what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2019-3436-01

Red Hat Security Advisory 2019-3436-01
Posted Nov 6, 2019
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2019-3436-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Issues addressed include a bypass vulnerability.

tags | advisory, web, bypass
systems | linux, redhat
advisories | CVE-2019-0217, CVE-2019-0220
SHA-256 | 197db91df8c41dc3f8c39be0b4314dbf16142a8bc3fa91c06006a76563d65737

Red Hat Security Advisory 2019-3436-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: httpd:2.4 security and bug fix update
Advisory ID: RHSA-2019:3436-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3436
Issue date: 2019-11-05
CVE Names: CVE-2019-0217 CVE-2019-0220
=====================================================================

1. Summary:

An update for the httpd:2.4 module is now available for Red Hat Enterprise
Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.

Security Fix(es):

* httpd: mod_auth_digest: access control bypass due to race condition
(CVE-2019-0217)

* httpd: URL normalization inconsistency (CVE-2019-0220)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1669221 - `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang
1673022 - httpd can not be started with mod_md enabled
1695020 - CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condition
1695036 - CVE-2019-0220 httpd: URL normalization inconsistency
1724549 - httpd response contains garbage in Content-Type header
1730721 - absolute path used for default state and runtime dir by default

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.src.rpm
mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.src.rpm

aarch64:
httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm

noarch:
httpd-filesystem-2.4.37-16.module+el8.1.0+4134+e6bad0ed.noarch.rpm
httpd-manual-2.4.37-16.module+el8.1.0+4134+e6bad0ed.noarch.rpm

ppc64le:
httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm

s390x:
httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm

x86_64:
httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-0217
https://access.redhat.com/security/cve/CVE-2019-0220
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXcHqAdzjgjWX9erEAQgpEA//avVkgMnuW9zYpnQoZzYKhFCUBa0oIfVm
5mfOqRVFoIbc6V3o5tjFPFMiRsENrBgJh5TDwfDYQC3K7bAAACkJbDWX7f/ICkeL
N7sBoFyjjlGSzlZIc7mRwXfgBABGVWuhzheUjNo79tbSl9/Pc1c48CkBLp8y6oWh
/0NkPSoBBNbFRXTfH+n08g23pRt3bCOKYD2eyKy9YDkt44B4xquaZ10BlGgUecSF
VbCPxqDbBf5/YTLUs7oQxxAVpDNXjLDU/vCyoyPs1t+xZfO4A1FUVkjWWzgvsRsi
nsp+hev4krSSsXgyY4RCXPlyzg8ZS26z1vjYoFE76Lwgx1hWPw8uGwMuytgiSD+4
0j1Rm2eZU5RpVk2qWFlmWqgUzh7gUuo2DX/LDx7t8tAirJqhyA1sJcTF716yAWvm
r+oUHLJWDHUZlu3HxRHVnI7j4cbrt9NcpTQ1Ff5k8s9/Co6TIi4mmjgKO2HuZzpa
DlL7P2khZsC+ZevQPql9NT5hZsPqIPzFp7vFGLRTMbZwQHpSLu/oOJK4K+VtQ6T2
adsBcKk9Sj37l7FSv1+cvzNNDko+RyRzgpqqhUDJE1m4uLjzLMrmH5mC+AzoC8ha
oiVasqJTmjxbfPq/t0ylKzKEPK3UhNHmXFgbVIbeSqUCab9GjkHDL0Bg5Jr55Ia3
X1dPeeL6YJ4=
=TB9K
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close