logo
DATABASE RESOURCES PRICING ABOUT US

(RHSA-2017:3194) Important: httpd security update

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788) * It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167) * A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169) * A buffer over-read flaw was found in the httpd's ap_find_token() function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request. (CVE-2017-7668) * A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679) * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Red Hat would like to thank Hanno Böck for reporting CVE-2017-9798.


Affected Package


OS OS Version Package Name Package Version
RedHat 7 httpd-manual 2.4.6-45.el7_3.5
RedHat 7 httpd-devel 2.4.6-45.el7_3.5
RedHat 7 httpd-debuginfo 2.4.6-45.el7_3.5
RedHat 7 httpd 2.4.6-45.el7_3.5
RedHat 7 httpd 2.4.6-45.el7_3.5
RedHat 7 httpd-tools 2.4.6-45.el7_3.5
RedHat 7 mod_ldap 2.4.6-45.el7_3.5
RedHat 7 httpd-tools 2.4.6-45.el7_3.5
RedHat 7 mod_ssl 2.4.6-45.el7_3.5
RedHat 7 mod_proxy_html 2.4.6-45.el7_3.5
RedHat 7 httpd-debuginfo 2.4.6-45.el7_3.5
RedHat 7 httpd 2.4.6-45.el7_3.5
RedHat 7 mod_proxy_html 2.4.6-45.el7_3.5
RedHat 7 mod_session 2.4.6-45.el7_3.5
RedHat 7 httpd-devel 2.4.6-45.el7_3.5
RedHat 7 httpd-tools 2.4.6-45.el7_3.5
RedHat 7 mod_session 2.4.6-45.el7_3.5
RedHat 7 mod_ssl 2.4.6-45.el7_3.5
RedHat 7 httpd-devel 2.4.6-45.el7_3.5
RedHat 7 httpd-debuginfo 2.4.6-45.el7_3.5
RedHat 7 mod_proxy_html 2.4.6-45.el7_3.5
RedHat 7 httpd-devel 2.4.6-45.el7_3.5
RedHat 7 mod_ldap 2.4.6-45.el7_3.5
RedHat 7 mod_session 2.4.6-45.el7_3.5
RedHat 7 httpd-debuginfo 2.4.6-45.el7_3.5
RedHat 7 mod_ldap 2.4.6-45.el7_3.5
RedHat 7 mod_session 2.4.6-45.el7_3.5
RedHat 7 mod_proxy_html 2.4.6-45.el7_3.5
RedHat 7 mod_ssl 2.4.6-45.el7_3.5
RedHat 7 httpd 2.4.6-45.el7_3.5
RedHat 7 httpd-tools 2.4.6-45.el7_3.5
RedHat 7 mod_ldap 2.4.6-45.el7_3.5
RedHat 7 mod_ssl 2.4.6-45.el7_3.5
RedHat 7 httpd 2.4.6-45.el7_3.5

Related