- Issued:
- 2015-08-24
- Updated:
- 2015-08-24
RHSA-2015:1666 - Moderate: httpd24-httpd security update
Synopsis
Moderate: httpd24-httpd security update
Type/Severity
Security Advisory Moderate
Topic
Updated httpd24-httpd packages that fix multiple security issues are now available for Red Hat Software Collections 2.
Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Description
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)
It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)
Note: This update introduces new a new API function, ap_some_authn_required(), which correctly indicates if a request is authenticated. External httpd modules using the old API function should be modified to use the new one to completely resolve this issue.
A denial of service flaw was found in the way the mod_lua httpd module processed certain WebSocket Ping requests. A remote attacker could send a specially crafted WebSocket Ping packet that would cause the httpd child process to crash. (CVE-2015-0228)
A NULL pointer dereference flaw was found in the way httpd generated certain error responses. A remote attacker could possibly use this flaw to crash the httpd child process using a request that triggers a certain HTTP error. (CVE-2015-0253)
All httpd24-httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd24-httpd service will be restarted automatically.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Software Collections (for RHEL Workstation) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Workstation) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) from RHUI | 1 | x86_64 |
| Red Hat Software Collections (for RHEL Server) from RHUI | 1 | x86_64 |
Updated Packages
- httpd24-httpd-2.4.12-6.el7.1.src.rpm
- httpd24-httpd-devel-2.4.12-6.el7.1.x86_64.rpm
- httpd24-httpd-2.4.12-4.el6.2.src.rpm
- httpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm
- httpd24-httpd-2.4.12-4.el6.2.x86_64.rpm
- httpd24-httpd-debuginfo-2.4.12-6.el7.1.x86_64.rpm
- httpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm
- httpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm
- httpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm
- httpd24-httpd-manual-2.4.12-6.el7.1.noarch.rpm
- httpd24-httpd-2.4.12-6.el7.1.x86_64.rpm
- httpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm
- httpd24-mod_ldap-2.4.12-6.el7.1.x86_64.rpm
- httpd24-mod_ssl-2.4.12-6.el7.1.x86_64.rpm
- httpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm
- httpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm
- httpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm
- httpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm
- httpd24-httpd-tools-2.4.12-6.el7.1.x86_64.rpm
- httpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm
Fixes
- This content is not included.BZ - 1202988
- This content is not included.BZ - 1243887
- This content is not included.BZ - 1243888
- This content is not included.BZ - 1243891
CVEs
References
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.