(RHSA-2017:3018) Moderate: httpd24 security, bug fix, and enhancement update

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.

The following packages have been upgraded to a later upstream version: httpd24-httpd (2.4.27). (BZ#1461819)

Security Fix(es):

• A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)

Red Hat would like to thank Hanno Böck for reporting this issue.

Bug Fix(es):

• The httpd package installation script tried to create both the “apache” user and group in a single “useradd” command. Consequently, when the “apache” group had already been created on the system, the command failed, and the “apache” user was not created. To fix this bug, the “apache” group is now created by a separate command, and the “apache” user is correctly created during httpd installation even when the “apache” group exists. (BZ#1486843)

• When installing the httpd24 Software Collection using the “yum” command, if the “apache” group already existed on the system with GID other than 48, the “apache” user was not created. This update fixes the bug. (BZ#1487164)

• With this update, it is possible to run the mod_rewrite external mapping program as a non-root user. (BZ#1486832)

• On a Red Hat Enterprise Linux 6 system, when the httpd service was stopped twice in a row by running the “service httpd stop” command, a misleading message was returned: “Stopping httpd: [FAILED]”. This bug has been fixed. (BZ#1418395)

• When the “service httpd24-httpd graceful” command was used on Red Hat Enterprise Linux 7 while the httpd24-httpd service was not running, the daemon was started without being tracked by systemd. As a consequence, the daemon ran in an incorrect SELinux domain. This bug has been fixed, and the httpd daemon runs in the correct SELinux domain in the described scenario. (BZ#1440858)

Enhancement(s):

• With this update, the mod_ssl module supports the ALPN protocol on Red Hat Enterprise Linux 7.4 and later versions. (BZ#1327548)

For further details, see the Red Hat Software Collections 3.0 Release Notes linked from the References section.