Moderate: httpd:2.4 security, bug fix, and enhancement update

Synopsis

Moderate: httpd:2.4 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

The following packages have been upgraded to a later upstream version: mod_http2 (1.15.7). (BZ#1814236)

Security Fix(es):

  • httpd: memory corruption on early pushes (CVE-2019-10081)
  • httpd: read-after-free in h2 connection shutdown (CVE-2019-10082)
  • httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)
  • httpd: mod_rewrite configurations vulnerable to open redirect (CVE-2020-1927)
  • httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)
  • httpd: mod_http2: read-after-free on a string compare (CVE-2019-0196)
  • httpd: mod_http2: possible crash on late upgrade (CVE-2019-0197)
  • httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)
  • httpd: mod_rewrite potential open redirect (CVE-2019-10098)
  • httpd: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.
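Because Red Hat backports fixes into the existing httpd 2.4.37 packages rather than rebasing to the upstream release that first fixed each CVE, the package version alone does not tell you whether a host carries these fixes. The RPM %changelog does: each backported fix is recorded with its Bugzilla number and usually its CVE ID. The following POSIX shell script is an added example, not part of this advisory or of Red Hat's tooling; it takes the BZ/CVE pairs from the Fixes list below and reports which advisory CVEs are absent from a changelog. The sample changelog embedded in it is constructed for the offline demonstration and deliberately omits the two CVE-2020 fixes; the `rpm -q --changelog` invocation is what you would run on a real RHEL 8 host.

```sh
#!/bin/sh
# Added example (not from the advisory): check whether the installed httpd and
# mod_http2 RPMs carry every fix listed in this advisory, using the %changelog
# that Red Hat packaging writes for each backported fix.

# Bugzilla:CVE pairs, copied from the advisory's Fixes list.
FIXES="1668497:CVE-2018-17189
1695030:CVE-2019-0196
1695042:CVE-2019-0197
1743956:CVE-2019-10092
1743959:CVE-2019-10098
1743966:CVE-2019-10081
1743974:CVE-2019-10082
1743996:CVE-2019-10097
1820761:CVE-2020-1927
1820772:CVE-2020-1934"

# missing_fixes CHANGELOG
# Prints one advisory CVE per line whose CVE ID or "#<bugzilla>" reference
# appears nowhere in CHANGELOG. Returns 0 when every fix is present, 1 otherwise.
# Matching on the Bugzilla number as well covers changelog entries that name
# only the bug and not the CVE.
missing_fixes() {
    changelog=$1
    rc=0
    for entry in $FIXES; do
        bz=${entry%%:*}
        cve=${entry#*:}
        case $changelog in
            *"$cve"*|*"#$bz"*) ;;
            *) printf '%s\n' "$cve"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample changelog (not a real package's changelog). It contains
# eight of the ten fixes, one of them referenced by Bugzilla number only, and
# lacks the two CVE-2020 fixes.
SAMPLE_CHANGELOG='* Mon Jan 01 2020 Example Packager <packager@example.invalid> - 2.4.37-example
- Resolves: #1743966 - CVE-2019-10081 httpd: memory corruption on early pushes
- Resolves: #1743974 - CVE-2019-10082 httpd: read-after-free in h2 connection shutdown
- Resolves: #1743996 - CVE-2019-10097 httpd: null-pointer dereference in mod_remoteip
- Resolves: #1743956 - CVE-2019-10092 httpd: limited cross-site scripting in mod_proxy error page
- Resolves: #1743959 - CVE-2019-10098 httpd: mod_rewrite potential open redirect
- Resolves: #1668497 - CVE-2018-17189 httpd: mod_http2: DoS via slow, unneeded request bodies
- Resolves: #1695030 - CVE-2019-0196 httpd: mod_http2: read-after-free on a string compare
- Resolves: #1695042 - mod_http2: possible crash on late upgrade'

# Offline demonstration: prints CVE-2020-1927 and CVE-2020-1934, then the hint.
missing_fixes "$SAMPLE_CHANGELOG" || echo "sample changelog lacks fixes listed above"

# On a RHEL 8 host, check the real packages. mod_http2 is a separate RPM from
# httpd, so both changelogs are read together.
if command -v rpm >/dev/null 2>&1; then
    if missing_fixes "$(rpm -q --changelog httpd mod_http2 2>/dev/null)"; then
        echo "all fixes from this advisory are present"
    else
        echo "fixes missing: apply the update with 'dnf update httpd mod_http2'"
    fi
fi
```

A host that was updated but whose httpd was not restarted is still running the old code; pair this check with a comparison of the httpd process start time against the package install time (`systemctl show httpd -p ExecMainStartTimestamp` and `rpm -q --last httpd`) if you are auditing rather than patching.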

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 1209162 - RFE: CustomLog should be able to use journald
  • BZ - 1668497 - CVE-2018-17189 httpd: mod_http2: DoS via slow, unneeded request bodies
  • BZ - 1695030 - CVE-2019-0196 httpd: mod_http2: read-after-free on a string compare
  • BZ - 1695042 - CVE-2019-0197 httpd: mod_http2: possible crash on late upgrade
  • BZ - 1743956 - CVE-2019-10092 httpd: limited cross-site scripting in mod_proxy error page
  • BZ - 1743959 - CVE-2019-10098 httpd: mod_rewrite potential open redirect
  • BZ - 1743966 - CVE-2019-10081 httpd: memory corruption on early pushes
  • BZ - 1743974 - CVE-2019-10082 httpd: read-after-free in h2 connection shutdown
  • BZ - 1743996 - CVE-2019-10097 httpd: null-pointer dereference in mod_remoteip
  • BZ - 1771847 - BalancerMember ping parameter for mod_proxy_http doesn't work
  • BZ - 1814236 - RFE: mod_http2 rebase
  • BZ - 1820761 - CVE-2020-1927 httpd: mod_rewrite configurations vulnerable to open redirect
  • BZ - 1820772 - CVE-2020-1934 httpd: mod_proxy_ftp use of uninitialized value
  • BZ - 1832844 - mod_md does not work with ACME server that does not provide keyChange or revokeCert resources

CVEs

  • CVE-2018-17189
  • CVE-2019-0196
  • CVE-2019-0197
  • CVE-2019-10081
  • CVE-2019-10082
  • CVE-2019-10092
  • CVE-2019-10097
  • CVE-2019-10098
  • CVE-2020-1927
  • CVE-2020-1934

References