RHSA-2017:3193: Important: httpd security update
First published: Mon Nov 13 2017(Updated: )
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.<br>Security Fix(es):<br><li> It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)</li> <li> It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167)</li> <li> A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)</li> <li> A buffer over-read flaw was found in the httpd's ap_find_token() function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request. (CVE-2017-7668)</li> <li> A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679)</li> <li> A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)</li> Red Hat would like to thank Hanno Böck for reporting CVE-2017-9798.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/httpd | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd-debuginfo | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd-devel | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd-manual | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd-tools | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd-debuginfo | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd-devel | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd-tools | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd-debuginfo | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd-devel | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
| redhat/httpd-tools | <2.4.6-40.el7_2.6 | 2.4.6-40.el7_2.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of RHSA-2017:3193?
The severity of RHSA-2017:3193 is categorized as moderate.
How do I fix RHSA-2017:3193?
To fix RHSA-2017:3193, you should upgrade the httpd package to version 2.4.6-40.el7_2.6 or later.
What is RHSA-2017:3193 about?
RHSA-2017:3193 addresses a memory initialization flaw in the mod_auth_digest module of the httpd package.
Which packages are affected by RHSA-2017:3193?
RHSA-2017:3193 affects several httpd packages, including httpd, httpd-devel, and httpd-tools, among others.
Is RHSA-2017:3193 applicable to all systems?
RHSA-2017:3193 is specifically applicable to systems running the affected versions of Red Hat's httpd package.
- agent/weakness
- agent/type
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/title
- agent/description
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2017:3193
- agent/software-canonical-lookup
- agent/remedy
- agent/references
- agent/tags
- agent/event
- agent/source
- package-manager/redhat