CWE: CWE-416 (Use After Free)
Advisory Published

RHSA-2017:3018: Moderate: httpd24 security, bug fix, and enhancement update

First published: Tue Oct 24 2017

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.

The following packages have been upgraded to a later upstream version: httpd24-httpd (2.4.27). (BZ#1461819)

Security Fix(es):

  • A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause the httpd child process to crash. (CVE-2017-9798)

Red Hat would like to thank Hanno Böck for reporting this issue.

Bug Fix(es):

  • The httpd package installation script tried to create both the "apache" user and group in a single "useradd" command. Consequently, when the "apache" group had already been created on the system, the command failed, and the "apache" user was not created. To fix this bug, the "apache" group is now created by a separate command, and the "apache" user is correctly created during httpd installation even when the "apache" group exists. (BZ#1486843)

  • When installing the httpd24 Software Collection using the "yum" command, if the "apache" group already existed on the system with a GID other than 48, the "apache" user was not created. This update fixes the bug. (BZ#1487164)

  • With this update, it is possible to run the mod_rewrite external mapping program as a non-root user. (BZ#1486832)

  • On a Red Hat Enterprise Linux 6 system, when the httpd service was stopped twice in a row by running the "service httpd stop" command, a misleading message was returned: "Stopping httpd: [FAILED]". This bug has been fixed. (BZ#1418395)

  • When the "service httpd24-httpd graceful" command was used on Red Hat Enterprise Linux 7 while the httpd24-httpd service was not running, the daemon was started without being tracked by systemd. As a consequence, the daemon ran in an incorrect SELinux domain. This bug has been fixed, and the httpd daemon runs in the correct SELinux domain in the described scenario. (BZ#1440858)

Enhancement(s):

  • With this update, the mod_ssl module supports the ALPN protocol on Red Hat Enterprise Linux 7.4 and later versions. (BZ#1327548)

For further details, see the Red Hat Software Collections 3.0 Release Notes linked from the References section.

Affected Software                   Affected Version        How to fix
redhat/httpd24                      < 1.1-18.el7            1.1-18.el7
redhat/httpd24-runtime              < 1.1-18.el7            1.1-18.el7
redhat/httpd24-scldevel             < 1.1-18.el7            1.1-18.el7
redhat/httpd24-httpd                < 2.4.27-8.el7          2.4.27-8.el7
redhat/httpd24-httpd-debuginfo      < 2.4.27-8.el7          2.4.27-8.el7
redhat/httpd24-httpd-devel          < 2.4.27-8.el7          2.4.27-8.el7
redhat/httpd24-httpd-manual         < 2.4.27-8.el7          2.4.27-8.el7
redhat/httpd24-httpd-tools          < 2.4.27-8.el7          2.4.27-8.el7
redhat/httpd24-curl                 < 7.47.1-4.el7          7.47.1-4.el7
redhat/httpd24-curl-debuginfo       < 7.47.1-4.el7          7.47.1-4.el7
redhat/httpd24-libcurl              < 7.47.1-4.el7          7.47.1-4.el7
redhat/httpd24-libcurl-devel        < 7.47.1-4.el7          7.47.1-4.el7
redhat/httpd24-nghttp2              < 1.7.1-6.el7           1.7.1-6.el7
redhat/httpd24-nghttp2-debuginfo    < 1.7.1-6.el7           1.7.1-6.el7
redhat/httpd24-libnghttp2           < 1.7.1-6.el7           1.7.1-6.el7
redhat/httpd24-libnghttp2-devel     < 1.7.1-6.el7           1.7.1-6.el7
redhat/httpd24                      < 1.1-18.el7.aa         1.1-18.el7.aa
redhat/httpd24-runtime              < 1.1-18.el7.aa         1.1-18.el7.aa
redhat/httpd24-scldevel             < 1.1-18.el7.aa         1.1-18.el7.aa
redhat/httpd24-httpd                < 2.4.27-8.el7.aa       2.4.27-8.el7.aa
redhat/httpd24-httpd-debuginfo      < 2.4.27-8.el7.aa       2.4.27-8.el7.aa
redhat/httpd24-httpd-devel          < 2.4.27-8.el7.aa       2.4.27-8.el7.aa
redhat/httpd24-httpd-tools          < 2.4.27-8.el7.aa       2.4.27-8.el7.aa
redhat/httpd24-curl                 < 7.47.1-4.el7.aa       7.47.1-4.el7.aa
redhat/httpd24-curl-debuginfo       < 7.47.1-4.el7.aa       7.47.1-4.el7.aa
redhat/httpd24-libcurl              < 7.47.1-4.el7.aa       7.47.1-4.el7.aa
redhat/httpd24-libcurl-devel        < 7.47.1-4.el7.aa       7.47.1-4.el7.aa
redhat/httpd24-nghttp2              < 1.7.1-6.el7.aa        1.7.1-6.el7.aa
redhat/httpd24-nghttp2-debuginfo    < 1.7.1-6.el7.aa        1.7.1-6.el7.aa
redhat/httpd24-libnghttp2           < 1.7.1-6.el7.aa        1.7.1-6.el7.aa
redhat/httpd24-libnghttp2-devel     < 1.7.1-6.el7.aa        1.7.1-6.el7.aa
redhat/httpd24                      < 1.1-18.el6            1.1-18.el6
redhat/httpd24-runtime              < 1.1-18.el6            1.1-18.el6
redhat/httpd24-scldevel             < 1.1-18.el6            1.1-18.el6
redhat/httpd24-httpd                < 2.4.27-8.el6          2.4.27-8.el6
redhat/httpd24-httpd-debuginfo      < 2.4.27-8.el6          2.4.27-8.el6
redhat/httpd24-httpd-devel          < 2.4.27-8.el6          2.4.27-8.el6
redhat/httpd24-httpd-manual         < 2.4.27-8.el6          2.4.27-8.el6
redhat/httpd24-httpd-tools          < 2.4.27-8.el6          2.4.27-8.el6
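A check that compares installed httpd24 package versions against the fixed versions in the table above, added here as an example; it is not Red Hat's or SecAlerts' code. It assumes the packages carry no epoch, reimplements a simplified rpm version ordering (no tilde or caret handling), and runs on a constructed sample of `rpm -qa` output rather than querying a live host.

```python
import re
# Fixed version-release per source package, from the advisory's "How to fix"
# column (dist tag appended when comparing); subpackages share it.
_FIXED = {
    "el7": {"httpd": "2.4.27-8", "curl": "7.47.1-4", "nghttp2": "1.7.1-6", "meta": "1.1-18"},
    "el6": {"httpd": "2.4.27-8", "meta": "1.1-18"},
}

def _source_of(name):  # binary package name -> source-package key in _FIXED
    if name in ("httpd24", "httpd24-runtime", "httpd24-scldevel"):
        return "meta"
    for key in ("httpd", "curl", "nghttp2"):
        if name.startswith(("httpd24-" + key, "httpd24-lib" + key)):
            return key
    return None

def rpmvercmp(a, b):
    """Simplified rpm ordering: numeric runs compare as integers, alphabetic
    runs lexically, numeric beats alphabetic, leftover segments win a tie."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):  # 'name-version-release.arch' -> (name, version, release)
    nvr, _arch = line.strip().rsplit(".", 1)
    return tuple(nvr.rsplit("-", 2))

def is_vulnerable(line):
    """True if older than the fix, False if fixed/newer, None if not in the table."""
    name, version, release = parse_nvra(line)
    key, dist = _source_of(name), re.search(r"\.(el\d+)", release)
    if key is None or dist is None or key not in _FIXED.get(dist.group(1), {}):
        return None
    fixed_ver, fixed_rel = _FIXED[dist.group(1)][key].split("-")
    cmp = rpmvercmp(version, fixed_ver) or rpmvercmp(release, fixed_rel + "." + dist.group(1))
    return cmp < 0

# Constructed sample of `rpm -qa 'httpd24*'` output, not from a real host.
SAMPLE = """httpd24-httpd-2.4.27-5.el7.x86_64
httpd24-httpd-tools-2.4.27-8.el7.x86_64
httpd24-curl-7.47.1-3.el7.x86_64
httpd24-runtime-1.1-18.el6.x86_64"""

def vulnerable_packages(text=SAMPLE):
    return [parse_nvra(l)[0] for l in text.splitlines() if is_vulnerable(l)]
```

On a real host, feed it the output of `rpm -qa 'httpd24*'`; a `None` result means the package or dist tag is outside the advisory's table and needs a manual look.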


Frequently Asked Questions

  • What is the severity of RHSA-2017:3018?

    The severity of RHSA-2017:3018 is classified as important.

  • How do I fix RHSA-2017:3018?

    To fix RHSA-2017:3018, update the affected packages to the specified versions as recommended in the advisory.

  • What packages are affected by RHSA-2017:3018?

    Affected packages include httpd24, httpd24-httpd, httpd24-curl, and others as detailed in the advisory.

  • Is RHSA-2017:3018 applicable to all Red Hat versions?

    RHSA-2017:3018 specifically pertains to Red Hat Enterprise Linux versions 6 and 7.

  • What potential risks are associated with RHSA-2017:3018?

    Ignoring RHSA-2017:3018 may expose the system to security vulnerabilities that could be exploited by attackers.
