-19.GA.jbcs.el7.x86_64.rpm | SHA-256: b03912484ebac71c4cb91b3787fa43f2bb661978b6e9e381b001809ae2d84092 |
jbcs-httpd24-mod_security-2.9.1-23.GA.jbcs.el7.x86_64.rpm | SHA-256: bd989aec29a06a40080ec117a953e61fb6ec5d7d8d5eb5bccf1691e2511bdec3 |
jbcs-httpd24-mod_security-debuginfo-2.9.1-23.GA.jbcs.el7.x86_64.rpm | SHA-256: 8826ae29ba2ed187c0150660b36642faf3ab1a5b1d51fe1dfe9ecb7949119f28 |
jbcs-httpd24-mod_session-2.4.29-17.jbcs.el7.x86_64.rpm | SHA-256: 86957662698c9939b4d1c1da534be5978d8e283ecc997feeaeed451e2d3aceda |
jbcs-httpd24-mod_ssl-2.4.29-17.jbcs.el7.x86_64.rpm | SHA-256: f2c6e53bca8f3ac3e8bdbdd47ffe1564ace8b01bbf94b16cb38a84568b19638c |
jbcs-httpd24-nghttp2-1.29.0-8.jbcs.el7.x86_64.rpm | SHA-256: 0922b97f4835e6cc9906c2f43ecc875cb602949681321d2db4317cbc98bc8d0a |
jbcs-httpd24-nghttp2-debuginfo-1.29.0-8.jbcs.el7.x86_64.rpm | SHA-256: 480633fc93336a654a8fc8766cfde34413c085db42366aae7b93b130a9747325 |
jbcs-httpd24-nghttp2-devel-1.29.0-8.jbcs.el7.x86_64.rpm | SHA-256: 5435d58973bc3dc189c1b1cfe7a3ae5b50a3681ea9bb676f247fcd64894d00e2 |
jbcs-httpd24-openssl-1.0.2n-11.jbcs.el7.x86_64.rpm | SHA-256: 9e9e452d90c592ad2834a47d673941bc3e6a26856b1c3111258bfa1613a382f9 |
jbcs-httpd24-openssl-debuginfo-1.0.2n-11.jbcs.el7.x86_64.rpm | SHA-256: 5fad62a0c912413eb0252a2965ed9c80659da354e6db641ee91d1d35e0617a4f |
jbcs-httpd24-openssl-devel-1.0.2n-11.jbcs.el7.x86_64.rpm | SHA-256: 22e13f3de793fb0248d1a84f499781e91793b48a4dec58dc3d65643f954d77f9 |
jbcs-httpd24-openssl-libs-1.0.2n-11.jbcs.el7.x86_64.rpm | SHA-256: d442c8111182048d8f9d045cf52c950b73442535536ef2b47092e2c9370e9e60 |
jbcs-httpd24-openssl-perl-1.0.2n-11.jbcs.el7.x86_64.rpm | SHA-256: a19de9dbf25971da000cf606de026eb039a9b411a3997ecc458cc099c8fcc373 |
jbcs-httpd24-openssl-static-1.0.2n-11.jbcs.el7.x86_64.rpm | SHA-256: a39841f250bdd4ca4fc5e56ffd1ce4d7c11d6c563b514c7f22cdf70fb616f268 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.