RHSA-2019:3932: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 6

First published: Wed Nov 20 2019(Updated: )

This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services offering.<br>This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.29 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.<br>Security Fix(es):<br><li> openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys (CVE-2018-0737) * openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734) * mod_auth_digest: access control bypass due to race condition (CVE-2019-0217) * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407) * mod_session_cookie does not respect expiry time (CVE-2018-17199) * mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189) * mod_http2: possible crash on late upgrade (CVE-2019-0197) * mod_http2: read-after-free on a string compare (CVE-2019-0196) * nghttp2: HTTP/2: large amount of data request leads to denial of service (CVE-2019-9511) * nghttp2: HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513) * mod_http2: HTTP/2: 0-length headers leads to denial of service (CVE-2019-9516) * mod_http2: HTTP/2: request for large response leads to denial of service (CVE-2019-9517)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Software	Affected Version	How to fix
redhat/jbcs-httpd24-apr	<1.6.3-63.jbcs.el6	1.6.3-63.jbcs.el6
redhat/jbcs-httpd24-apr-util	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-brotli	<1.0.6-7.jbcs.el6	1.0.6-7.jbcs.el6
redhat/jbcs-httpd24-curl	<7.64.1-14.jbcs.el6	7.64.1-14.jbcs.el6
redhat/jbcs-httpd24-httpd	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-jansson	<2.11-20.jbcs.el6	2.11-20.jbcs.el6
redhat/jbcs-httpd24-nghttp2	<1.39.2-4.jbcs.el6	1.39.2-4.jbcs.el6
redhat/jbcs-httpd24-openssl	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-apr	<1.6.3-63.jbcs.el6	1.6.3-63.jbcs.el6
redhat/jbcs-httpd24-apr-debuginfo	<1.6.3-63.jbcs.el6	1.6.3-63.jbcs.el6
redhat/jbcs-httpd24-apr-devel	<1.6.3-63.jbcs.el6	1.6.3-63.jbcs.el6
redhat/jbcs-httpd24-apr-util	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-debuginfo	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-devel	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-ldap	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-mysql	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-nss	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-odbc	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-openssl	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-pgsql	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-sqlite	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-brotli	<1.0.6-7.jbcs.el6	1.0.6-7.jbcs.el6
redhat/jbcs-httpd24-brotli-debuginfo	<1.0.6-7.jbcs.el6	1.0.6-7.jbcs.el6
redhat/jbcs-httpd24-brotli-devel	<1.0.6-7.jbcs.el6	1.0.6-7.jbcs.el6
redhat/jbcs-httpd24-curl	<7.64.1-14.jbcs.el6	7.64.1-14.jbcs.el6
redhat/jbcs-httpd24-curl-debuginfo	<7.64.1-14.jbcs.el6	7.64.1-14.jbcs.el6
redhat/jbcs-httpd24-httpd	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-httpd-debuginfo	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-httpd-devel	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-httpd-manual	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-httpd-selinux	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-httpd-tools	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-jansson	<2.11-20.jbcs.el6	2.11-20.jbcs.el6
redhat/jbcs-httpd24-jansson-debuginfo	<2.11-20.jbcs.el6	2.11-20.jbcs.el6
redhat/jbcs-httpd24-jansson-devel	<2.11-20.jbcs.el6	2.11-20.jbcs.el6
redhat/jbcs-httpd24-libcurl	<7.64.1-14.jbcs.el6	7.64.1-14.jbcs.el6
redhat/jbcs-httpd24-libcurl-devel	<7.64.1-14.jbcs.el6	7.64.1-14.jbcs.el6
redhat/jbcs-httpd24-nghttp2	<1.39.2-4.jbcs.el6	1.39.2-4.jbcs.el6
redhat/jbcs-httpd24-nghttp2-debuginfo	<1.39.2-4.jbcs.el6	1.39.2-4.jbcs.el6
redhat/jbcs-httpd24-nghttp2-devel	<1.39.2-4.jbcs.el6	1.39.2-4.jbcs.el6
redhat/jbcs-httpd24-openssl	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-openssl-debuginfo	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-openssl-devel	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-openssl-libs	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-openssl-perl	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-openssl-static	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-apr-debuginfo	<1.6.3-63.jbcs.el6	1.6.3-63.jbcs.el6
redhat/jbcs-httpd24-apr-devel	<1.6.3-63.jbcs.el6	1.6.3-63.jbcs.el6
redhat/jbcs-httpd24-apr-util-debuginfo	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-devel	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-ldap	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-mysql	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-nss	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-odbc	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-openssl	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-pgsql	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-apr-util-sqlite	<1.6.1-48.jbcs.el6	1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-brotli-debuginfo	<1.0.6-7.jbcs.el6	1.0.6-7.jbcs.el6
redhat/jbcs-httpd24-brotli-devel	<1.0.6-7.jbcs.el6	1.0.6-7.jbcs.el6
redhat/jbcs-httpd24-curl-debuginfo	<7.64.1-14.jbcs.el6	7.64.1-14.jbcs.el6
redhat/jbcs-httpd24-httpd-debuginfo	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-httpd-devel	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-httpd-selinux	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-httpd-tools	<2.4.37-33.jbcs.el6	2.4.37-33.jbcs.el6
redhat/jbcs-httpd24-jansson-debuginfo	<2.11-20.jbcs.el6	2.11-20.jbcs.el6
redhat/jbcs-httpd24-jansson-devel	<2.11-20.jbcs.el6	2.11-20.jbcs.el6
redhat/jbcs-httpd24-libcurl	<7.64.1-14.jbcs.el6	7.64.1-14.jbcs.el6
redhat/jbcs-httpd24-libcurl-devel	<7.64.1-14.jbcs.el6	7.64.1-14.jbcs.el6
redhat/jbcs-httpd24-nghttp2-debuginfo	<1.39.2-4.jbcs.el6	1.39.2-4.jbcs.el6
redhat/jbcs-httpd24-nghttp2-devel	<1.39.2-4.jbcs.el6	1.39.2-4.jbcs.el6
redhat/jbcs-httpd24-openssl-debuginfo	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-openssl-devel	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-openssl-libs	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-openssl-perl	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6
redhat/jbcs-httpd24-openssl-static	<1.1.1-25.jbcs.el6	1.1.1-25.jbcs.el6

Never miss a vulnerability like this again

Reference Links

https://access.redhat.com/errata/RHSA-2019:3932 (Advisory)

agent/severity
agent/references
agent/type
agent/first-publish-date
agent/softwarecombine
agent/last-modified-date
agent/title
agent/event
agent/remedy
agent/weakness
agent/tags
agent/description
collector/redhat-errata
source/Red Hat
anchor-id/RHSA-2019:3932
agent/software-canonical-lookup
package-manager/redhat

RHSA-2019:3932: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 6

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact