Red Hat Product Errata RHSA-2019:1297 - Security Advisory

Issued:: 2019-05-30
Updated:: 2019-05-30

RHSA-2019:1297 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP2 security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for JBoss Core Services on RHEL 6 and RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Service Pack 2 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.29, and includes bug fixes for CVEs which are linked to in the References section.

Security Fix(es):

openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang (CVE-2018-0732)
openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
httpd: privilege escalation from modules scripts (CVE-2019-0211)

Details around this issue, including information about the CVE, severity of the issue, and CVSS scores can be found on the CVE pages listed in the References section below.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

Red Hat JBoss Core Services 1 for RHEL 7 x86_64
Red Hat JBoss Core Services 1 for RHEL 6 x86_64
Red Hat JBoss Core Services 1 for RHEL 6 i386

Fixes

BZ - 1591100 - CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang
BZ - 1591163 - CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries
BZ - 1694980 - CVE-2019-0211 httpd: privilege escalation from modules scripts

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat JBoss Core Services 1 for RHEL 7

SRPM
jbcs-httpd24-httpd-2.4.29-40.jbcs.el7.src.rpm	SHA-256: 66063c59ac2c64f8de08181d9f4a859834f74cc4ced693491592bd4719db02f2
jbcs-httpd24-openssl-1.0.2n-15.jbcs.el7.src.rpm	SHA-256: ab45892f33ea339c6fc6243a8765c06b0e10d471a6ba5d7dc1408b8ee6ce47c0
x86_64
jbcs-httpd24-httpd-2.4.29-40.jbcs.el7.x86_64.rpm	SHA-256: b92384954e394f7ecfcab9057bb109a6ba3c583210746894b6e530dc19682594
jbcs-httpd24-httpd-debuginfo-2.4.29-40.jbcs.el7.x86_64.rpm	SHA-256: acc3c79f547817889f83ddbbf4a46aa158ac7fc5c71cf443ae5f2646caef01f4
jbcs-httpd24-httpd-devel-2.4.29-40.jbcs.el7.x86_64.rpm	SHA-256: 6a55808818d04db957910db20b46a41d7936daee1f0ed43306f531148e4e804c
jbcs-httpd24-httpd-manual-2.4.29-40.jbcs.el7.noarch.rpm	SHA-256: 4977519a9a35b76098e1ed9c5b6003e1738e7e1489fa600766a6e83acfe05e1f
jbcs-httpd24-httpd-selinux-2.4.29-40.jbcs.el7.x86_64.rpm	SHA-256: 0b95b035bdcd01a27a19fbb7f36610bd5b8ac518228322945a3768a5c433782c
jbcs-httpd24-httpd-tools-2.4.29-40.jbcs.el7.x86_64.rpm	SHA-256: c200fb97a218ef5488c87e356123204528181725007774443a912f4000e4f766
jbcs-httpd24-mod_ldap-2.4.29-40.jbcs.el7.x86_64.rpm	SHA-256: e3cc9b457acc6d158b6d826c80a2ecb2ca00956ca7fe771f36a36eb3cb4208d7
jbcs-httpd24-mod_proxy_html-2.4.29-40.jbcs.el7.x86_64.rpm	SHA-256: a1b624dd904ff5ab29980704416b9f03510ae8eaf89650a767c9932881f0f46e
jbcs-httpd24-mod_session-2.4.29-40.jbcs.el7.x86_64.rpm	SHA-256: a9554b079519419f33583a7d4b652af557f5b1e2f4bbd6614e89f103a8cf327e
jbcs-httpd24-mod_ssl-2.4.29-40.jbcs.el7.x86_64.rpm	SHA-256: 18893957b59541ab198bd50eb89e573bfd0ae27403e8de9fbbd6b88b2d60c2ce
jbcs-httpd24-openssl-1.0.2n-15.jbcs.el7.x86_64.rpm	SHA-256: 9231761f55d949d33d20c6d6ae0f17611b708c0974f0f4e8b96c11c620a5bead
jbcs-httpd24-openssl-debuginfo-1.0.2n-15.jbcs.el7.x86_64.rpm	SHA-256: 0b599c02a1eac3667413be9ebc1109d4d35c519adcd8aff3e77ccc724de67bc4
jbcs-httpd24-openssl-devel-1.0.2n-15.jbcs.el7.x86_64.rpm	SHA-256: bdfe1c40a3dc51339fbdb5037503ade8dab16d71d9f4faff98bea6ab06719499
jbcs-httpd24-openssl-libs-1.0.2n-15.jbcs.el7.x86_64.rpm	SHA-256: a93c5a8d2480e8dc7842d7abc7e091ade7cd3a2200c9e12c0261837673cec19b
jbcs-httpd24-openssl-perl-1.0.2n-15.jbcs.el7.x86_64.rpm	SHA-256: ade08eb7d48b69bc80a4f80776cc818df9cc993b857d91d572a98e4996b8b875
jbcs-httpd24-openssl-static-1.0.2n-15.jbcs.el7.x86_64.rpm	SHA-256: aa1c317d771f6ce9f6918e50c319f5f63d61309a27746975e5e34f562b5f5139

