Red Hat Product Errata RHSA-2019:2258 - Security Advisory
Issued:
2019-08-06
Updated:
2019-08-06

RHSA-2019:2258 - Security Advisory

Synopsis

Moderate: http-parser security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for http-parser is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The http-parser package provides a utility for parsing HTTP messages. It parses both requests and responses. The parser is designed to be used in performance HTTP applications. It does not make any system calls or allocations, it does not buffer data, and it can be interrupted at any time. Depending on your architecture, it only requires about 40 bytes of data per message stream.

Security Fix(es):

  • nodejs: Denial of Service with large HTTP headers (CVE-2018-12121)
  • nodejs: HTTP parser allowed for spaces inside Content-Length header values (CVE-2018-7159)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux Desktop 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 7 x86_64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

  • BZ - 1561981 - CVE-2018-7159 nodejs: HTTP parser allowed for spaces inside Content-Length header values
  • BZ - 1661002 - CVE-2018-12121 nodejs: Denial of Service with large HTTP headers

Red Hat Enterprise Linux Server 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
x86_64
http-parser-2.7.1-8.el7.i686.rpm SHA-256: dba04cf970cb8a5bd9f080f669aca6a36c1e598ca42245629fcdd090b7f2753b
http-parser-2.7.1-8.el7.x86_64.rpm SHA-256: ff230311205bc72352637fa1b6c98ec11927c926a0dce1f174cf9590e3ba01ee
http-parser-debuginfo-2.7.1-8.el7.i686.rpm SHA-256: d5b5363cefb86648eaa44c0480e8d002416d6b2450f855725dce22ba481171ac
http-parser-debuginfo-2.7.1-8.el7.i686.rpm SHA-256: d5b5363cefb86648eaa44c0480e8d002416d6b2450f855725dce22ba481171ac
http-parser-debuginfo-2.7.1-8.el7.x86_64.rpm SHA-256: d90e8171fda8f7b7a2807e2b155146429d75f091e53a51ab6fcdc23b11567c6c
http-parser-debuginfo-2.7.1-8.el7.x86_64.rpm SHA-256: d90e8171fda8f7b7a2807e2b155146429d75f091e53a51ab6fcdc23b11567c6c
http-parser-devel-2.7.1-8.el7.i686.rpm SHA-256: f9bd7f68b3c37d4954c157bb1ba8dd9eb72b700611c58485556d28b2a6567818
http-parser-devel-2.7.1-8.el7.x86_64.rpm SHA-256: 1b20a31d16bee38b55f5ddcd6edca76bf1b187c6c39876cb281a19c886568ad3

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
x86_64
http-parser-2.7.1-8.el7.i686.rpm SHA-256: dba04cf970cb8a5bd9f080f669aca6a36c1e598ca42245629fcdd090b7f2753b
http-parser-2.7.1-8.el7.x86_64.rpm SHA-256: ff230311205bc72352637fa1b6c98ec11927c926a0dce1f174cf9590e3ba01ee
http-parser-debuginfo-2.7.1-8.el7.i686.rpm SHA-256: d5b5363cefb86648eaa44c0480e8d002416d6b2450f855725dce22ba481171ac
http-parser-debuginfo-2.7.1-8.el7.i686.rpm SHA-256: d5b5363cefb86648eaa44c0480e8d002416d6b2450f855725dce22ba481171ac
http-parser-debuginfo-2.7.1-8.el7.x86_64.rpm SHA-256: d90e8171fda8f7b7a2807e2b155146429d75f091e53a51ab6fcdc23b11567c6c
http-parser-debuginfo-2.7.1-8.el7.x86_64.rpm SHA-256: d90e8171fda8f7b7a2807e2b155146429d75f091e53a51ab6fcdc23b11567c6c
http-parser-devel-2.7.1-8.el7.i686.rpm SHA-256: f9bd7f68b3c37d4954c157bb1ba8dd9eb72b700611c58485556d28b2a6567818
http-parser-devel-2.7.1-8.el7.x86_64.rpm SHA-256: 1b20a31d16bee38b55f5ddcd6edca76bf1b187c6c39876cb281a19c886568ad3

