Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[RHSA-2017:0906-01] Moderate: httpd security and bug fix update

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: httpd security and bug fix update

Advisory ID: RHSA-2017:0906-01

Product: Red Hat Enterprise Linux

Advisory URL: https://access.redhat.com/errata/RHSA-2017:0906

Issue date: 2017-04-12

CVE Names: CVE-2016-0736 CVE-2016-2161 CVE-2016-8743

=====================================================================

 

1. Summary:

 

An update for httpd is now available for Red Hat Enterprise Linux 7.

 

Red Hat Product Security has rated this update as having a security impact

of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

gives a detailed severity rating, is available for each vulnerability from

the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

 

3. Description:

 

The httpd packages provide the Apache HTTP Server, a powerful, efficient,

and extensible web server.

 

Security Fix(es):

 

* It was discovered that the mod_session_crypto module of httpd did not use

any mechanisms to verify integrity of the encrypted session data stored in

the user's browser. A remote attacker could use this flaw to decrypt and

modify session data using a padding oracle attack. (CVE-2016-0736)

 

* It was discovered that the mod_auth_digest module of httpd did not

properly check for memory allocation failures. A remote attacker could use

this flaw to cause httpd child processes to repeatedly crash if the server

used HTTP digest authentication. (CVE-2016-2161)

 

* It was discovered that the HTTP parser in httpd incorrectly allowed

certain characters not permitted by the HTTP protocol specification to

appear unencoded in HTTP request headers. If httpd was used in conjunction

with a proxy or backend server that interpreted those characters

differently, a remote attacker could possibly use this flaw to inject data

into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)

 

Note: The fix for the CVE-2016-8743 issue causes httpd to return "400 Bad

Request" error to HTTP clients which do not strictly follow HTTP protocol

specification. A newly introduced configuration directive

"HttpProtocolOptions Unsafe" can be used to re-enable the old less strict

parsing. However, such setting also re-introduces the CVE-2016-8743 issue.

 

Bug Fix(es):

 

* When waking up child processes during a graceful restart, the httpd

parent process could attempt to open more connections than necessary if a

large number of child processes had been active prior to the restart.

Consequently, a graceful restart could take a long time to complete. With

this update, httpd has been fixed to limit the number of connections opened

during a graceful restart to the number of active children, and the

described problem no longer occurs. (BZ#1420002)

 

* Previously, httpd running in a container returned the 500 HTTP status

code (Internal Server Error) when a connection to a WebSocket server was

closed. As a consequence, the httpd server failed to deliver the correct

HTTP status and data to a client. With this update, httpd correctly handles

all proxied requests to the WebSocket server, and the described problem no

longer occurs. (BZ#1429947)

 

* In a configuration using LDAP authentication with the mod_authnz_ldap

module, the name set using the AuthLDAPBindDN directive was not correctly

used to bind to the LDAP server for all queries. Consequently,

authorization attempts failed. The LDAP modules have been fixed to ensure

the configured name is correctly bound for LDAP queries, and authorization

using LDAP no longer fails. (BZ#1420047)

 

4. Solution:

 

For details on how to apply this update, which includes the changes

described in this advisory, refer to:

 

https://access.redhat.com/articles/11258

 

After installing the updated packages, the httpd daemon will be restarted

automatically.

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1406744 - CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto

1406753 - CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest

1406822 - CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects

1420002 - Backport fix for issue with graceful restart taking very long time sometimes

1420047 - AuthLDAPBindDN might not be used for some LDAP searches causing LDAP authz failures

1429947 - Backport: mod_proxy_wstunnel - AH02447: err/hup on backconn

 

6. Package List:

 

Red Hat Enterprise Linux Client Optional (v. 7):

 

Source:

httpd-2.4.6-45.el7_3.4.src.rpm

 

noarch:

httpd-manual-2.4.6-45.el7_3.4.noarch.rpm

 

x86_64:

httpd-2.4.6-45.el7_3.4.x86_64.rpm

httpd-debuginfo-2.4.6-45.el7_3.4.x86_64.rpm

httpd-devel-2.4.6-45.el7_3.4.x86_64.rpm

httpd-tools-2.4.6-45.el7_3.4.x86_64.rpm

mod_ldap-2.4.6-45.el7_3.4.x86_64.rpm

mod_proxy_html-2.4.6-45.el7_3.4.x86_64.rpm

mod_session-2.4.6-45.el7_3.4.x86_64.rpm

mod_ssl-2.4.6-45.el7_3.4.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

 

Source:

httpd-2.4.6-45.el7_3.4.src.rpm

 

noarch:

httpd-manual-2.4.6-45.el7_3.4.noarch.rpm

 

x86_64:

httpd-2.4.6-45.el7_3.4.x86_64.rpm

httpd-debuginfo-2.4.6-45.el7_3.4.x86_64.rpm

httpd-devel-2.4.6-45.el7_3.4.x86_64.rpm

httpd-tools-2.4.6-45.el7_3.4.x86_64.rpm

mod_ldap-2.4.6-45.el7_3.4.x86_64.rpm

mod_proxy_html-2.4.6-45.el7_3.4.x86_64.rpm

mod_session-2.4.6-45.el7_3.4.x86_64.rpm

mod_ssl-2.4.6-45.el7_3.4.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 7):