Red Hat JBoss Core Services 1 for RHEL 6

SRPM
jbcs-httpd24-httpd-2.4.29-40.jbcs.el6.src.rpm	SHA-256: 6cfd352582b728582defed36b14d7f71f8d4e58498a227876de6f4ed6a5d0b55
jbcs-httpd24-openssl-1.0.2n-15.jbcs.el6.src.rpm	SHA-256: 3fb8cb4045c96349b5c0428c0af2d96d947de9af4a15cf8b8f81dc52a9763bba
x86_64
jbcs-httpd24-httpd-2.4.29-40.jbcs.el6.x86_64.rpm	SHA-256: 050cba6ddb3c8f738314f39cf7a6b2461fb4578a32e227db422aecdd71fd0a55
jbcs-httpd24-httpd-debuginfo-2.4.29-40.jbcs.el6.x86_64.rpm	SHA-256: 5bbabb121abc1ba7d6099f2b5e9e442a0839213670ce5e2fdc84ed399a3fec77
jbcs-httpd24-httpd-devel-2.4.29-40.jbcs.el6.x86_64.rpm	SHA-256: 1e3419c1fee4d51037c1fee308e755d4e9347715cd49f28c91cfb6685586df05
jbcs-httpd24-httpd-manual-2.4.29-40.jbcs.el6.noarch.rpm	SHA-256: 4bed8244610148e0b140c0aa0fe74cacf463407fda7489505d2b783ed3f084a4
jbcs-httpd24-httpd-selinux-2.4.29-40.jbcs.el6.x86_64.rpm	SHA-256: 2642947b19081e79402aab22349c6bff7baf60a8b596a7390dde2be3bd716940
jbcs-httpd24-httpd-tools-2.4.29-40.jbcs.el6.x86_64.rpm	SHA-256: ee137b6824bb57247682b9864cefdf0b59737141d3ed4ab2175eee7a8b27ef09
jbcs-httpd24-mod_ldap-2.4.29-40.jbcs.el6.x86_64.rpm	SHA-256: c5dc910b7f097ccdd07b06d5d36fc9f816e5abf2f3d38428b55b8552378ffda9
jbcs-httpd24-mod_proxy_html-2.4.29-40.jbcs.el6.x86_64.rpm	SHA-256: f32fe62369edf7bd9a4b8ccf0bb9e3a0e1eeca2d7604c176f60870863a148bd6
jbcs-httpd24-mod_session-2.4.29-40.jbcs.el6.x86_64.rpm	SHA-256: 3b5bc5fce87fc4957fd65a5f172e11e8bd9a6531bf1e14e49f9c08b7e7aa8eb3
jbcs-httpd24-mod_ssl-2.4.29-40.jbcs.el6.x86_64.rpm	SHA-256: aefd7b350cabba9857790450a225cf178c53bd8f7f9e9d9005c8e2609a05716b
jbcs-httpd24-openssl-1.0.2n-15.jbcs.el6.x86_64.rpm	SHA-256: b362c317f27787961f1d1906b6a6d2423feb893e3d338ee771e591d4a6400648
jbcs-httpd24-openssl-debuginfo-1.0.2n-15.jbcs.el6.x86_64.rpm	SHA-256: 16c293ff6a68053c8f80e11d0c7167bd6cb903ad3fd6df60e7a24749a6e708fe
jbcs-httpd24-openssl-devel-1.0.2n-15.jbcs.el6.x86_64.rpm	SHA-256: 46b17ab3c30d1993d57c3f8871358ddb8076fb8f54093a5f9424aa75f26b6517
jbcs-httpd24-openssl-libs-1.0.2n-15.jbcs.el6.x86_64.rpm	SHA-256: 410c8aec1304714437d9495137723efd1c8d20429437f2ac34b9724987578fff
jbcs-httpd24-openssl-perl-1.0.2n-15.jbcs.el6.x86_64.rpm	SHA-256: 3ab47c27f960d1f6da55fcc6b6a8f8839171c9d8b195c0bda33e3c59abf5948e
