RHSA-2016:2957: Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release
First published: Thu Dec 15 2016(Updated: )
This release of Red Hat JBoss Core Services httpd 2.4.23 serves as a replacement for JBoss Core Services Apache HTTP Server 2.4.6.<br>Security Fix(es):<br><li> This update fixes several flaws in OpenSSL. (CVE-2014-8176, CVE-2015-0209, CVE-2015-0286, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-3216, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2177, CVE-2016-2178, CVE-2016-2842)</li> <li> This update fixes several flaws in libxml2. (CVE-2016-1762, CVE-2016-1833, CVE-2016-1834, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, CVE-2016-1840, CVE-2016-3627, CVE-2016-3705, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449, CVE-2016-4483)</li> <li> This update fixes three flaws in curl. (CVE-2016-5419, CVE-2016-5420, CVE-2016-7141)</li> <li> This update fixes two flaws in httpd. (CVE-2014-3523, CVE-2015-3185)</li> <li> This update fixes two flaws in mod_cluster. (CVE-2016-4459, CVE-2016-8612)</li> <li> A buffer overflow flaw when concatenating virtual host names and URIs was fixed in mod_jk. (CVE-2016-6808)</li> <li> A memory leak flaw was fixed in expat. (CVE-2012-1148)</li> Red Hat would like to thank the OpenSSL project for reporting CVE-2014-8176, CVE-2015-0286, CVE-2016-2108, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842. The CVE-2016-4459 issue was discovered by Robert Bost (Red Hat). Upstream acknowledges Stephen Henson (OpenSSL development team) as the original reporter of CVE-2015-0286; Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2105, CVE-2016-2106, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842; Juraj Somorovsky as the original reporter of CVE-2016-2107; Yuval Yarom (University of Adelaide and NICTA), Daniel Genkin (Technion and Tel Aviv University), and Nadia Heninger (University of Pennsylvania) as the original reporters of CVE-2016-0702; and Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705.<br>See the corresponding CVE pages linked to in the References section for more information about each of the flaws listed in this advisory.
| Affected Software | Affected Version | How to fix |
|---|
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=801648
- https://bugzilla.redhat.com/show_bug.cgi?id=1121519
- https://bugzilla.redhat.com/show_bug.cgi?id=1196737
- https://bugzilla.redhat.com/show_bug.cgi?id=1202366
- https://bugzilla.redhat.com/show_bug.cgi?id=1227574
- https://bugzilla.redhat.com/show_bug.cgi?id=1228611
- https://bugzilla.redhat.com/show_bug.cgi?id=1243888
- https://bugzilla.redhat.com/show_bug.cgi?id=1288320
- https://bugzilla.redhat.com/show_bug.cgi?id=1288322
- https://bugzilla.redhat.com/show_bug.cgi?id=1288326
- https://bugzilla.redhat.com/show_bug.cgi?id=1310596
- https://bugzilla.redhat.com/show_bug.cgi?id=1310599
- https://bugzilla.redhat.com/show_bug.cgi?id=1311880
- https://bugzilla.redhat.com/show_bug.cgi?id=1312219
- https://bugzilla.redhat.com/show_bug.cgi?id=1314757
- https://bugzilla.redhat.com/show_bug.cgi?id=1319829
- https://bugzilla.redhat.com/show_bug.cgi?id=1330101
- https://bugzilla.redhat.com/show_bug.cgi?id=1331402
- https://bugzilla.redhat.com/show_bug.cgi?id=1331426
- https://bugzilla.redhat.com/show_bug.cgi?id=1331441
- https://bugzilla.redhat.com/show_bug.cgi?id=1331536
- https://bugzilla.redhat.com/show_bug.cgi?id=1332443
- https://bugzilla.redhat.com/show_bug.cgi?id=1332820
- https://bugzilla.redhat.com/show_bug.cgi?id=1338682
- https://bugzilla.redhat.com/show_bug.cgi?id=1338686
- https://bugzilla.redhat.com/show_bug.cgi?id=1338691
- https://bugzilla.redhat.com/show_bug.cgi?id=1338696
- https://bugzilla.redhat.com/show_bug.cgi?id=1338700
- https://bugzilla.redhat.com/show_bug.cgi?id=1338701
- https://bugzilla.redhat.com/show_bug.cgi?id=1338702
- https://bugzilla.redhat.com/show_bug.cgi?id=1338703
- https://bugzilla.redhat.com/show_bug.cgi?id=1338705
- https://bugzilla.redhat.com/show_bug.cgi?id=1338706
- https://bugzilla.redhat.com/show_bug.cgi?id=1338708
- https://bugzilla.redhat.com/show_bug.cgi?id=1338711
- https://bugzilla.redhat.com/show_bug.cgi?id=1341583
- https://bugzilla.redhat.com/show_bug.cgi?id=1341705
- https://bugzilla.redhat.com/show_bug.cgi?id=1343400
- https://bugzilla.redhat.com/show_bug.cgi?id=1362183
- https://bugzilla.redhat.com/show_bug.cgi?id=1362190
- https://bugzilla.redhat.com/show_bug.cgi?id=1373229
- https://bugzilla.redhat.com/show_bug.cgi?id=1382352
- https://bugzilla.redhat.com/show_bug.cgi?id=1387605
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=distributions&version=2.4.23
- https://access.redhat.com/documentation/en/red-hat-jboss-core-services-apache-http-server/version-2.4.23/apache-http-server-2423-release-notes/
- https://access.redhat.com/errata/RHSA-2016:2957 (Advisory)
- collector/redhat-errata
- anchor-id/RHSA-2016:2957
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness