(RHSA-2018:2187) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update

2018-07-12T20:04:13
ID RHSA-2018:2187
Type redhat
Reporter RedHat
Modified 2018-07-12T20:04:35

Description

This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release.

This release upgrades OpenSSL to version 1.0.2.n

Security Fix(es):

  • openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182)

  • openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302)

  • openssl: certificate message OOB reads (CVE-2016-6306)

  • openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055)

  • openssl: Truncated packet could crash via OOB read (CVE-2017-3731)

  • openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)

  • openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

  • openssl: Read/write after SSL object in error state (CVE-2017-3737)

  • openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306 and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6306.