CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.963 High
Percentile: 99.5%
The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.
The following packages have been upgraded to a later upstream version: httpd24-httpd (2.4.34), httpd24-curl (7.61.1). (BZ#1590833, BZ#1648928)
Security Fix(es):
httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications (CVE-2018-1283)
httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause DoS (CVE-2018-1303)
httpd: mod_http2: Too much time allocated to workers, possibly leading to DoS (CVE-2018-1333)
httpd: DoS for HTTP/2 connections by continuous SETTINGS frames (CVE-2018-11763)
httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
httpd: <FilesMatch> bypass with a trailing newline in the file name (CVE-2017-15715)
httpd: Out of bounds access after failure in reading the HTTP request (CVE-2018-1301)
httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
curl: Multiple security issues were fixed in httpd24-curl (CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254, CVE-2017-1000257, CVE-2017-7407, CVE-2017-8816, CVE-2017-8817, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122, CVE-2018-1000301, CVE-2018-14618)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank the Curl project for reporting CVE-2017-8816, CVE-2017-8817, CVE-2017-1000254, CVE-2017-1000257, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000122, CVE-2018-1000301, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2018-14618, and CVE-2018-1000121. Upstream acknowledges Alex Nichols as the original reporter of CVE-2017-8816; the OSS-Fuzz project as the original reporter of CVE-2017-8817 and CVE-2018-1000301; Max Dymond as the original reporter of CVE-2017-1000254 and CVE-2018-1000122; Brian Carpenter and the OSS-Fuzz project as the original reporters of CVE-2017-1000257; Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Even Rouault as the original reporter of CVE-2017-1000100; Brian Carpenter as the original reporter of CVE-2017-1000101; Zhaoyang Wu as the original reporter of CVE-2018-14618; and Dario Weisser as the original reporter of CVE-2018-1000121.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Software Collections 3.2 Release Notes linked from the References section.
OS | OS Version | Architecture | Package | Affected Version | Fixed Package Filename |
---|---|---|---|---|---|
RedHat | 6 | x86_64 | httpd24-httpd-devel | < 2.4.34-7.el6 | httpd24-httpd-devel-2.4.34-7.el6.x86_64.rpm |
RedHat | 7 | x86_64 | httpd24-mod_ldap | < 2.4.34-7.el7 | httpd24-mod_ldap-2.4.34-7.el7.x86_64.rpm |
RedHat | 7 | aarch64 | httpd24-curl | < 7.61.1-1.el7 | httpd24-curl-7.61.1-1.el7.aarch64.rpm |
RedHat | 7 | s390x | httpd24-mod_session | < 2.4.34-7.el7 | httpd24-mod_session-2.4.34-7.el7.s390x.rpm |
RedHat | 7 | x86_64 | httpd24-mod_session | < 2.4.34-7.el7 | httpd24-mod_session-2.4.34-7.el7.x86_64.rpm |
RedHat | 7 | aarch64 | httpd24-libcurl-devel | < 7.61.1-1.el7 | httpd24-libcurl-devel-7.61.1-1.el7.aarch64.rpm |
RedHat | 7 | x86_64 | httpd24-httpd-tools | < 2.4.34-7.el7 | httpd24-httpd-tools-2.4.34-7.el7.x86_64.rpm |
RedHat | 7 | aarch64 | httpd24-libnghttp2 | < 1.7.1-7.el7 | httpd24-libnghttp2-1.7.1-7.el7.aarch64.rpm |
RedHat | 6 | x86_64 | httpd24-httpd | < 2.4.34-7.el6 | httpd24-httpd-2.4.34-7.el6.x86_64.rpm |
RedHat | 7 | aarch64 | httpd24-httpd | < 2.4.34-7.el7 | httpd24-httpd-2.4.34-7.el7.aarch64.rpm |