Red Hat Enterprise Linux Workstation 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
x86_64
http-parser-2.7.1-8.el7.i686.rpm SHA-256: dba04cf970cb8a5bd9f080f669aca6a36c1e598ca42245629fcdd090b7f2753b
http-parser-2.7.1-8.el7.x86_64.rpm SHA-256: ff230311205bc72352637fa1b6c98ec11927c926a0dce1f174cf9590e3ba01ee
http-parser-debuginfo-2.7.1-8.el7.i686.rpm SHA-256: d5b5363cefb86648eaa44c0480e8d002416d6b2450f855725dce22ba481171ac
http-parser-debuginfo-2.7.1-8.el7.i686.rpm SHA-256: d5b5363cefb86648eaa44c0480e8d002416d6b2450f855725dce22ba481171ac
http-parser-debuginfo-2.7.1-8.el7.x86_64.rpm SHA-256: d90e8171fda8f7b7a2807e2b155146429d75f091e53a51ab6fcdc23b11567c6c
http-parser-debuginfo-2.7.1-8.el7.x86_64.rpm SHA-256: d90e8171fda8f7b7a2807e2b155146429d75f091e53a51ab6fcdc23b11567c6c
http-parser-devel-2.7.1-8.el7.i686.rpm SHA-256: f9bd7f68b3c37d4954c157bb1ba8dd9eb72b700611c58485556d28b2a6567818
http-parser-devel-2.7.1-8.el7.x86_64.rpm SHA-256: 1b20a31d16bee38b55f5ddcd6edca76bf1b187c6c39876cb281a19c886568ad3

Red Hat Enterprise Linux Desktop 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
x86_64
http-parser-2.7.1-8.el7.i686.rpm SHA-256: dba04cf970cb8a5bd9f080f669aca6a36c1e598ca42245629fcdd090b7f2753b
http-parser-2.7.1-8.el7.x86_64.rpm SHA-256: ff230311205bc72352637fa1b6c98ec11927c926a0dce1f174cf9590e3ba01ee
http-parser-debuginfo-2.7.1-8.el7.i686.rpm SHA-256: d5b5363cefb86648eaa44c0480e8d002416d6b2450f855725dce22ba481171ac
http-parser-debuginfo-2.7.1-8.el7.i686.rpm SHA-256: d5b5363cefb86648eaa44c0480e8d002416d6b2450f855725dce22ba481171ac
http-parser-debuginfo-2.7.1-8.el7.x86_64.rpm SHA-256: d90e8171fda8f7b7a2807e2b155146429d75f091e53a51ab6fcdc23b11567c6c
http-parser-debuginfo-2.7.1-8.el7.x86_64.rpm SHA-256: d90e8171fda8f7b7a2807e2b155146429d75f091e53a51ab6fcdc23b11567c6c
http-parser-devel-2.7.1-8.el7.i686.rpm SHA-256: f9bd7f68b3c37d4954c157bb1ba8dd9eb72b700611c58485556d28b2a6567818
http-parser-devel-2.7.1-8.el7.x86_64.rpm SHA-256: 1b20a31d16bee38b55f5ddcd6edca76bf1b187c6c39876cb281a19c886568ad3

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
s390x
http-parser-2.7.1-8.el7.s390.rpm SHA-256: fb939019ae7e3dcd95235ac0e62d1c40bcbe5df609965346bedc1fe409ca0a12
http-parser-2.7.1-8.el7.s390x.rpm SHA-256: b15ac0ea17fd531b2c197e4b3ee1d016853f4beafecb8656945c4a26b11e4e78
http-parser-debuginfo-2.7.1-8.el7.s390.rpm SHA-256: ec65bd34662df091891c08ac9201a159ea706e69ca3ff56d1eff7a774125f3ac
http-parser-debuginfo-2.7.1-8.el7.s390.rpm SHA-256: ec65bd34662df091891c08ac9201a159ea706e69ca3ff56d1eff7a774125f3ac
http-parser-debuginfo-2.7.1-8.el7.s390x.rpm SHA-256: 6f03543583c3313c92ea4644ce1a221f99b2ffe1ed3b5edbb2950e62d763e22b
http-parser-debuginfo-2.7.1-8.el7.s390x.rpm SHA-256: 6f03543583c3313c92ea4644ce1a221f99b2ffe1ed3b5edbb2950e62d763e22b
http-parser-devel-2.7.1-8.el7.s390.rpm SHA-256: 20a332fec2c0d85529a0593febfa754c70b68b44b4e835fd77a472d5b6196b10
http-parser-devel-2.7.1-8.el7.s390x.rpm SHA-256: 7983ccf94b343dbb8370989d2c5fda10981a8b5c5098b771616ffe399908dfcf

