Red Hat Product Errata RHSA-2020:1337 - Security Advisory

Issued:: 2020-04-06
Updated:: 2020-04-06

RHSA-2020:1337 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP2 security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release adds the new Apache HTTP Server 2.4.37 Service Pack 2 packages that are part of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 1 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.

Security Fix(es):

openssl: side-channel weak encryption vulnerability (CVE-2019-1547)
httpd: memory corruption on early pushes (CVE-2019-10081)
httpd: read-after-free in h2 connection shutdown (CVE-2019-10082)
httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)
openssl: information disclosure in fork() (CVE-2019-1549)
openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)
httpd: mod_rewrite potential open redirect (CVE-2019-10098)
httpd: mod_rewrite configurations vulnerable to open redirect(CVE-2020-1927)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat JBoss Core Services 1 for RHEL 7 x86_64
Red Hat JBoss Core Services 1 for RHEL 6 x86_64
Red Hat JBoss Core Services 1 for RHEL 6 i386

Fixes

BZ - 1743956 - CVE-2019-10092 httpd: limited cross-site scripting in mod_proxy error page
BZ - 1743959 - CVE-2019-10098 httpd: mod_rewrite potential open redirect
BZ - 1743966 - CVE-2019-10081 httpd: memory corruption on early pushes
BZ - 1743974 - CVE-2019-10082 httpd: read-after-free in h2 connection shutdown
BZ - 1743996 - CVE-2019-10097 httpd: null-pointer dereference in mod_remoteip
BZ - 1752090 - CVE-2019-1547 openssl: side-channel weak encryption vulnerability
BZ - 1752095 - CVE-2019-1549 openssl: information disclosure in fork()
BZ - 1752100 - CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey
BZ - 1820761 - CVE-2020-1927 httpd: mod_rewrite configurations vulnerable to open redirect

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat JBoss Core Services 1 for RHEL 7

SRPM
jbcs-httpd24-apr-1.6.3-86.jbcs.el7.src.rpm	SHA-256: 47a492c4296b8df0372fe64a42083c0b9659b7a9abd907cf50ac595cfbd3aa52
jbcs-httpd24-brotli-1.0.6-21.jbcs.el7.src.rpm	SHA-256: 6cf79773cf4f5d8a3b642b9402b5b10d8775139cc42f0610504c689c5316a1ea
jbcs-httpd24-httpd-2.4.37-52.jbcs.el7.src.rpm	SHA-256: 76c4ad15c54a28abb0b21722d1e23f710f8bc2e45de09c7fcf642f3815eb6468
jbcs-httpd24-mod_cluster-native-1.3.12-41.Final_redhat_2.jbcs.el7.src.rpm	SHA-256: 87ae4f69dc8fa7ec2eaa7682dc36883f423357e47c8e35c7e90657f6686690f2
jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el7.src.rpm	SHA-256: acba0fc10321d53a7950fad54264f211eab7aec6e524f466047aad6539f056ad
jbcs-httpd24-openssl-1.1.1c-16.jbcs.el7.src.rpm	SHA-256: a2bab03c99c67b37deae8f6eea243bd73b20939ed2a35c367eabc6bf04c40123
x86_64
jbcs-httpd24-apr-1.6.3-86.jbcs.el7.x86_64.rpm	SHA-256: 34baf29e5b1191b1a279298b2b06c12117a3968cbcbd1d30c9cbe94530518ab8
jbcs-httpd24-apr-debuginfo-1.6.3-86.jbcs.el7.x86_64.rpm	SHA-256: 302820520e2fcdca955815a2afe478aa01d3484f4458f5ea23046ac60007082d
jbcs-httpd24-apr-devel-1.6.3-86.jbcs.el7.x86_64.rpm	SHA-256: 7214f866892efc5167c8627bf9b92e3be316d7c40ce37708f31fecd80e88fce5
jbcs-httpd24-brotli-1.0.6-21.jbcs.el7.x86_64.rpm	SHA-256: 900c6fd93a5b52398cd93c9713173cfe03f39de7c66d9806b3641d85629ebf34
jbcs-httpd24-brotli-debuginfo-1.0.6-21.jbcs.el7.x86_64.rpm	SHA-256: f9a9b02eb56bc1ce9b6465541842ced9fcb81496ab38d9dc0ee1b3c386a8f840
jbcs-httpd24-brotli-devel-1.0.6-21.jbcs.el7.x86_64.rpm	SHA-256: a69ebb32b15b63477649684c89a7562cdd4954b7304700bf19832d54cb12bc8f
jbcs-httpd24-httpd-2.4.37-52.jbcs.el7.x86_64.rpm	SHA-256: 0cef9288ecbe38a7f12389b6ff2eedfc817c5c80208168e21217854e3a5733b2
jbcs-httpd24-httpd-debuginfo-2.4.37-52.jbcs.el7.x86_64.rpm	SHA-256: 870f82418e42a381344acb5cc329be1bf5dff9cf8513ec67f0fdb4ec1784da0f
jbcs-httpd24-httpd-devel-2.4.37-52.jbcs.el7.x86_64.rpm	SHA-256: 4d7867c7f0147a0aeeac459f20363ea2e7c05c7577afc16a70c4d288cfb4c82b
jbcs-httpd24-httpd-manual-2.4.37-52.jbcs.el7.noarch.rpm	SHA-256: d225cb62f03c6abe7ed6bceb108f7310ab8af634122ac566e36a1c8054ce3010
jbcs-httpd24-httpd-selinux-2.4.37-52.jbcs.el7.x86_64.rpm	SHA-256: 3e5f6fd87c22cba9e48ce751a35b5544b2efd9b078b084b46103698f5240b666
jbcs-httpd24-httpd-tools-2.4.37-52.jbcs.el7.x86_64.rpm	SHA-256: f75e2c63fb7eb792b8d224c86b22732f01577d23c85ed415e8fa6c55dd6b4609
jbcs-httpd24-mod_cluster-native-1.3.12-41.Final_redhat_2.jbcs.el7.x86_64.rpm	SHA-256: b2c1420c9e3f2a368fe3d8bbf321cfff65903527df2e02914a917a475379e8d5
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.12-41.Final_redhat_2.jbcs.el7.x86_64.rpm	SHA-256: 86cd57482f4eb75acc9641230398b5cbaa7071e4c1b2e6cf5c204f0da26a31b6
jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el7.x86_64.rpm	SHA-256: b3b553af259f478d625158b8330963492c9ac353a0b9d1e2260b643d47fd84fc
jbcs-httpd24-mod_http2-debuginfo-1.11.3-22.jbcs.el7.x86_64.rpm	SHA-256: c29193ff31f499f2d59ab7bcf21f77ae1e3e07bed35bb1b9cf88bac15259132a
jbcs-httpd24-mod_ldap-2.4.37-52.jbcs.el7.x86_64.rpm	SHA-256: 69344914296cd1c5a0d0adfdd41c555b97b287328c327f8c4eafb64f95522bfb
jbcs-httpd24-mod_proxy_html-2.4.37-52.jbcs.el7.x86_64.rpm	SHA-256: c49735ae9ed5fcbea5f9da76a934e69befbd4f3e6bb4ab6c66b553087965865a
jbcs-httpd24-mod_session-2.4.37-52.jbcs.el7.x86_64.rpm	SHA-256: 9090a74afc52c69024a887e7df6092389f48b52da2611153214780a1f6104a34
jbcs-httpd24-mod_ssl-2.4.37-52.jbcs.el7.x86_64.rpm	SHA-256: af8f6fba213da7d729dad76a8d764aeaa58d37b329d92cea7572ea0fb1d696b4
jbcs-httpd24-openssl-1.1.1c-16.jbcs.el7.x86_64.rpm	SHA-256: 702e9795602dd186586ec542c6969097a8d36c123cca6d65dd5517c918f57708
jbcs-httpd24-openssl-debuginfo-1.1.1c-16.jbcs.el7.x86_64.rpm	SHA-256: c3df0bcec65d12195622f95dc11371955a16ecc14c308d5c9633185cafa67dff
jbcs-httpd24-openssl-devel-1.1.1c-16.jbcs.el7.x86_64.rpm	SHA-256: e8c8c8effc050dc8cfe335ddb229718a9238bca9b793a29511ed9b1d8d882188
jbcs-httpd24-openssl-libs-1.1.1c-16.jbcs.el7.x86_64.rpm	SHA-256: eb0d0961318035d0422bc8387b962e7f7e77c84670dcc50e0cfa575f5b473e10
jbcs-httpd24-openssl-perl-1.1.1c-16.jbcs.el7.x86_64.rpm	SHA-256: 989201930990324452e10b7383c3762a4c402d6090a91bddd3865cd07972ff74
jbcs-httpd24-openssl-static-1.1.1c-16.jbcs.el7.x86_64.rpm	SHA-256: 86bc47f91f20d01592331f80f4cd71f443a274a37b9809b1bd02eb95be5bcbaf

