- Vulnerability/
- RHSA-2017:1161
RHSA-2017:1161: Moderate: httpd24-httpd security, bug fix, and enhancement update
First published: Wed Apr 26 2017(Updated: )
The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.<br>The httpd24 Software Collection has been upgraded to version 2.4.25, which provides a number of bug fixes and enhancements over the previous version. For detailed changes, see the Red Hat Software Collections 2.4 Release Notes linked from the References section. (BZ#1404778)<br>Security Fix(es):<br><li> It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)</li> <li> A denial of service flaw was found in httpd's mod_http2 module. A remote attacker could use this flaw to block server threads for long times, causing starvation of worker threads, by manipulating the flow control windows on streams. (CVE-2016-1546)</li> <li> It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)</li> <li> It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)</li> Note: The fix for the CVE-2016-8743 issue causes httpd to return "400 Bad Request" error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive "HttpProtocolOptions Unsafe" can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue.<br><li> A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740)</li>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/httpd24-httpd | <2.4.25-9.el7 | 2.4.25-9.el7 |
| redhat/httpd24-httpd | <2.4.25-9.el7 | 2.4.25-9.el7 |
| redhat/httpd24-httpd-debuginfo | <2.4.25-9.el7 | 2.4.25-9.el7 |
| redhat/httpd24-httpd-devel | <2.4.25-9.el7 | 2.4.25-9.el7 |
| redhat/httpd24-httpd-manual | <2.4.25-9.el7 | 2.4.25-9.el7 |
| redhat/httpd24-httpd-tools | <2.4.25-9.el7 | 2.4.25-9.el7 |
| redhat/httpd24-httpd | <2.4.25-9.el6 | 2.4.25-9.el6 |
| redhat/httpd24-httpd | <2.4.25-9.el6 | 2.4.25-9.el6 |
| redhat/httpd24-httpd-debuginfo | <2.4.25-9.el6 | 2.4.25-9.el6 |
| redhat/httpd24-httpd-devel | <2.4.25-9.el6 | 2.4.25-9.el6 |
| redhat/httpd24-httpd-manual | <2.4.25-9.el6 | 2.4.25-9.el6 |
| redhat/httpd24-httpd-tools | <2.4.25-9.el6 | 2.4.25-9.el6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1329639
- https://bugzilla.redhat.com/show_bug.cgi?id=1335616
- https://bugzilla.redhat.com/show_bug.cgi?id=1336350
- https://bugzilla.redhat.com/show_bug.cgi?id=1401528
- https://bugzilla.redhat.com/show_bug.cgi?id=1406744
- https://bugzilla.redhat.com/show_bug.cgi?id=1406753
- https://bugzilla.redhat.com/show_bug.cgi?id=1406822
- https://bugzilla.redhat.com/show_bug.cgi?id=1414037
- https://bugzilla.redhat.com/show_bug.cgi?id=1432249
- https://bugzilla.redhat.com/show_bug.cgi?id=1433474
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/2/html/2.4_Release_Notes/chap-RHSCL.html#sect-RHSCL-Changes-httpd
- https://access.redhat.com/errata/RHSA-2017:1161 (Advisory)
Frequently Asked Questions
What is the severity of RHSA-2017:1161?
The severity of RHSA-2017:1161 is classified as moderate.
How do I fix RHSA-2017:1161?
To fix RHSA-2017:1161, upgrade to the updated packages version 2.4.25-9.el7 or 2.4.25-9.el6 as recommended.
What software is affected by RHSA-2017:1161?
RHSA-2017:1161 affects the httpd24-httpd package among others in the Red Hat Software Collections.
Is RHSA-2017:1161 applicable to all versions of the Apache HTTP Server?
No, RHSA-2017:1161 specifically applies to the 2.4.25 version of the Apache HTTP Server.
Can I continue to use Apache HTTP Server after RHSA-2017:1161 is reported?
It is not recommended to use Apache HTTP Server without applying the fixes for RHSA-2017:1161 due to potential vulnerabilities.
- agent/severity
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/title
- agent/description
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2017:1161
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/tags
- agent/source
- package-manager/redhat