Executive Summary
Summary | |
---|---|
Title | httpd24-httpd security, bug fix, and enhancement update |
Informations | |||
---|---|---|---|
Name | RHSA-2019:4126 | First vendor Publication | 2019-12-10 |
Vendor | RedHat | Last vendor Modification | 2019-12-10 |
Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:S/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: An update for httpd24, httpd24-httpd, and httpd24-nghttp2 is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module. Security Fix(es): * httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199) * httpd: mod_auth_digest: access control bypass due to race condition (CVE-2019-0217) * httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097) * httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189) * httpd: URL normalization inconsistency (CVE-2019-0220) * httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang (BZ#1669213) * httpd can not be started with mod_md enabled (BZ#1673019) * Rebuild metapackage with latest scl-utils (BZ#1696527) * fix a regression introduced in r1740928 (BZ#1707636) * duplicated cookie in Apache httpd with mod_session (BZ#1725922) * Unexpected OCSP in proxy SSL connection (BZ#1744120) Enhancement(s): * RFE: updated collection for httpd 2.4 (BZ#1726706) Additional Changes: For detailed information on changes in this release, see the Red Hat Software Collections 3.4 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1668493 - CVE-2018-17199 httpd: mod_session_cookie does not respect expiry time 1668497 - CVE-2018-17189 httpd: mod_http2: DoS via slow, unneeded request bodies 1669213 - `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang 1673019 - httpd can not be started with mod_md enabled 1695020 - CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condition 1695036 - CVE-2019-0220 httpd: URL normalization inconsistency 1696527 - Rebuild metapackage with latest scl-utils 1707636 - fix a regression introduced in r1740928 1725922 - duplicated cookie in Apache httpd with mod_session 1743956 - CVE-2019-10092 httpd: limited cross-site scripting in mod_proxy error page 1743996 - CVE-2019-10097 httpd: null-pointer dereference in mod_remoteip 1744120 - Unexpected OCSP in proxy SSL connection |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2019-4126.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
14 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
14 % | CWE-706 | Use of Incorrectly-Resolved Name or Reference |
14 % | CWE-476 | NULL Pointer Dereference |
14 % | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
14 % | CWE-384 | Session Fixation |
14 % | CWE-362 | Race Condition |
14 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Snort® IPS/IDS
Date | Description |
---|---|
2021-01-12 | Apache Server mod_proxy Error Page cross site scripting attempt RuleID : 56563 - Revision : 1 - Type : SERVER-WEBAPP |
2020-01-21 | Apache httpd mod_remoteip heap buffer overflow attempt RuleID : 52494 - Revision : 1 - Type : SERVER-APACHE |
Alert History
Date | Informations |
---|---|
2020-03-19 13:19:43 |
|