Synopsis
Moderate: httpd24 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for httpd24, httpd24-curl, httpd24-httpd, httpd24-mod_auth_kerb, and httpd24-nghttp2 is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.
The following packages have been upgraded to a later upstream version: httpd24-httpd (2.4.27). (BZ#1461819)
Security Fix(es):
- A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)
Red Hat would like to thank Hanno Böck for reporting this issue.
Bug Fix(es):
- The httpd package installation script tried to create both the "apache" user and group in a single "useradd" command. Consequently, when the "apache" group had already been created on the system, the command failed, and the "apache" user was not created. To fix this bug, the "apache" group is now created by a separate command, and the "apache" user is correctly created during httpd installation even when the "apache" group exists. (BZ#1486843)
- When installing the httpd24 Software Collection using the "yum" command, if the "apache" group already existed on the system with GID other than 48, the "apache" user was not created. This update fixes the bug. (BZ#1487164)
- With this update, it is possible to run the mod_rewrite external mapping program as a non-root user. (BZ#1486832)
- On a Red Hat Enterprise Linux 6 system, when the httpd service was stopped twice in a row by running the "service httpd stop" command, a misleading message was returned: "Stopping httpd: [FAILED]". This bug has been fixed. (BZ#1418395)
- When the "service httpd24-httpd graceful" command was used on Red Hat Enterprise Linux 7 while the httpd24-httpd service was not running, the daemon was started without being tracked by systemd. As a consequence, the daemon ran in an incorrect SELinux domain. This bug has been fixed, and the httpd daemon runs in the correct SELinux domain in the described scenario. (BZ#1440858)
Enhancement(s):
- With this update, the mod_ssl module supports the ALPN protocol on Red Hat Enterprise Linux 7.4 and later versions. (BZ#1327548)
For further details, see the Red Hat Software Collections 3.0 Release Notes linked from the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
Affected Products
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6 x86_64
-
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.6 s390x
-
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.6 ppc64le
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
-
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.5 s390x
-
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.5 ppc64le
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
-
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.4 s390x
-
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.4 ppc64le
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
-
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.3 s390x
-
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.3 ppc64le
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
-
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
-
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
-
Red Hat Software Collections (for RHEL Server for ARM) 1 aarch64
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
-
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
-
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
Fixes
- BZ - 1327548 - RFE: enable ALPN support in mod_ssl
- BZ - 1418395 - httpd stop prints failure if service already stopped
- BZ - 1428940 - mod_proxy_fcgi (more) wrong behavior with 304
- BZ - 1440858 - graceful start of stopped service fail
- BZ - 1457316 - [RFE] please consider using scl_package_override
- BZ - 1480506 - mod_authz_dbd segfaults when AuthzDBDQuery missing
- BZ - 1486843 - apache user is not created during httpd installation when apache group already exist
- BZ - 1487164 - apache user is not created during httpd installation when apache group already exist with GID other than 48
- BZ - 1488541 - rotatelogs %Z does not use correct timezone respecting DST
- BZ - 1490344 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)
CVEs
References
Vulmon