First published: Thu Aug 16 2018
This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release.

Security Fix(es):

* expat: Out-of-bounds heap read on crafted input causing crash (CVE-2016-0718)
* curl: escape and unescape integer overflows (CVE-2016-7167)
* curl: Cookie injection for other servers (CVE-2016-8615)
* curl: Case insensitive password comparison (CVE-2016-8616)
* curl: Out-of-bounds write via unchecked multiplication (CVE-2016-8617)
* curl: Double-free in curl_maprintf (CVE-2016-8618)
* curl: Double-free in krb5 code (CVE-2016-8619)
* curl: curl_getdate out-of-bounds read (CVE-2016-8621)
* curl: URL unescape heap overflow via integer truncation (CVE-2016-8622)
* curl: Use-after-free via shared cookies (CVE-2016-8623)
* curl: Invalid URL parsing with '#' (CVE-2016-8624)
* curl: IDNA 2003 makes curl use wrong host (CVE-2016-8625)
* libxml2: out-of-bounds read (unfixed CVE-2016-4483 in JBCS) (CVE-2016-9598)
* pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3) (CVE-2017-6004)
* pcre: Invalid Unicode property lookup (8.41/7, 10.24/2) (CVE-2017-7186)
* pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c) (CVE-2017-7244)
* pcre: stack-based buffer overflow write in pcre32_copy_substring (CVE-2017-7245)
* pcre: stack-based buffer overflow write in pcre32_copy_substring (CVE-2017-7246)
* curl: FTP PWD response parser out of bounds read (CVE-2017-1000254)
* curl: IMAP FETCH response out of bounds read (CVE-2017-1000257)
* curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP (CVE-2018-0500)

Details around each issue, including information about the CVE, the severity of the issue, and the CVSS score, can be found on the CVE page listed in the Reference section below.

The following packages have been upgraded to a newer upstream version:

* Curl (7.57.0)
* OpenSSL (1.0.2n)
* Expat (2.2.5)
* PCRE (8.41)
* libxml2 (2.9.7)

Acknowledgements:

CVE-2017-1000254: Red Hat would like to thank Daniel Stenberg for reporting this issue. Upstream acknowledges Max Dymond as the original reporter.

CVE-2017-1000257: Red Hat would like to thank the Curl project for reporting this issue. Upstream acknowledges Brian Carpenter (the OSS-Fuzz project) as the original reporter.

CVE-2018-0500: Red Hat would like to thank the Curl project for reporting this issue.
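Because JBCS ships its own builds of curl, OpenSSL, expat, PCRE and libxml2, the practical question after reading the list above is whether a given installation is still below the component versions this release delivers. The following Python script is an added example, not part of the advisory and not Red Hat's tooling: it parses the first line of `curl --version` (run against the curl binary inside the JBCS installation, not the operating system's) and reports every bundled component older than the version RHSA-2018:2486 ships. The sample `curl --version` line is constructed for illustration, not captured from a real system; the fixed versions are the ones the advisory lists.

```python
# Added example (not part of the advisory or of Red Hat's tooling): gate a JBCS
# installation against the component versions delivered by RHSA-2018:2486.
import re

# Upstream versions the advisory says this release ships (taken from the page).
FIXED_BY_RHSA_2018_2486 = {
    "curl": "7.57.0",
    "openssl": "1.0.2n",
    "expat": "2.2.5",
    "pcre": "8.41",
    "libxml2": "2.9.7",
}


def parse_version(text):
    """Turn '1.0.2n' into ((1, 0, 2), 'n') so versions compare numerically.

    Plain string comparison gets '7.9.1' > '7.57.0' wrong, and OpenSSL 1.0.x
    marks patch releases with a trailing letter, so the letter is kept as a
    second key that sorts after the bare number. Trailing '.0' parts are
    dropped so '8.41' and '8.41.0' compare equal.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums), m.group(2)


def parse_curl_version_line(line):
    """Extract component versions from the first line of `curl --version`,
    which names the libraries curl was built against as 'name/version' tokens.
    Names are lower-cased so they match the FIXED_BY_RHSA_2018_2486 keys."""
    found = {}
    m = re.match(r"curl (\S+)", line)
    if m:
        found["curl"] = m.group(1)
    for name, version in re.findall(r"(\w+)/(\d[\w.]*)", line):
        found[name.lower()] = version
    return found


def outdated(observed, fixed=FIXED_BY_RHSA_2018_2486):
    """Return {component: (observed, fixed)} for every component whose observed
    version is older than what the advisory ships. Components absent from
    `observed` are skipped rather than guessed."""
    result = {}
    for name, fixed_version in fixed.items():
        if name in observed and parse_version(observed[name]) < parse_version(fixed_version):
            result[name] = (observed[name], fixed_version)
    return result


# Constructed sample, shaped like the first line of `curl --version` from a
# pre-update build; it is not a real capture from a JBCS system.
SAMPLE_CURL_VERSION = (
    "curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 "
    "OpenSSL/1.0.2k zlib/1.2.8 libidn/1.28"
)

if __name__ == "__main__":
    report = outdated(parse_curl_version_line(SAMPLE_CURL_VERSION))
    for name, (have, need) in sorted(report.items()):
        print(f"{name}: installed {have}, RHSA-2018:2486 ships {need}")
```

On the constructed sample the script flags curl (7.47.1 < 7.57.0) and OpenSSL (1.0.2k < 1.0.2n); expat, PCRE and libxml2 are not reported because `curl --version` does not name them, so those still need to be checked from the package manager or the library binaries themselves.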
Affected Software | Affected Version | How to fix |
---|---|---|
Red Hat JBoss Core Services httpd | Apache HTTP Server 2.4.23 packages (replaced by this release) | Update to the JBCS Apache HTTP Server 2.4.29 packages (RHSA-2018:2486) |
SecAlerts classifies RHSA-2018:2486 as Normal severity; Red Hat's own impact rating and the per-CVE CVSS scores are on the CVE pages the advisory references.
To fix RHSA-2018:2486, update the JBoss Core Services Apache HTTP Server packages to the 2.4.29 release or later. The curl, OpenSSL, expat, PCRE and libxml2 fixes listed above are delivered as part of these JBCS packages (they are the components the advisory lists as upgraded), not through the operating system's own library packages, so updating the OS copies of those libraries does not address this advisory.
RHSA-2018:2486 affects the Apache HTTP Server packages included in JBoss Core Services, that is, the 2.4.23 release that this update replaces.
The previous version, 2.4.23, had bugs and the security issues listed above that are fixed in version 2.4.29 according to RHSA-2018:2486.
RHSA-2018:2486 includes bug fixes, enhancements and component upgrades over the previously released version of the Apache HTTP Server.