Red Hat Enterprise Linux for Power, big endian 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
ppc64
http-parser-2.7.1-8.el7.ppc.rpm SHA-256: 22434d45b3fcda173118bcf0b7e56755542c945d54eea710b8d712670e3964a5
http-parser-2.7.1-8.el7.ppc64.rpm SHA-256: 6cd32f435b8f6ea52241dfc26d2be9766e67e373da6052352b829a99cf43890e
http-parser-debuginfo-2.7.1-8.el7.ppc.rpm SHA-256: cc3c67ec2a31d5d08215bb84a3f34d2bd3461119500b64d51a4a97c7aa1fa1a2
http-parser-debuginfo-2.7.1-8.el7.ppc.rpm SHA-256: cc3c67ec2a31d5d08215bb84a3f34d2bd3461119500b64d51a4a97c7aa1fa1a2
http-parser-debuginfo-2.7.1-8.el7.ppc64.rpm SHA-256: b8bc11cdad311f16506cd8c8c1c6166c53d92e898f86dca60c522c8f260e4239
http-parser-debuginfo-2.7.1-8.el7.ppc64.rpm SHA-256: b8bc11cdad311f16506cd8c8c1c6166c53d92e898f86dca60c522c8f260e4239
http-parser-devel-2.7.1-8.el7.ppc.rpm SHA-256: e28936ba9fce65469af9582c455f4d523c986dcdb2fa8a948988d643a6f301be
http-parser-devel-2.7.1-8.el7.ppc64.rpm SHA-256: 278e349a8ee1ec1976f23e2b8a3346720bccfb9352b2c2ab2d5d722e08d102df

Red Hat Enterprise Linux for Scientific Computing 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
x86_64
http-parser-2.7.1-8.el7.i686.rpm SHA-256: dba04cf970cb8a5bd9f080f669aca6a36c1e598ca42245629fcdd090b7f2753b
http-parser-2.7.1-8.el7.x86_64.rpm SHA-256: ff230311205bc72352637fa1b6c98ec11927c926a0dce1f174cf9590e3ba01ee
http-parser-debuginfo-2.7.1-8.el7.i686.rpm SHA-256: d5b5363cefb86648eaa44c0480e8d002416d6b2450f855725dce22ba481171ac
http-parser-debuginfo-2.7.1-8.el7.i686.rpm SHA-256: d5b5363cefb86648eaa44c0480e8d002416d6b2450f855725dce22ba481171ac
http-parser-debuginfo-2.7.1-8.el7.x86_64.rpm SHA-256: d90e8171fda8f7b7a2807e2b155146429d75f091e53a51ab6fcdc23b11567c6c
http-parser-debuginfo-2.7.1-8.el7.x86_64.rpm SHA-256: d90e8171fda8f7b7a2807e2b155146429d75f091e53a51ab6fcdc23b11567c6c
http-parser-devel-2.7.1-8.el7.i686.rpm SHA-256: f9bd7f68b3c37d4954c157bb1ba8dd9eb72b700611c58485556d28b2a6567818
http-parser-devel-2.7.1-8.el7.x86_64.rpm SHA-256: 1b20a31d16bee38b55f5ddcd6edca76bf1b187c6c39876cb281a19c886568ad3

Red Hat Enterprise Linux for Power, little endian 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
ppc64le
http-parser-2.7.1-8.el7.ppc64le.rpm SHA-256: ffc3483ceb6b63311b7d9364daf036b50299f1bcb0c7252e55656cf1c9ad6def
http-parser-debuginfo-2.7.1-8.el7.ppc64le.rpm SHA-256: 9ec501bfbc318cd99d1867b9c605f7f1e4b039f8787ec0654a79f0ddae82d6dd
http-parser-debuginfo-2.7.1-8.el7.ppc64le.rpm SHA-256: 9ec501bfbc318cd99d1867b9c605f7f1e4b039f8787ec0654a79f0ddae82d6dd
http-parser-devel-2.7.1-8.el7.ppc64le.rpm SHA-256: 1dca54d32bb655ed93609d41bb1b129e652216a735903a8d5d73d0c0142edeb5

Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
s390x
http-parser-2.7.1-8.el7.s390.rpm SHA-256: fb939019ae7e3dcd95235ac0e62d1c40bcbe5df609965346bedc1fe409ca0a12
http-parser-2.7.1-8.el7.s390x.rpm SHA-256: b15ac0ea17fd531b2c197e4b3ee1d016853f4beafecb8656945c4a26b11e4e78
http-parser-debuginfo-2.7.1-8.el7.s390.rpm SHA-256: ec65bd34662df091891c08ac9201a159ea706e69ca3ff56d1eff7a774125f3ac
http-parser-debuginfo-2.7.1-8.el7.s390.rpm SHA-256: ec65bd34662df091891c08ac9201a159ea706e69ca3ff56d1eff7a774125f3ac
http-parser-debuginfo-2.7.1-8.el7.s390x.rpm SHA-256: 6f03543583c3313c92ea4644ce1a221f99b2ffe1ed3b5edbb2950e62d763e22b
http-parser-debuginfo-2.7.1-8.el7.s390x.rpm SHA-256: 6f03543583c3313c92ea4644ce1a221f99b2ffe1ed3b5edbb2950e62d763e22b
http-parser-devel-2.7.1-8.el7.s390.rpm SHA-256: 20a332fec2c0d85529a0593febfa754c70b68b44b4e835fd77a472d5b6196b10
http-parser-devel-2.7.1-8.el7.s390x.rpm SHA-256: 7983ccf94b343dbb8370989d2c5fda10981a8b5c5098b771616ffe399908dfcf

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
ppc64
http-parser-2.7.1-8.el7.ppc.rpm SHA-256: 22434d45b3fcda173118bcf0b7e56755542c945d54eea710b8d712670e3964a5
http-parser-2.7.1-8.el7.ppc64.rpm SHA-256: 6cd32f435b8f6ea52241dfc26d2be9766e67e373da6052352b829a99cf43890e
http-parser-debuginfo-2.7.1-8.el7.ppc.rpm SHA-256: cc3c67ec2a31d5d08215bb84a3f34d2bd3461119500b64d51a4a97c7aa1fa1a2
http-parser-debuginfo-2.7.1-8.el7.ppc.rpm SHA-256: cc3c67ec2a31d5d08215bb84a3f34d2bd3461119500b64d51a4a97c7aa1fa1a2
http-parser-debuginfo-2.7.1-8.el7.ppc64.rpm SHA-256: b8bc11cdad311f16506cd8c8c1c6166c53d92e898f86dca60c522c8f260e4239
http-parser-debuginfo-2.7.1-8.el7.ppc64.rpm SHA-256: b8bc11cdad311f16506cd8c8c1c6166c53d92e898f86dca60c522c8f260e4239
http-parser-devel-2.7.1-8.el7.ppc.rpm SHA-256: e28936ba9fce65469af9582c455f4d523c986dcdb2fa8a948988d643a6f301be
http-parser-devel-2.7.1-8.el7.ppc64.rpm SHA-256: 278e349a8ee1ec1976f23e2b8a3346720bccfb9352b2c2ab2d5d722e08d102df

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7

SRPM
http-parser-2.7.1-8.el7.src.rpm SHA-256: a7211aedf77c65e653c7e1f71be361aeab903d7f3a75183e2b6a19df0f37d9ad
ppc64le
http-parser-2.7.1-8.el7.ppc64le.rpm SHA-256: ffc3483ceb6b63311b7d9364daf036b50299f1bcb0c7252e55656cf1c9ad6def
http-parser-debuginfo-2.7.1-8.el7.ppc64le.rpm SHA-256: 9ec501bfbc318cd99d1867b9c605f7f1e4b039f8787ec0654a79f0ddae82d6dd
http-parser-debuginfo-2.7.1-8.el7.ppc64le.rpm SHA-256: 9ec501bfbc318cd99d1867b9c605f7f1e4b039f8787ec0654a79f0ddae82d6dd
http-parser-devel-2.7.1-8.el7.ppc64le.rpm SHA-256: 1dca54d32bb655ed93609d41bb1b129e652216a735903a8d5d73d0c0142edeb5

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.