First published: Mon Feb 18 2019
This release adds the new Apache HTTP Server 2.4.29 Service Pack 1 packages that are part of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.29, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release.

Security Fix(es):

* db4: libdb: Reads DB_CONFIG from the current working directory (CVE-2017-10140)
* httpd: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)
* httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
* httpd: Out of bound access after failure in reading the HTTP request (CVE-2018-1301)
* httpd: Use-after-free on HTTP/2 stream shutdown (CVE-2018-1302)
* httpd: <FilesMatch> bypass with a trailing newline in the file name (CVE-2017-15715)
* httpd: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
* httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause a denial of service (CVE-2018-1303)
* httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications (CVE-2018-1283)
* httpd: mod_http2: too much time allocated to workers, possibly leading to DoS (CVE-2018-1333)
* mod_jk: connector path traversal due to mishandled HTTP requests in httpd (CVE-2018-11759)
* nghttp2: Null pointer dereference when too large ALTSVC frame is received (CVE-2018-1000168)
* openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service (CVE-2018-0739)

Details around this issue, including information about the CVE, severity of the issue, and the CVSS score can be found on the CVE page listed in the Reference section below.

The CVE-2018-1000168 issue was discovered by The Nghttp2 Project.
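The `<FilesMatch>` entry above names a trailing-newline bypass. The regex pitfall behind that class of bug is that, in PCRE and in Python's `re`, an unanchored-mode `$` also matches just before a single newline at the very end of the subject, so a pattern meant to match `.php` at the end of a name also accepts `name.php\n`. The following is an added illustration, not code from the advisory or from the httpd project; the sample file names are constructed, and the assumption that this `$` behaviour is what the `<FilesMatch>` item refers to is mine. It shows the weak anchor beside a strict one and a simple pre-check a defender can apply to file names before matching them.

```python
import re

# Constructed sample file names (not taken from the advisory): a normal
# name and the same name with a newline appended.
SAMPLE_NAMES = ["secret.php", "secret.php\n"]

# Weak anchor: '$' matches at end-of-string OR just before a trailing
# newline, so "secret.php\n" is accepted. Assumption: this is the regex
# behaviour that lets a trailing newline slip past a <FilesMatch> rule.
WEAK_PATTERN = re.compile(r"\.php$")

# Strict anchor: Python's '\Z' matches only at the true end of the string.
# (In PCRE, which httpd uses, '\Z' still allows a final newline; the
# strict PCRE equivalent is '\z'.)
STRICT_PATTERN = re.compile(r"\.php\Z")


def has_trailing_newline(name: str) -> bool:
    """Defensive pre-check: reject names whose last character is a newline."""
    return name.endswith("\n") or name.endswith("\r")


def matches(pattern: re.Pattern, name: str) -> bool:
    """True when the pattern finds a match anywhere in the name."""
    return pattern.search(name) is not None


def classify(names, pattern: re.Pattern) -> dict:
    """Map each name to whether the given pattern accepts it."""
    return {n: matches(pattern, n) for n in names}


def accepted_by_strict_policy(name: str) -> bool:
    """Combine the pre-check with the strict anchor: a name is accepted only
    if it has no trailing newline AND matches the strict pattern."""
    return not has_trailing_newline(name) and matches(STRICT_PATTERN, name)


if __name__ == "__main__":
    for label, pat in (("weak", WEAK_PATTERN), ("strict", STRICT_PATTERN)):
        print(label, classify(SAMPLE_NAMES, pat))
```

Run as a script it prints the weak pattern accepting both names and the strict pattern accepting only `secret.php`; the `accepted_by_strict_policy` helper is the shape of check to apply wherever a file-name match gates access.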