7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.972 High
EPSS
Percentile
99.8%
The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.
The following packages have been upgraded to a later upstream version: httpd24-httpd (2.4.27). (BZ#1461819)
Security Fix(es):
Red Hat would like to thank Hanno Böck for reporting this issue.
Bug Fix(es):
The httpd package installation script tried to create both the “apache” user and group in a single “useradd” command. Consequently, when the “apache” group had already been created on the system, the command failed, and the “apache” user was not created. To fix this bug, the “apache” group is now created by a separate command, and the “apache” user is correctly created during httpd installation even when the “apache” group exists. (BZ#1486843)
When installing the httpd24 Software Collection using the “yum” command, if the “apache” group already existed on the system with GID other than 48, the “apache” user was not created. This update fixes the bug. (BZ#1487164)
With this update, it is possible to run the mod_rewrite external mapping program as a non-root user. (BZ#1486832)
On a Red Hat Enterprise Linux 6 system, when the httpd service was stopped twice in a row by running the “service httpd stop” command, a misleading message was returned: “Stopping httpd: [FAILED]”. This bug has been fixed. (BZ#1418395)
When the “service httpd24-httpd graceful” command was used on Red Hat Enterprise Linux 7 while the httpd24-httpd service was not running, the daemon was started without being tracked by systemd. As a consequence, the daemon ran in an incorrect SELinux domain. This bug has been fixed, and the httpd daemon runs in the correct SELinux domain in the described scenario. (BZ#1440858)
Enhancement(s):
For further details, see the Red Hat Software Collections 3.0 Release Notes linked from the References section.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.972 High
EPSS
Percentile
99.8%