 

Source:

httpd-2.4.6-45.el7_3.4.src.rpm

 

aarch64:

httpd-2.4.6-45.el7_3.4.aarch64.rpm

httpd-debuginfo-2.4.6-45.el7_3.4.aarch64.rpm

httpd-devel-2.4.6-45.el7_3.4.aarch64.rpm

httpd-tools-2.4.6-45.el7_3.4.aarch64.rpm

mod_ssl-2.4.6-45.el7_3.4.aarch64.rpm

 

noarch:

httpd-manual-2.4.6-45.el7_3.4.noarch.rpm

 

ppc64:

httpd-2.4.6-45.el7_3.4.ppc64.rpm

httpd-debuginfo-2.4.6-45.el7_3.4.ppc64.rpm

httpd-devel-2.4.6-45.el7_3.4.ppc64.rpm

httpd-tools-2.4.6-45.el7_3.4.ppc64.rpm

mod_ssl-2.4.6-45.el7_3.4.ppc64.rpm

 

ppc64le:

httpd-2.4.6-45.el7_3.4.ppc64le.rpm

httpd-debuginfo-2.4.6-45.el7_3.4.ppc64le.rpm

httpd-devel-2.4.6-45.el7_3.4.ppc64le.rpm

httpd-tools-2.4.6-45.el7_3.4.ppc64le.rpm

mod_ssl-2.4.6-45.el7_3.4.ppc64le.rpm

 

s390x:

httpd-2.4.6-45.el7_3.4.s390x.rpm

httpd-debuginfo-2.4.6-45.el7_3.4.s390x.rpm

httpd-devel-2.4.6-45.el7_3.4.s390x.rpm

httpd-tools-2.4.6-45.el7_3.4.s390x.rpm

mod_ssl-2.4.6-45.el7_3.4.s390x.rpm

 

x86_64:

httpd-2.4.6-45.el7_3.4.x86_64.rpm

httpd-debuginfo-2.4.6-45.el7_3.4.x86_64.rpm

httpd-devel-2.4.6-45.el7_3.4.x86_64.rpm

httpd-tools-2.4.6-45.el7_3.4.x86_64.rpm

mod_ssl-2.4.6-45.el7_3.4.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 7):

 

aarch64:

httpd-debuginfo-2.4.6-45.el7_3.4.aarch64.rpm

mod_ldap-2.4.6-45.el7_3.4.aarch64.rpm

mod_proxy_html-2.4.6-45.el7_3.4.aarch64.rpm

mod_session-2.4.6-45.el7_3.4.aarch64.rpm

 

ppc64:

httpd-debuginfo-2.4.6-45.el7_3.4.ppc64.rpm

mod_ldap-2.4.6-45.el7_3.4.ppc64.rpm

mod_proxy_html-2.4.6-45.el7_3.4.ppc64.rpm

mod_session-2.4.6-45.el7_3.4.ppc64.rpm

 

ppc64le:

httpd-debuginfo-2.4.6-45.el7_3.4.ppc64le.rpm

mod_ldap-2.4.6-45.el7_3.4.ppc64le.rpm

mod_proxy_html-2.4.6-45.el7_3.4.ppc64le.rpm

mod_session-2.4.6-45.el7_3.4.ppc64le.rpm

 

s390x:

httpd-debuginfo-2.4.6-45.el7_3.4.s390x.rpm

mod_ldap-2.4.6-45.el7_3.4.s390x.rpm

mod_proxy_html-2.4.6-45.el7_3.4.s390x.rpm

mod_session-2.4.6-45.el7_3.4.s390x.rpm

 

x86_64:

httpd-debuginfo-2.4.6-45.el7_3.4.x86_64.rpm

mod_ldap-2.4.6-45.el7_3.4.x86_64.rpm

mod_proxy_html-2.4.6-45.el7_3.4.x86_64.rpm

mod_session-2.4.6-45.el7_3.4.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 7):

 

Source:

httpd-2.4.6-45.el7_3.4.src.rpm

 

noarch:

httpd-manual-2.4.6-45.el7_3.4.noarch.rpm

 

x86_64:

httpd-2.4.6-45.el7_3.4.x86_64.rpm

httpd-debuginfo-2.4.6-45.el7_3.4.x86_64.rpm

httpd-devel-2.4.6-45.el7_3.4.x86_64.rpm

httpd-tools-2.4.6-45.el7_3.4.x86_64.rpm

mod_ssl-2.4.6-45.el7_3.4.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 7):

 

x86_64:

httpd-debuginfo-2.4.6-45.el7_3.4.x86_64.rpm

mod_ldap-2.4.6-45.el7_3.4.x86_64.rpm

mod_proxy_html-2.4.6-45.el7_3.4.x86_64.rpm

mod_session-2.4.6-45.el7_3.4.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2016-0736

https://access.redhat.com/security/cve/CVE-2016-2161

https://access.redhat.com/security/cve/CVE-2016-8743

https://access.redhat.com/security/updates/classification/#moderate

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2017 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFY7n2lXlSAg2UNWIIRAn0EAJ95hoSJjNM/kZUXd8Ae6G5J3pXXHACfTIfP

pb07muMthgb6w7tJ0kAuc4o=

=gSHO

-----END PGP SIGNATURE-----

 

 

--

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×