Red Hat JBoss Core Services 1 for RHEL 6

SRPM
jbcs-httpd24-apr-1.6.3-86.jbcs.el6.src.rpm	SHA-256: 6df0320dfc955099526d782f7d1646e65343fbe1269c11ae380cdc9b8880e8ce
jbcs-httpd24-brotli-1.0.6-21.jbcs.el6.src.rpm	SHA-256: 37d73bebd36059e06095a9c9c579e4fae8e68b0fd8a600228fd0f2dbdcd0882e
jbcs-httpd24-httpd-2.4.37-52.jbcs.el6.src.rpm	SHA-256: 2697d7c6ad15b1d5acc89f9aa44632bc9c26fdf22469c238ffdf9dd36ce3877a
jbcs-httpd24-mod_cluster-native-1.3.12-41.Final_redhat_2.jbcs.el6.src.rpm	SHA-256: baa80cc5a7613085f4de2b549fa8832bccd2f3cde04d029b191343b8e8d28159
jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el6.src.rpm	SHA-256: 9d5baeea76acbd750334009b5a4ee754983fef2e901ec80c5c570a43d863f01e
jbcs-httpd24-openssl-1.1.1c-16.jbcs.el6.src.rpm	SHA-256: 9613ecadeb1b7c800865036221c627b24fe2afc1ba776f46f93bf0b9fe40c52d
x86_64
jbcs-httpd24-apr-1.6.3-86.jbcs.el6.x86_64.rpm	SHA-256: b3d56ff5905c0877302055f4e9be140af09712b2d5efbf32e976ec2b85483637
jbcs-httpd24-apr-debuginfo-1.6.3-86.jbcs.el6.x86_64.rpm	SHA-256: eae1c53e826f9a134dafce43542e48886d7ec6894b148d548f44c2aea9cee913
jbcs-httpd24-apr-devel-1.6.3-86.jbcs.el6.x86_64.rpm	SHA-256: 698adc088c2b13edc37e08b554117aa39a3e7cf744dddf37e87220140e2323a8
jbcs-httpd24-brotli-1.0.6-21.jbcs.el6.x86_64.rpm	SHA-256: aeb23dbd29b47f10161ea85748caf0bc18a4de4af6e8b903f36303fcafd7f52c
jbcs-httpd24-brotli-debuginfo-1.0.6-21.jbcs.el6.x86_64.rpm	SHA-256: ed3a1a663ca218195e652e2e66cae9adc7fe47ff1c7ad97ee1cbeb7bf9a365d5
jbcs-httpd24-brotli-devel-1.0.6-21.jbcs.el6.x86_64.rpm	SHA-256: 2a41232508202873f39ae11d7d901189888b9a515df47978c9a89eef9c7cefe6
jbcs-httpd24-httpd-2.4.37-52.jbcs.el6.x86_64.rpm	SHA-256: 4afa06e3656373100fd26c03db92a0c8a90497bb0f555c35f8e810f32173a994
jbcs-httpd24-httpd-debuginfo-2.4.37-52.jbcs.el6.x86_64.rpm	SHA-256: 42fce9361f7610e1238fdfab20026e92f95d78c95a9392954543700897ff0f5d
jbcs-httpd24-httpd-devel-2.4.37-52.jbcs.el6.x86_64.rpm	SHA-256: 05e271353e75c0aee998053561dec638e46556594ad851f0711ee695c6fe5f63
jbcs-httpd24-httpd-manual-2.4.37-52.jbcs.el6.noarch.rpm	SHA-256: 290770314c56ee36b2f3c899e731e031575202aad14a1e56f96f24d608de9bbf
jbcs-httpd24-httpd-selinux-2.4.37-52.jbcs.el6.x86_64.rpm	SHA-256: dc9ee8242e320325b176d9fac3318d6ba58cc450b5aaeb5c65e7a9f7693cb6f6
jbcs-httpd24-httpd-tools-2.4.37-52.jbcs.el6.x86_64.rpm	SHA-256: 2cb243f8863feeab176279b66b4c19972f26c782a59d590a43005ebd3863a796
jbcs-httpd24-mod_cluster-native-1.3.12-41.Final_redhat_2.jbcs.el6.x86_64.rpm	SHA-256: e493eddc97e956b3c1b28d097eeec9398f5b72fa49283594e3c5e70d6b4eb889