jbcs-httpd24-openssl-static-1.0.2n-15.jbcs.el6.x86_64.rpm	SHA-256: ac47778a7b577e04917c62902bd1006cb832586c7e57d534e9377677d14519d3
i386
jbcs-httpd24-httpd-2.4.29-40.jbcs.el6.i686.rpm	SHA-256: 4b1fffc56d431913e41ec2cd5fc0fe30704b6c141bcc959c6060899e93715040
jbcs-httpd24-httpd-debuginfo-2.4.29-40.jbcs.el6.i686.rpm	SHA-256: 7f98dcf78f2fab452181474bcf1030adc728d2a8cffb6f52fe696340848b7cff
jbcs-httpd24-httpd-devel-2.4.29-40.jbcs.el6.i686.rpm	SHA-256: d645c374f0795115d07412856ada1d60dbac47a14a3e8eb6e53c24e004964071
jbcs-httpd24-httpd-manual-2.4.29-40.jbcs.el6.noarch.rpm	SHA-256: 4bed8244610148e0b140c0aa0fe74cacf463407fda7489505d2b783ed3f084a4
jbcs-httpd24-httpd-selinux-2.4.29-40.jbcs.el6.i686.rpm	SHA-256: ce385b6903e9593b0396a38a43be57f534875999ada6d91b52e4d862b6fde738
jbcs-httpd24-httpd-tools-2.4.29-40.jbcs.el6.i686.rpm	SHA-256: d62b756ba75b6910913ce3ffdd42940330fdcfff456ebcee791eadfd2afd4836
jbcs-httpd24-mod_ldap-2.4.29-40.jbcs.el6.i686.rpm	SHA-256: b766692169eadfb491106db513b8e966af35bd8c203a9ec6ced6f462e567e679
jbcs-httpd24-mod_proxy_html-2.4.29-40.jbcs.el6.i686.rpm	SHA-256: 279a913d77bc0ab11c49204c03292421a2425d3202fd4fc585a6cd21ed2c2516
jbcs-httpd24-mod_session-2.4.29-40.jbcs.el6.i686.rpm	SHA-256: 9c314ce710eec6cf5fcf47834b2564db495c640d751d36264b6a289444cc5080
jbcs-httpd24-mod_ssl-2.4.29-40.jbcs.el6.i686.rpm	SHA-256: 8d5e3782d973418b0384cd7b3332f17073edb97d0363a6a21aa1d607f1218f83
jbcs-httpd24-openssl-1.0.2n-15.jbcs.el6.i686.rpm	SHA-256: 9d0b6743c05f1fd8ebd3829c05cdcf7e82e4807f01142eee75ede161632f3233
jbcs-httpd24-openssl-debuginfo-1.0.2n-15.jbcs.el6.i686.rpm	SHA-256: 954c7f667097cea55a7e0be3b0fa85ab990a25aacf823831e1d94707cd571719
jbcs-httpd24-openssl-devel-1.0.2n-15.jbcs.el6.i686.rpm	SHA-256: 4eba599981a64ecae821f273e0b01b1659543770b89efc0387fa1687fe2a7f3e
jbcs-httpd24-openssl-libs-1.0.2n-15.jbcs.el6.i686.rpm	SHA-256: c85f741e5f85ccaf46f7a1d5a7acecc7afbe7c2ab98a5ff2a62d50d8340594c0
jbcs-httpd24-openssl-perl-1.0.2n-15.jbcs.el6.i686.rpm	SHA-256: cdedd940d39c5838db4597569b1b8fa35c71fa19edc030aa00839aa29d74cb90
jbcs-httpd24-openssl-static-1.0.2n-15.jbcs.el6.i686.rpm	SHA-256: 4e4225396780d41405cdd0cfe3708f48d061edadff489fa2fa3896d6495b52f6

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories