Issued:: 2015-11-19
Updated:: 2015-11-19

RHBA-2015:2194 - httpd bug fix and enhancement update

Synopsis

httpd bug fix and enhancement update

Type/Severity

Bug Fix Advisory

Topic

Updated httpd packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 7.

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

This update fixes the following bugs:

The httpd daemon did not reset an internal array for storing variables defined using the "Define" directive. Consequently, variables could be undefined after a graceful restart. httpd has been fixed to reset this internal array during a graceful restart, and variables are now correctly defined in this scenario. (BZ#1227219)
The SSL_CLIENT_VERIFY environment variable was incorrectly handled when the "SSLVerifyClient optional_no_ca" and "SSLSessionCache" options were used. Consequently, when an SSL session was resumed, the SSL_CLIENT_VERIFY value was set to "SUCCESS" instead of the previously set "GENEROUS". SSL_CLIENT_VERIFY is now correctly set to GENEROUS in this scenario. (BZ#1170206)
The mod_ssl module did not call the ERR_free_strings method during its cleanup. Consequently, during the httpd daemon's reload, mod_ssl leaked memory. Now, ERR_free_strings is called by mod_ssl during the httpd reload, and mod_ssl no longer leaks memory. (BZ#1181690)
The status line of an HTTP response message from a server did not include the HTTP Reason-Phrase if the original response from the mod_proxy back-end server contained only a Status Code. Consequently, the server displayed only the Status Code to an HTTP client. HTTP clients now receive both the Status Code and Reason-Phrase. (BZ#1162159)
The mod_authz_dbm module requires the mod_authz_owner module but this dependency was not reflected in the mod_authz_dbm code. Consequently, when the "Require dbm-file-group" directive was used and mod_authz_dbm was loaded before mod_authz_owner, the httpd daemon terminated unexpectedly with a segmentation fault. The mod_authz_dbm code now allows loading before the mod_authz_owner module, and httpd no loner crashes in this scenario. (BZ#1221575)
The mod_proxy_fcgi module had a hardcoded 30-second timeout for a request. Consequently, it was impossible to change the timeout. mod_proxy_fcgi has been fixed to honor the Timeout or ProxyTimeout directives, and users are now able to configure the timeout of mod_proxy_fcgi. (BZ#1222328)
The mod_ssl method used for enabling Next Protocol Negotiation (NPN) support returned incorrect exit status when NPN was disabled. Consequently, although NPN was disabled by the configuration, mod_ssl continued to send it. The mod_ssl method now returns the correct value in this scenario, and mod_ssl no longer sends NPN unless configured to do so. (BZ#1226015)

The update adds these enhancements:

The default configuration of the mod_ssl module in the Apache HTTP Server no longer enables support for SSL cipher suites using the single IDEA or SEED encryption algorithms, which are known to be easily exploitable. (BZ#1118476)
The mod_proxy_wstunnel module is now enabled by default and it includes support for SSL connections in the "wss://" scheme. Additionally, it is possible to use the "ws://" scheme in the "mod_rewrite" directives. This allows for using WebSockets as a target to "mod_rewrite" and enabling WebSockets in the proxy module. (BZ#1180745)
Apache HTTP Server now supports Microsoft User Principal Name (UPN) in the SSLUserName directive. Users can now authenticate with their Common Access Card (CAC) or certificate with a UPN in it, and have their UPN used as authenticated user information, consumed by both the access control in Apache and using the REMOTE_USER environment variable or a similar mechanism in applications. As a result, users can now set "SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0" for authentication using UPN. (BZ#1242503)

Users of httpd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing the updated packages, the httpd daemon will be restarted automatically.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product	Version	Arch
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	7.7	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	7.6	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	7.4	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	7.3	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	7.7	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	7.6	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	7.5	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	7.4	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	7.3	x86_64
Red Hat Enterprise Linux for Scientific Computing	7	x86_64
Red Hat Enterprise Linux for Power, little endian	7	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	7.7	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	7.6	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	7.5	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	7.4	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	7.3	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	7.2	ppc64le
Red Hat Enterprise Linux for Power, big endian	7	ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support	7.7	ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support	7.6	ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support	7.5	ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support	7.4	ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support	7.3	ppc64
Red Hat Enterprise Linux for IBM z Systems	7	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	7.7	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	7.6	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	7.5	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	7.4	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	7.3	s390x
Red Hat Enterprise Linux Workstation	7	x86_64
Red Hat Enterprise Linux Server	7	x86_64
Red Hat Enterprise Linux Server from RHUI	7	x86_64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	7.7	ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	7.6	ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	7.4	ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	7.3	ppc64le
Red Hat Enterprise Linux Server - TUS	7.7	x86_64
Red Hat Enterprise Linux Server - TUS	7.6	x86_64
Red Hat Enterprise Linux Server - TUS	7.3	x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support	7	x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian	7	ppc64le
Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian	7	ppc64
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems)	7	s390x
Red Hat Enterprise Linux Server - AUS	7.7	x86_64
Red Hat Enterprise Linux Server - AUS	7.6	x86_64
Red Hat Enterprise Linux Server - AUS	7.4	x86_64
Red Hat Enterprise Linux Server - AUS	7.3	x86_64
Red Hat Enterprise Linux EUS Compute Node	7.7	x86_64
Red Hat Enterprise Linux EUS Compute Node	7.6	x86_64
Red Hat Enterprise Linux EUS Compute Node	7.5	x86_64
Red Hat Enterprise Linux EUS Compute Node	7.4	x86_64
Red Hat Enterprise Linux EUS Compute Node	7.3	x86_64
Red Hat Enterprise Linux Desktop	7	x86_64

Updated Packages

httpd-debuginfo-2.4.6-40.el7.x86_64.rpm
mod_proxy_html-2.4.6-40.el7.ppc64.rpm
mod_proxy_html-2.4.6-40.el7.x86_64.rpm
httpd-2.4.6-40.el7.ppc64le.rpm
httpd-devel-2.4.6-40.el7.s390x.rpm
httpd-devel-2.4.6-40.el7.ppc64.rpm
mod_session-2.4.6-40.el7.ppc64le.rpm
mod_session-2.4.6-40.el7.s390x.rpm
mod_ldap-2.4.6-40.el7.ppc64.rpm
mod_ssl-2.4.6-40.el7.s390x.rpm
httpd-tools-2.4.6-40.el7.ppc64le.rpm
mod_ssl-2.4.6-40.el7.ppc64.rpm
httpd-2.4.6-40.el7.s390x.rpm
mod_proxy_html-2.4.6-40.el7.ppc64le.rpm
mod_ssl-2.4.6-40.el7.ppc64le.rpm
httpd-devel-2.4.6-40.el7.aarch64.rpm
httpd-2.4.6-40.el7.src.rpm
httpd-debuginfo-2.4.6-40.el7.s390x.rpm
httpd-debuginfo-2.4.6-40.el7.aarch64.rpm
httpd-manual-2.4.6-40.el7.noarch.rpm
mod_session-2.4.6-40.el7.aarch64.rpm
httpd-tools-2.4.6-40.el7.ppc64.rpm
httpd-2.4.6-40.el7.ppc64.rpm
httpd-tools-2.4.6-40.el7.s390x.rpm
mod_proxy_html-2.4.6-40.el7.aarch64.rpm
httpd-debuginfo-2.4.6-40.el7.ppc64le.rpm
httpd-debuginfo-2.4.6-40.el7.ppc64.rpm
httpd-tools-2.4.6-40.el7.aarch64.rpm
mod_ldap-2.4.6-40.el7.ppc64le.rpm
httpd-2.4.6-40.el7.x86_64.rpm
httpd-devel-2.4.6-40.el7.ppc64le.rpm
httpd-tools-2.4.6-40.el7.x86_64.rpm
mod_session-2.4.6-40.el7.x86_64.rpm
mod_ssl-2.4.6-40.el7.aarch64.rpm
mod_ldap-2.4.6-40.el7.x86_64.rpm
httpd-devel-2.4.6-40.el7.x86_64.rpm
httpd-2.4.6-40.el7.aarch64.rpm
mod_ldap-2.4.6-40.el7.aarch64.rpm
mod_proxy_html-2.4.6-40.el7.s390x.rpm
mod_ldap-2.4.6-40.el7.s390x.rpm
mod_ssl-2.4.6-40.el7.x86_64.rpm
mod_session-2.4.6-40.el7.ppc64.rpm

Fixes

CVEs

CVE-2020-11985

References

http://www.redhat.com/security/updates/classification/#normal

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.