- Issued:
- 2018-07-12
- Updated:
- 2018-07-12
RHSA-2018:2187 - Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update
Synopsis
Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update
Type/Severity
Security Advisory Moderate
Topic
Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are now available.
Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering.
This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release.
This release upgrades OpenSSL to version 1.0.2.n
Security Fix(es):
-
openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182)
-
openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302)
-
openssl: certificate message OOB reads (CVE-2016-6306)
-
openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055)
-
openssl: Truncated packet could crash via OOB read (CVE-2017-3731)
-
openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
-
openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
-
openssl: Read/write after SSL object in error state (CVE-2017-3737)
-
openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306 and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6306.
Solution
The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).
After installing the updated packages, the httpd daemon will be restarted automatically.
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat JBoss Core Services | Text-Only Advisories | x86_64 |
Fixes
- This content is not included.BZ - 1367340
- This content is not included.BZ - 1369855
- This content is not included.BZ - 1377594
- This content is not included.BZ - 1393929
- This content is not included.BZ - 1416852
- This content is not included.BZ - 1416856
- This content is not included.BZ - 1509169
- This content is not included.BZ - 1523504
- This content is not included.BZ - 1523510
CVEs
- CVE-2016-2182
- CVE-2016-6302
- CVE-2016-6306
- CVE-2016-7055
- CVE-2017-3731
- CVE-2017-3732
- CVE-2017-3736
- CVE-2017-3737
- CVE-2017-3738
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.29/
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.