RHSA-2019:4126: Moderate: httpd24-httpd security, bug fix, and enhancement update
First published: Tue Dec 10 2019(Updated: )
The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.<br>Security Fix(es):<br><li> httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)</li> <li> httpd: mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)</li> <li> httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)</li> <li> httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)</li> <li> httpd: URL normalization inconsistency (CVE-2019-0220)</li> <li> httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.<br>Bug Fix(es):<br><li> `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang (BZ#1669213)</li> <li> httpd can not be started with mod_md enabled (BZ#1673019)</li> <li> Rebuild metapackage with latest scl-utils (BZ#1696527)</li> <li> fix a regression introduced in r1740928 (BZ#1707636)</li> <li> duplicated cookie in Apache httpd with mod_session (BZ#1725922)</li> <li> Unexpected OCSP in proxy SSL connection (BZ#1744120)</li> Enhancement(s):<br><li> RFE: updated collection for httpd 2.4 (BZ#1726706)</li> Additional Changes:<br>For detailed information on changes in this release, see the Red Hat Software Collections 3.4 Release Notes linked from the References section.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/httpd24 | <1.1-19.el7 | 1.1-19.el7 |
| redhat/httpd24-httpd | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-nghttp2 | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24 | <1.1-19.el7 | 1.1-19.el7 |
| redhat/httpd24-httpd | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-httpd-debuginfo | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-httpd-devel | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-httpd-manual | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-httpd-tools | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-libnghttp2 | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-libnghttp2-devel | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-nghttp2 | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-nghttp2-debuginfo | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-runtime | <1.1-19.el7 | 1.1-19.el7 |
| redhat/httpd24-scldevel | <1.1-19.el7 | 1.1-19.el7 |
| redhat/httpd24-httpd-debuginfo | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-httpd-devel | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-httpd-tools | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-libnghttp2 | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-libnghttp2-devel | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-nghttp2-debuginfo | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-runtime | <1.1-19.el7 | 1.1-19.el7 |
| redhat/httpd24-scldevel | <1.1-19.el7 | 1.1-19.el7 |
| redhat/httpd24 | <1.1-19.el7 | 1.1-19.el7 |
| redhat/httpd24-httpd | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-httpd-debuginfo | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-httpd-devel | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-httpd-tools | <2.4.34-15.el7 | 2.4.34-15.el7 |
| redhat/httpd24-libnghttp2 | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-libnghttp2-devel | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-nghttp2 | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-nghttp2-debuginfo | <1.7.1-8.el7 | 1.7.1-8.el7 |
| redhat/httpd24-runtime | <1.1-19.el7 | 1.1-19.el7 |
| redhat/httpd24-scldevel | <1.1-19.el7 | 1.1-19.el7 |
| redhat/httpd24 | <1.1-19.el7.aa | 1.1-19.el7.aa |
| redhat/httpd24-httpd | <2.4.34-15.el7.aa | 2.4.34-15.el7.aa |
| redhat/httpd24-httpd-debuginfo | <2.4.34-15.el7.aa | 2.4.34-15.el7.aa |
| redhat/httpd24-httpd-devel | <2.4.34-15.el7.aa | 2.4.34-15.el7.aa |
| redhat/httpd24-httpd-tools | <2.4.34-15.el7.aa | 2.4.34-15.el7.aa |
| redhat/httpd24-libnghttp2 | <1.7.1-8.el7.aa | 1.7.1-8.el7.aa |
| redhat/httpd24-libnghttp2-devel | <1.7.1-8.el7.aa | 1.7.1-8.el7.aa |
| redhat/httpd24-nghttp2 | <1.7.1-8.el7.aa | 1.7.1-8.el7.aa |
| redhat/httpd24-nghttp2-debuginfo | <1.7.1-8.el7.aa | 1.7.1-8.el7.aa |
| redhat/httpd24-runtime | <1.1-19.el7.aa | 1.1-19.el7.aa |
| redhat/httpd24-scldevel | <1.1-19.el7.aa | 1.1-19.el7.aa |
| redhat/httpd24 | <1.1-19.el6 | 1.1-19.el6 |
| redhat/httpd24-httpd | <2.4.34-15.el6 | 2.4.34-15.el6 |
| redhat/httpd24-nghttp2 | <1.7.1-8.el6 | 1.7.1-8.el6 |
| redhat/httpd24 | <1.1-19.el6 | 1.1-19.el6 |
| redhat/httpd24-build | <1.1-19.el6 | 1.1-19.el6 |
| redhat/httpd24-httpd | <2.4.34-15.el6 | 2.4.34-15.el6 |
| redhat/httpd24-httpd-debuginfo | <2.4.34-15.el6 | 2.4.34-15.el6 |
| redhat/httpd24-httpd-devel | <2.4.34-15.el6 | 2.4.34-15.el6 |
| redhat/httpd24-httpd-manual | <2.4.34-15.el6 | 2.4.34-15.el6 |
| redhat/httpd24-httpd-tools | <2.4.34-15.el6 | 2.4.34-15.el6 |
| redhat/httpd24-libnghttp2 | <1.7.1-8.el6 | 1.7.1-8.el6 |
| redhat/httpd24-libnghttp2-devel | <1.7.1-8.el6 | 1.7.1-8.el6 |
| redhat/httpd24-nghttp2 | <1.7.1-8.el6 | 1.7.1-8.el6 |
| redhat/httpd24-nghttp2-debuginfo | <1.7.1-8.el6 | 1.7.1-8.el6 |
| redhat/httpd24-runtime | <1.1-19.el6 | 1.1-19.el6 |
| redhat/httpd24-scldevel | <1.1-19.el6 | 1.1-19.el6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1668493
- https://bugzilla.redhat.com/show_bug.cgi?id=1668497
- https://bugzilla.redhat.com/show_bug.cgi?id=1669213
- https://bugzilla.redhat.com/show_bug.cgi?id=1673019
- https://bugzilla.redhat.com/show_bug.cgi?id=1695020
- https://bugzilla.redhat.com/show_bug.cgi?id=1695036
- https://bugzilla.redhat.com/show_bug.cgi?id=1696527
- https://bugzilla.redhat.com/show_bug.cgi?id=1707636
- https://bugzilla.redhat.com/show_bug.cgi?id=1725922
- https://bugzilla.redhat.com/show_bug.cgi?id=1743956
- https://bugzilla.redhat.com/show_bug.cgi?id=1743996
- https://bugzilla.redhat.com/show_bug.cgi?id=1744120
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.4_release_notes/
- https://access.redhat.com/errata/RHSA-2019:4126 (Advisory)
Frequently Asked Questions
What is the severity of RHSA-2019:4126?
The severity of RHSA-2019:4126 is classified as important.
How do I fix RHSA-2019:4126?
To fix RHSA-2019:4126, update your Apache HTTP Server packages to the latest versions listed in the advisory.
Which versions of Apache are affected by RHSA-2019:4126?
RHSA-2019:4126 affects the httpd24 packages and specific versions of the Apache HTTP Server, including 2.4.34 and earlier.
What vulnerabilities are addressed in RHSA-2019:4126?
RHSA-2019:4126 addresses issues in mod_session_cookie that do not respect expiration, exposing potential security weaknesses.
When was RHSA-2019:4126 released?
RHSA-2019:4126 was released on December 18, 2019.
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2019:4126
- agent/software-canonical-lookup
- package-manager/redhat