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.12-41.Final_redhat_2.jbcs.el6.x86_64.rpm	SHA-256: abfa417ab03aa2ecd5acd0f995ee49ad388fb13f71d5eb86f755b6762ad0a5cf
jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el6.x86_64.rpm	SHA-256: 655a90e0e99fa6d8cae703f6150507a9c7eca1f3ee3eadb4f0c1d6991b7c45b1
jbcs-httpd24-mod_http2-debuginfo-1.11.3-22.jbcs.el6.x86_64.rpm	SHA-256: f6256b400947171014b8e0ea9957d35aa1ea9790cd8e3aac2872010777cdc164
jbcs-httpd24-mod_ldap-2.4.37-52.jbcs.el6.x86_64.rpm	SHA-256: e70dc5c7703395305bf4d62d01b1aa57017e87f874e4a03b92eea9c288e61509
jbcs-httpd24-mod_proxy_html-2.4.37-52.jbcs.el6.x86_64.rpm	SHA-256: 1e941553ec5bd2088b1bfea66d52568bdbc77f76f9e62a8307a1ccce003b34c5
jbcs-httpd24-mod_session-2.4.37-52.jbcs.el6.x86_64.rpm	SHA-256: 5f2dda786e410ecd7ad13c51eedc06da69243890dd289cb9271d65b177af7304
jbcs-httpd24-mod_ssl-2.4.37-52.jbcs.el6.x86_64.rpm	SHA-256: b179bdb89c611e39f5d3dd4ad73d0524fbf9d90d684465c70ce2bbbe8f28c27c
jbcs-httpd24-openssl-1.1.1c-16.jbcs.el6.x86_64.rpm	SHA-256: 2790c9104ddcb6c46d2c2117405389ef5eaee4e73c9d1d49a989bd949083acc5
jbcs-httpd24-openssl-debuginfo-1.1.1c-16.jbcs.el6.x86_64.rpm	SHA-256: c8b9d6f301ec05c71a4710fc162b9b93d100e3257b52576b06eafd4352d65705
jbcs-httpd24-openssl-devel-1.1.1c-16.jbcs.el6.x86_64.rpm	SHA-256: 27bd595900c49c2b900feb8c2016099e11c3d8e5aba915c6d2733154633b6790
jbcs-httpd24-openssl-libs-1.1.1c-16.jbcs.el6.x86_64.rpm	SHA-256: d72d1ba6509affdf671964a55f79b73979613677f9cd67af1c4600b9abd843b5
jbcs-httpd24-openssl-perl-1.1.1c-16.jbcs.el6.x86_64.rpm	SHA-256: 626c97bf755bdcfe303614cf625c5f1eef1df1b55f29bb3d80035a1233ba3f2f
jbcs-httpd24-openssl-static-1.1.1c-16.jbcs.el6.x86_64.rpm	SHA-256: 5c109c277e06eb1925cf11656b4dc57588025d5eaadf3530191c59188f2ae456
i386
jbcs-httpd24-apr-1.6.3-86.jbcs.el6.i686.rpm	SHA-256: bbe690785aa244459617bd99064f5088d5f03de865f71026b765e102c5a3eef8
jbcs-httpd24-apr-debuginfo-1.6.3-86.jbcs.el6.i686.rpm	SHA-256: ab7e7cc41b074f791bde3c71535474d576a2c7e72fd9d7d61a93ed7e902a3a60
jbcs-httpd24-apr-devel-1.6.3-86.jbcs.el6.i686.rpm	SHA-256: aedca36f34af4f3665a2a222f4e454eebdb550c7e63adf9414ed8d3b6b6c90d8
jbcs-httpd24-brotli-1.0.6-21.jbcs.el6.i686.rpm	SHA-256: bd5e44cdd28f770e26798199978afdc3209867b7d3d6f578b5d97db48be71045
jbcs-httpd24-brotli-debuginfo-1.0.6-21.jbcs.el6.i686.rpm	SHA-256: 542e7bfb12b13c38cd3591ac25e1055f75e87d99454df23b9777e3d20327d18d
jbcs-httpd24-brotli-devel-1.0.6-21.jbcs.el6.i686.rpm	SHA-256: 3fc85b29c54c41f05aaa8ec08ecbf44d0a515cdf1604f90a2bc3aeef9b20d7a0
jbcs-httpd24-httpd-2.4.37-52.jbcs.el6.i686.rpm	SHA-256: bcb4a1af64bc8581757d04ce4c825f722e41b813be752a79e76f8d225f9497cc
jbcs-httpd24-httpd-debuginfo-2.4.37-52.jbcs.el6.i686.rpm	SHA-256: c7e00f8b6232a950fcae771d900ad5e6b693af9862fc91473f1ec51cc2c74b24
jbcs-httpd24-httpd-devel-2.4.37-52.jbcs.el6.i686.rpm	SHA-256: 24777bc443f84219115b114c3a40e39a4c2fa51e466e95ba5b53cc9822a395ec
jbcs-httpd24-httpd-manual-2.4.37-52.jbcs.el6.noarch.rpm	SHA-256: 290770314c56ee36b2f3c899e731e031575202aad14a1e56f96f24d608de9bbf
jbcs-httpd24-httpd-selinux-2.4.37-52.jbcs.el6.i686.rpm	SHA-256: e09438ed704620a3e43ef895b3518691c3f5a461e1b2899bfc1958dbde25f49e
jbcs-httpd24-httpd-tools-2.4.37-52.jbcs.el6.i686.rpm	SHA-256: 3ebb0d7514840fa2d16f937009b4ae77461d250714325c8ab08b2f72f2e33e34
jbcs-httpd24-mod_cluster-native-1.3.12-41.Final_redhat_2.jbcs.el6.i686.rpm	SHA-256: c7177c9eecf7659c61e4de73e70b2d2ee60ed85dc6ef22ea14bb421e94061e5e
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.12-41.Final_redhat_2.jbcs.el6.i686.rpm	SHA-256: b09f682b95eacd04c72caddb0ce174f612d7bd346a4e5c9e3a8c210fb4b442f9
jbcs-httpd24-mod_http2-1.11.3-22.jbcs.el6.i686.rpm	SHA-256: 7100759eb9a530edf663a583cd896c61c63ebef1adfb4390072f685217d95b9c
jbcs-httpd24-mod_http2-debuginfo-1.11.3-22.jbcs.el6.i686.rpm	SHA-256: 3bd503d2d9bb827b0dc3b66e1668f235f328138fa29efeefd828f2e4adcf16fa
jbcs-httpd24-mod_ldap-2.4.37-52.jbcs.el6.i686.rpm	SHA-256: 7ee6591b3d213c6dcbae2c54c25148edaf47ef03a1dd5cdf5fd0254037a4eaf3
jbcs-httpd24-mod_proxy_html-2.4.37-52.jbcs.el6.i686.rpm	SHA-256: 5586bb46d2cea7dca6b68ea889992d9e6e13b0a323b4a126f172bcc7f9f55db0
jbcs-httpd24-mod_session-2.4.37-52.jbcs.el6.i686.rpm	SHA-256: ade319e9178c8256696b915e0239b3f06fa82aec362706f6d27b8bd68e6cb1e3
jbcs-httpd24-mod_ssl-2.4.37-52.jbcs.el6.i686.rpm	SHA-256: 3bfea06b5cb93e41406eafdea3c616724f7667504bd49887ed4da198000220a5
jbcs-httpd24-openssl-1.1.1c-16.jbcs.el6.i686.rpm	SHA-256: 1231b5228196328788b52c4e28b7d71f14edb4971b42d2a3f152cdd1d45db94b
jbcs-httpd24-openssl-debuginfo-1.1.1c-16.jbcs.el6.i686.rpm	SHA-256: 096eeb008ea64de1f8278f22cd8296b455f3c531e78fd41c758dde4bb48671d8
jbcs-httpd24-openssl-devel-1.1.1c-16.jbcs.el6.i686.rpm	SHA-256: aef39bd970aa99874ce0316e5a56fad852ec76b97cf51afcc674ead2d09366e5
jbcs-httpd24-openssl-libs-1.1.1c-16.jbcs.el6.i686.rpm	SHA-256: 6f93b4793bc7ff5629ab409212ca3e5f99ae051a2f808c54046c5d344222aef5
jbcs-httpd24-openssl-perl-1.1.1c-16.jbcs.el6.i686.rpm	SHA-256: c1ae9a8779e8bb62dde064d6666042b3a05e963b1694e881ab968269b17fb876
jbcs-httpd24-openssl-static-1.1.1c-16.jbcs.el6.i686.rpm	SHA-256: ade743c0e042ba908deaf2ad32d4429e49122fac6e5d2d968d92bb8418a7523f

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories