ESB-2017.2690 - [RedHat] httpd24: Denial of service - Remote/unauthenticated 2017-10-25

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2690
        Moderate: httpd24 security, bug fix, and enhancement update
                              25 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           httpd24
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux WS/Desktop 6
                   Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9798  

Reference:         ESB-2017.2651
                   ESB-2017.2558
                   ESB-2017.2513
                   ESB-2017.2384
                   ESB-2017.2369

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:3018

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd24 security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:3018-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3018
Issue date:        2017-10-24
CVE Names:         CVE-2017-9798 
=====================================================================

1. Summary:

An update for httpd24, httpd24-curl, httpd24-httpd, httpd24-mod_auth_kerb,
and httpd24-nghttp2 is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

The Apache HTTP Server is a powerful, efficient, and extensible web server.
The httpd24 packages provide a recent stable release of version 2.4 of the
Apache HTTP Server, along with the mod_auth_kerb module.

The following packages have been upgraded to a later upstream version:
httpd24-httpd (2.4.27). (BZ#1461819)

Security Fix(es):

* A use-after-free flaw was found in the way httpd handled invalid and
previously unregistered HTTP methods specified in the Limit directive used
in an .htaccess file. A remote attacker could possibly use this flaw to
disclose portions of the server memory, or cause httpd child process to
crash. (CVE-2017-9798)

Red Hat would like to thank Hanno Böck for reporting this issue.

Bug Fix(es):

* The httpd package installation script tried to create both the "apache"
user and group in a single "useradd" command. Consequently, when the
"apache" group had already been created on the system, the command failed,
and the "apache" user was not created. To fix this bug, the "apache" group
is now created by a separate command, and the "apache" user is correctly
created during httpd installation even when the "apache" group exists.
(BZ#1486843)

* When installing the httpd24 Software Collection using the "yum" command,
if the "apache" group already existed on the system with GID other than 48,
the "apache" user was not created. This update fixes the bug. (BZ#1487164)

* With this update, it is possible to run the mod_rewrite external mapping
program as a non-root user. (BZ#1486832)

* On a Red Hat Enterprise Linux 6 system, when the httpd service was
stopped twice in a row by running the "service httpd stop" command, a
misleading message was returned: "Stopping httpd: [FAILED]". This bug has
been fixed. (BZ#1418395)

* When the "service httpd24-httpd graceful" command was used on Red Hat
Enterprise Linux 7 while the httpd24-httpd service was not running, the
daemon was started without being tracked by systemd. As a consequence, the
daemon ran in an incorrect SELinux domain. This bug has been fixed, and the
httpd daemon runs in the correct SELinux domain in the described scenario.
(BZ#1440858)

Enhancement(s):

* With this update, the mod_ssl module supports the ALPN protocol on Red
Hat Enterprise Linux 7.4 and later versions. (BZ#1327548)

For further details, see the Red Hat Software Collections 3.0 Release Notes
linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1327548 - RFE: enable ALPN support in mod_ssl
1418395 - httpd stop prints failure if service already stopped
1428940 - mod_proxy_fcgi (more) wrong behavior with 304
1440858 - graceful start of stopped service fail
1457316 - [RFE] please consider using scl_package_override
1480506 - mod_authz_dbd segfaults when AuthzDBDQuery missing
1486843 - apache user is not created during httpd installation when apache group already exist
1487164 - apache user is not created during httpd installation when apache group already exist with GID other than 48
1488541 - rotatelogs %Z does not use correct timezone respecting DST
1490344 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
httpd24-1.1-18.el6.src.rpm
httpd24-httpd-2.4.27-8.el6.src.rpm

noarch:
httpd24-httpd-manual-2.4.27-8.el6.noarch.rpm

x86_64:
httpd24-1.1-18.el6.x86_64.rpm
httpd24-httpd-2.4.27-8.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.27-8.el6.x86_64.rpm
httpd24-httpd-devel-2.4.27-8.el6.x86_64.rpm
httpd24-httpd-tools-2.4.27-8.el6.x86_64.rpm
httpd24-mod_ldap-2.4.27-8.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.27-8.el6.x86_64.rpm
httpd24-mod_session-2.4.27-8.el6.x86_64.rpm
httpd24-mod_ssl-2.4.27-8.el6.x86_64.rpm
httpd24-runtime-1.1-18.el6.x86_64.rpm
httpd24-scldevel-1.1-18.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):

Source:
httpd24-1.1-18.el6.src.rpm
httpd24-httpd-2.4.27-8.el6.src.rpm

noarch:
httpd24-httpd-manual-2.4.27-8.el6.noarch.rpm

x86_64:
httpd24-1.1-18.el6.x86_64.rpm
httpd24-httpd-2.4.27-8.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.27-8.el6.x86_64.rpm
httpd24-httpd-devel-2.4.27-8.el6.x86_64.rpm
httpd24-httpd-tools-2.4.27-8.el6.x86_64.rpm
httpd24-mod_ldap-2.4.27-8.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.27-8.el6.x86_64.rpm
httpd24-mod_session-2.4.27-8.el6.x86_64.rpm
httpd24-mod_ssl-2.4.27-8.el6.x86_64.rpm
httpd24-runtime-1.1-18.el6.x86_64.rpm
httpd24-scldevel-1.1-18.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
httpd24-1.1-18.el6.src.rpm
httpd24-httpd-2.4.27-8.el6.src.rpm

noarch:
httpd24-httpd-manual-2.4.27-8.el6.noarch.rpm

x86_64:
httpd24-1.1-18.el6.x86_64.rpm
httpd24-httpd-2.4.27-8.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.27-8.el6.x86_64.rpm
httpd24-httpd-devel-2.4.27-8.el6.x86_64.rpm
httpd24-httpd-tools-2.4.27-8.el6.x86_64.rpm
httpd24-mod_ldap-2.4.27-8.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.27-8.el6.x86_64.rpm
httpd24-mod_session-2.4.27-8.el6.x86_64.rpm
httpd24-mod_ssl-2.4.27-8.el6.x86_64.rpm
httpd24-runtime-1.1-18.el6.x86_64.rpm
httpd24-scldevel-1.1-18.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
httpd24-1.1-18.el7.src.rpm
httpd24-curl-7.47.1-4.el7.src.rpm
httpd24-httpd-2.4.27-8.el7.src.rpm
httpd24-mod_auth_kerb-5.4-33.el7.src.rpm
httpd24-nghttp2-1.7.1-6.el7.src.rpm

aarch64:
httpd24-1.1-18.el7.aarch64.rpm
httpd24-curl-7.47.1-4.el7.aarch64.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.aarch64.rpm
httpd24-httpd-2.4.27-8.el7.aarch64.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.aarch64.rpm
httpd24-httpd-devel-2.4.27-8.el7.aarch64.rpm
httpd24-httpd-tools-2.4.27-8.el7.aarch64.rpm
httpd24-libcurl-7.47.1-4.el7.aarch64.rpm
httpd24-libcurl-devel-7.47.1-4.el7.aarch64.rpm
httpd24-libnghttp2-1.7.1-6.el7.aarch64.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.aarch64.rpm
httpd24-mod_auth_kerb-5.4-33.el7.aarch64.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.aarch64.rpm
httpd24-mod_ldap-2.4.27-8.el7.aarch64.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.aarch64.rpm
httpd24-mod_session-2.4.27-8.el7.aarch64.rpm
httpd24-mod_ssl-2.4.27-8.el7.aarch64.rpm
httpd24-nghttp2-1.7.1-6.el7.aarch64.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.aarch64.rpm
httpd24-runtime-1.1-18.el7.aarch64.rpm
httpd24-scldevel-1.1-18.el7.aarch64.rpm

noarch:
httpd24-httpd-manual-2.4.27-8.el7.noarch.rpm

ppc64le:
httpd24-1.1-18.el7.ppc64le.rpm
httpd24-curl-7.47.1-4.el7.ppc64le.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.ppc64le.rpm
httpd24-httpd-2.4.27-8.el7.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.ppc64le.rpm
httpd24-httpd-devel-2.4.27-8.el7.ppc64le.rpm
httpd24-httpd-tools-2.4.27-8.el7.ppc64le.rpm
httpd24-libcurl-7.47.1-4.el7.ppc64le.rpm
httpd24-libcurl-devel-7.47.1-4.el7.ppc64le.rpm
httpd24-libnghttp2-1.7.1-6.el7.ppc64le.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.ppc64le.rpm
httpd24-mod_auth_kerb-5.4-33.el7.ppc64le.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.ppc64le.rpm
httpd24-mod_ldap-2.4.27-8.el7.ppc64le.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.ppc64le.rpm
httpd24-mod_session-2.4.27-8.el7.ppc64le.rpm
httpd24-mod_ssl-2.4.27-8.el7.ppc64le.rpm
httpd24-nghttp2-1.7.1-6.el7.ppc64le.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.ppc64le.rpm
httpd24-runtime-1.1-18.el7.ppc64le.rpm
httpd24-scldevel-1.1-18.el7.ppc64le.rpm

s390x:
httpd24-1.1-18.el7.s390x.rpm
httpd24-curl-7.47.1-4.el7.s390x.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.s390x.rpm
httpd24-httpd-2.4.27-8.el7.s390x.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.s390x.rpm
httpd24-httpd-devel-2.4.27-8.el7.s390x.rpm
httpd24-httpd-tools-2.4.27-8.el7.s390x.rpm
httpd24-libcurl-7.47.1-4.el7.s390x.rpm
httpd24-libcurl-devel-7.47.1-4.el7.s390x.rpm
httpd24-libnghttp2-1.7.1-6.el7.s390x.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.s390x.rpm
httpd24-mod_auth_kerb-5.4-33.el7.s390x.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.s390x.rpm
httpd24-mod_ldap-2.4.27-8.el7.s390x.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.s390x.rpm
httpd24-mod_session-2.4.27-8.el7.s390x.rpm
httpd24-mod_ssl-2.4.27-8.el7.s390x.rpm
httpd24-nghttp2-1.7.1-6.el7.s390x.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.s390x.rpm
httpd24-runtime-1.1-18.el7.s390x.rpm
httpd24-scldevel-1.1-18.el7.s390x.rpm

x86_64:
httpd24-1.1-18.el7.x86_64.rpm
httpd24-curl-7.47.1-4.el7.x86_64.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.x86_64.rpm
httpd24-httpd-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-devel-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-tools-2.4.27-8.el7.x86_64.rpm
httpd24-libcurl-7.47.1-4.el7.x86_64.rpm
httpd24-libcurl-devel-7.47.1-4.el7.x86_64.rpm
httpd24-libnghttp2-1.7.1-6.el7.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.x86_64.rpm
httpd24-mod_auth_kerb-5.4-33.el7.x86_64.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.x86_64.rpm
httpd24-mod_ldap-2.4.27-8.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.x86_64.rpm
httpd24-mod_session-2.4.27-8.el7.x86_64.rpm
httpd24-mod_ssl-2.4.27-8.el7.x86_64.rpm
httpd24-nghttp2-1.7.1-6.el7.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.x86_64.rpm
httpd24-runtime-1.1-18.el7.x86_64.rpm
httpd24-scldevel-1.1-18.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):

Source:
httpd24-1.1-18.el7.src.rpm
httpd24-curl-7.47.1-4.el7.src.rpm
httpd24-httpd-2.4.27-8.el7.src.rpm
httpd24-mod_auth_kerb-5.4-33.el7.src.rpm
httpd24-nghttp2-1.7.1-6.el7.src.rpm

aarch64:
httpd24-1.1-18.el7.aarch64.rpm
httpd24-curl-7.47.1-4.el7.aarch64.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.aarch64.rpm
httpd24-httpd-2.4.27-8.el7.aarch64.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.aarch64.rpm
httpd24-httpd-devel-2.4.27-8.el7.aarch64.rpm
httpd24-httpd-tools-2.4.27-8.el7.aarch64.rpm
httpd24-libcurl-7.47.1-4.el7.aarch64.rpm
httpd24-libcurl-devel-7.47.1-4.el7.aarch64.rpm
httpd24-libnghttp2-1.7.1-6.el7.aarch64.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.aarch64.rpm
httpd24-mod_auth_kerb-5.4-33.el7.aarch64.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.aarch64.rpm
httpd24-mod_ldap-2.4.27-8.el7.aarch64.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.aarch64.rpm
httpd24-mod_session-2.4.27-8.el7.aarch64.rpm
httpd24-mod_ssl-2.4.27-8.el7.aarch64.rpm
httpd24-nghttp2-1.7.1-6.el7.aarch64.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.aarch64.rpm
httpd24-runtime-1.1-18.el7.aarch64.rpm
httpd24-scldevel-1.1-18.el7.aarch64.rpm

noarch:
httpd24-httpd-manual-2.4.27-8.el7.noarch.rpm

ppc64le:
httpd24-1.1-18.el7.ppc64le.rpm
httpd24-curl-7.47.1-4.el7.ppc64le.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.ppc64le.rpm
httpd24-httpd-2.4.27-8.el7.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.ppc64le.rpm
httpd24-httpd-devel-2.4.27-8.el7.ppc64le.rpm
httpd24-httpd-tools-2.4.27-8.el7.ppc64le.rpm
httpd24-libcurl-7.47.1-4.el7.ppc64le.rpm
httpd24-libcurl-devel-7.47.1-4.el7.ppc64le.rpm
httpd24-libnghttp2-1.7.1-6.el7.ppc64le.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.ppc64le.rpm
httpd24-mod_auth_kerb-5.4-33.el7.ppc64le.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.ppc64le.rpm
httpd24-mod_ldap-2.4.27-8.el7.ppc64le.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.ppc64le.rpm
httpd24-mod_session-2.4.27-8.el7.ppc64le.rpm
httpd24-mod_ssl-2.4.27-8.el7.ppc64le.rpm
httpd24-nghttp2-1.7.1-6.el7.ppc64le.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.ppc64le.rpm
httpd24-runtime-1.1-18.el7.ppc64le.rpm
httpd24-scldevel-1.1-18.el7.ppc64le.rpm

s390x:
httpd24-1.1-18.el7.s390x.rpm
httpd24-curl-7.47.1-4.el7.s390x.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.s390x.rpm
httpd24-httpd-2.4.27-8.el7.s390x.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.s390x.rpm
httpd24-httpd-devel-2.4.27-8.el7.s390x.rpm
httpd24-httpd-tools-2.4.27-8.el7.s390x.rpm
httpd24-libcurl-7.47.1-4.el7.s390x.rpm
httpd24-libcurl-devel-7.47.1-4.el7.s390x.rpm
httpd24-libnghttp2-1.7.1-6.el7.s390x.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.s390x.rpm
httpd24-mod_auth_kerb-5.4-33.el7.s390x.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.s390x.rpm
httpd24-mod_ldap-2.4.27-8.el7.s390x.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.s390x.rpm
httpd24-mod_session-2.4.27-8.el7.s390x.rpm
httpd24-mod_ssl-2.4.27-8.el7.s390x.rpm
httpd24-nghttp2-1.7.1-6.el7.s390x.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.s390x.rpm
httpd24-runtime-1.1-18.el7.s390x.rpm
httpd24-scldevel-1.1-18.el7.s390x.rpm

x86_64:
httpd24-1.1-18.el7.x86_64.rpm
httpd24-curl-7.47.1-4.el7.x86_64.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.x86_64.rpm
httpd24-httpd-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-devel-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-tools-2.4.27-8.el7.x86_64.rpm
httpd24-libcurl-7.47.1-4.el7.x86_64.rpm
httpd24-libcurl-devel-7.47.1-4.el7.x86_64.rpm
httpd24-libnghttp2-1.7.1-6.el7.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.x86_64.rpm
httpd24-mod_auth_kerb-5.4-33.el7.x86_64.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.x86_64.rpm
httpd24-mod_ldap-2.4.27-8.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.x86_64.rpm
httpd24-mod_session-2.4.27-8.el7.x86_64.rpm
httpd24-mod_ssl-2.4.27-8.el7.x86_64.rpm
httpd24-nghttp2-1.7.1-6.el7.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.x86_64.rpm
httpd24-runtime-1.1-18.el7.x86_64.rpm
httpd24-scldevel-1.1-18.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):

Source:
httpd24-1.1-18.el7.src.rpm
httpd24-curl-7.47.1-4.el7.src.rpm
httpd24-httpd-2.4.27-8.el7.src.rpm
httpd24-mod_auth_kerb-5.4-33.el7.src.rpm
httpd24-nghttp2-1.7.1-6.el7.src.rpm

aarch64:
httpd24-1.1-18.el7.aarch64.rpm
httpd24-curl-7.47.1-4.el7.aarch64.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.aarch64.rpm
httpd24-httpd-2.4.27-8.el7.aarch64.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.aarch64.rpm
httpd24-httpd-devel-2.4.27-8.el7.aarch64.rpm
httpd24-httpd-tools-2.4.27-8.el7.aarch64.rpm
httpd24-libcurl-7.47.1-4.el7.aarch64.rpm
httpd24-libcurl-devel-7.47.1-4.el7.aarch64.rpm
httpd24-libnghttp2-1.7.1-6.el7.aarch64.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.aarch64.rpm
httpd24-mod_auth_kerb-5.4-33.el7.aarch64.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.aarch64.rpm
httpd24-mod_ldap-2.4.27-8.el7.aarch64.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.aarch64.rpm
httpd24-mod_session-2.4.27-8.el7.aarch64.rpm
httpd24-mod_ssl-2.4.27-8.el7.aarch64.rpm
httpd24-nghttp2-1.7.1-6.el7.aarch64.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.aarch64.rpm
httpd24-runtime-1.1-18.el7.aarch64.rpm
httpd24-scldevel-1.1-18.el7.aarch64.rpm

noarch:
httpd24-httpd-manual-2.4.27-8.el7.noarch.rpm

ppc64le:
httpd24-1.1-18.el7.ppc64le.rpm
httpd24-curl-7.47.1-4.el7.ppc64le.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.ppc64le.rpm
httpd24-httpd-2.4.27-8.el7.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.ppc64le.rpm
httpd24-httpd-devel-2.4.27-8.el7.ppc64le.rpm
httpd24-httpd-tools-2.4.27-8.el7.ppc64le.rpm
httpd24-libcurl-7.47.1-4.el7.ppc64le.rpm
httpd24-libcurl-devel-7.47.1-4.el7.ppc64le.rpm
httpd24-libnghttp2-1.7.1-6.el7.ppc64le.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.ppc64le.rpm
httpd24-mod_auth_kerb-5.4-33.el7.ppc64le.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.ppc64le.rpm
httpd24-mod_ldap-2.4.27-8.el7.ppc64le.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.ppc64le.rpm
httpd24-mod_session-2.4.27-8.el7.ppc64le.rpm
httpd24-mod_ssl-2.4.27-8.el7.ppc64le.rpm
httpd24-nghttp2-1.7.1-6.el7.ppc64le.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.ppc64le.rpm
httpd24-runtime-1.1-18.el7.ppc64le.rpm
httpd24-scldevel-1.1-18.el7.ppc64le.rpm

s390x:
httpd24-1.1-18.el7.s390x.rpm
httpd24-curl-7.47.1-4.el7.s390x.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.s390x.rpm
httpd24-httpd-2.4.27-8.el7.s390x.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.s390x.rpm
httpd24-httpd-devel-2.4.27-8.el7.s390x.rpm
httpd24-httpd-tools-2.4.27-8.el7.s390x.rpm
httpd24-libcurl-7.47.1-4.el7.s390x.rpm
httpd24-libcurl-devel-7.47.1-4.el7.s390x.rpm
httpd24-libnghttp2-1.7.1-6.el7.s390x.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.s390x.rpm
httpd24-mod_auth_kerb-5.4-33.el7.s390x.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.s390x.rpm
httpd24-mod_ldap-2.4.27-8.el7.s390x.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.s390x.rpm
httpd24-mod_session-2.4.27-8.el7.s390x.rpm
httpd24-mod_ssl-2.4.27-8.el7.s390x.rpm
httpd24-nghttp2-1.7.1-6.el7.s390x.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.s390x.rpm
httpd24-runtime-1.1-18.el7.s390x.rpm
httpd24-scldevel-1.1-18.el7.s390x.rpm

x86_64:
httpd24-1.1-18.el7.x86_64.rpm
httpd24-curl-7.47.1-4.el7.x86_64.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.x86_64.rpm
httpd24-httpd-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-devel-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-tools-2.4.27-8.el7.x86_64.rpm
httpd24-libcurl-7.47.1-4.el7.x86_64.rpm
httpd24-libcurl-devel-7.47.1-4.el7.x86_64.rpm
httpd24-libnghttp2-1.7.1-6.el7.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.x86_64.rpm
httpd24-mod_auth_kerb-5.4-33.el7.x86_64.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.x86_64.rpm
httpd24-mod_ldap-2.4.27-8.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.x86_64.rpm
httpd24-mod_session-2.4.27-8.el7.x86_64.rpm
httpd24-mod_ssl-2.4.27-8.el7.x86_64.rpm
httpd24-nghttp2-1.7.1-6.el7.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.x86_64.rpm
httpd24-runtime-1.1-18.el7.x86_64.rpm
httpd24-scldevel-1.1-18.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
httpd24-1.1-18.el7.src.rpm
httpd24-curl-7.47.1-4.el7.src.rpm
httpd24-httpd-2.4.27-8.el7.src.rpm
httpd24-mod_auth_kerb-5.4-33.el7.src.rpm
httpd24-nghttp2-1.7.1-6.el7.src.rpm

noarch:
httpd24-httpd-manual-2.4.27-8.el7.noarch.rpm

x86_64:
httpd24-1.1-18.el7.x86_64.rpm
httpd24-curl-7.47.1-4.el7.x86_64.rpm
httpd24-curl-debuginfo-7.47.1-4.el7.x86_64.rpm
httpd24-httpd-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-devel-2.4.27-8.el7.x86_64.rpm
httpd24-httpd-tools-2.4.27-8.el7.x86_64.rpm
httpd24-libcurl-7.47.1-4.el7.x86_64.rpm
httpd24-libcurl-devel-7.47.1-4.el7.x86_64.rpm
httpd24-libnghttp2-1.7.1-6.el7.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-6.el7.x86_64.rpm
httpd24-mod_auth_kerb-5.4-33.el7.x86_64.rpm
httpd24-mod_auth_kerb-debuginfo-5.4-33.el7.x86_64.rpm
httpd24-mod_ldap-2.4.27-8.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.27-8.el7.x86_64.rpm
httpd24-mod_session-2.4.27-8.el7.x86_64.rpm
httpd24-mod_ssl-2.4.27-8.el7.x86_64.rpm
httpd24-nghttp2-1.7.1-6.el7.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-6.el7.x86_64.rpm
httpd24-runtime-1.1-18.el7.x86_64.rpm
httpd24-scldevel-1.1-18.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-9798
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/3/html/3.0_Release_Notes/chap-RHSCL.html#sect-RHSCL-Changes-httpd

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZ7wx4XlSAg2UNWIIRAhuIAJwOb2Z0Ndz6Ur8jzqW9OEMryjNRAACfSdgu
C82ZB9puazWLsMKLiXLe25w=
=b3wH
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWe/f9ox+lLeg9Ub1AQj66A/9GhQoV01Cff6YW+8vIQKtEWtAi19t0hgn
wyeFhOPfuTf20XzTEhURGzHTSYAjCze1Wn+cCyHJTjEZLlcmUh/AV0l7gn7J/piY
ukIp5iNFrYO5enIQvisJDxmZVgN5MZXtSqudhXB8nWbga0YzoPZv19YQjhw2goD5
zbBUJjEl/Yib47cncW3jgCneh/M6Zclhd7Y8gjb3l/fzpUwoeU/vF2dAyDhRZ77+
tDpiozz3fgWu0IkrJX+pLHUJCIFeqi8lcIX6Ly3/5WHhrfVGxnzm+hYY97RjotGV
bmz1j6ssRCQX4PhzluW+PMSTupxnpO1z7ifiZqoDKuRFcUqJgD4mj+uIY3n7GO01
uS0GCL7SBzKJ1mGnfuDlwmtBgRm7dGk5iHPkF3dNPYkGJ93joLx5k3Xve1rk+JtP
THxfYZ3xO1PtLbYxxvnKRzmIEIE9GwZRjpYiAqOCkesLCnZZXj+CLDmyGn+1QzHd
C4f3ez1XIOhjjpa38B2GLVqjBTU6AuN/pg0kcYlpbYDzSk6tTSIP403Ynwi1MZYx
Ip6r88aTqd3W8O4D3s0TWFEUeyUw4iTMEV6P4C2xrs46Ox2ImYhh0ML4sMpMd5NG
yU23/jIkspSzZZTqeP4syjg8kOOfe7v16uAyfn3XoncNa87sBPf1jbdnHdVzdkFP
woVVgHg/Yf8=
=lGrd
-----END PGP SIGNATURE-----

« Back to bulletins