RHSA-2017:3018: Moderate: httpd24 security, bug fix, and enhancement update

Published Oct 24, 2017
·
Updated

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the modauthkerb module.The following packages have been upgraded to a later upstream version: httpd24-httpd (2.4.27). (BZ#1461819)Security Fix(es): A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Red Hat would like to thank Hanno Böck for reporting this issue.Bug Fix(es): The httpd package installation script tried to create both the "apache" user and group in a single "useradd" command. Consequently, when the "apache" group had already been created on the system, the command failed, and the "apache" user was not created. To fix this bug, the "apache" group is now created by a separate command, and the "apache" user is correctly created during httpd installation even when the "apache" group exists. (BZ#1486843) When installing the httpd24 Software Collection using the "yum" command, if the "apache" group already existed on the system with GID other than 48, the "apache" user was not created. This update fixes the bug. (BZ#1487164) With this update, it is possible to run the modrewrite external mapping program as a non-root user. (BZ#1486832) On a Red Hat Enterprise Linux 6 system, when the httpd service was stopped twice in a row by running the "service httpd stop" command, a misleading message was returned: "Stopping httpd: [FAILED]". This bug has been fixed. (BZ#1418395) When the "service httpd24-httpd graceful" command was used on Red Hat Enterprise Linux 7 while the httpd24-httpd service was not running, the daemon was started without being tracked by systemd. As a consequence, the daemon ran in an incorrect SELinux domain. This bug has been fixed, and the httpd daemon runs in the correct SELinux domain in the described scenario. (BZ#1440858) Enhancement(s): With this update, the modssl module supports the ALPN protocol on Red Hat Enterprise Linux 7.4 and later versions. (BZ#1327548) For further details, see the Red Hat Software Collections 3.0 Release Notes linked from the References section.

Affected Software

71 affected componentsFixes available
redhat/httpd24<1.1-18.el7
1.1-18.el7
redhat/httpd24-curl<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-httpd<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-nghttp2<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24<1.1-18.el7
1.1-18.el7
redhat/httpd24-curl<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-curl-debuginfo<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-httpd<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-httpd-debuginfo<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-httpd-devel<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-httpd-manual<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-httpd-tools<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-libcurl<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-libcurl-devel<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-libnghttp2<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-libnghttp2-devel<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-nghttp2<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-nghttp2-debuginfo<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-runtime<1.1-18.el7
1.1-18.el7
redhat/httpd24-scldevel<1.1-18.el7
1.1-18.el7
redhat/httpd24-curl-debuginfo<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-httpd-debuginfo<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-httpd-devel<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-httpd-tools<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-libcurl<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-libcurl-devel<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-libnghttp2<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-libnghttp2-devel<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-nghttp2-debuginfo<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-runtime<1.1-18.el7
1.1-18.el7
redhat/httpd24-scldevel<1.1-18.el7
1.1-18.el7
redhat/httpd24<1.1-18.el7
1.1-18.el7
redhat/httpd24-curl<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-curl-debuginfo<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-httpd<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-httpd-debuginfo<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-httpd-devel<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-httpd-tools<2.4.27-8.el7
2.4.27-8.el7
redhat/httpd24-libcurl<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-libcurl-devel<7.47.1-4.el7
7.47.1-4.el7
redhat/httpd24-libnghttp2<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-libnghttp2-devel<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-nghttp2<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-nghttp2-debuginfo<1.7.1-6.el7
1.7.1-6.el7
redhat/httpd24-runtime<1.1-18.el7
1.1-18.el7
redhat/httpd24-scldevel<1.1-18.el7
1.1-18.el7
redhat/httpd24<1.1-18.el7.aa
1.1-18.el7.aa
redhat/httpd24-curl<7.47.1-4.el7.aa
7.47.1-4.el7.aa
redhat/httpd24-curl-debuginfo<7.47.1-4.el7.aa
7.47.1-4.el7.aa
redhat/httpd24-httpd<2.4.27-8.el7.aa
2.4.27-8.el7.aa
redhat/httpd24-httpd-debuginfo<2.4.27-8.el7.aa
2.4.27-8.el7.aa
redhat/httpd24-httpd-devel<2.4.27-8.el7.aa
2.4.27-8.el7.aa
redhat/httpd24-httpd-tools<2.4.27-8.el7.aa
2.4.27-8.el7.aa
redhat/httpd24-libcurl<7.47.1-4.el7.aa
7.47.1-4.el7.aa
redhat/httpd24-libcurl-devel<7.47.1-4.el7.aa
7.47.1-4.el7.aa
redhat/httpd24-libnghttp2<1.7.1-6.el7.aa
1.7.1-6.el7.aa
redhat/httpd24-libnghttp2-devel<1.7.1-6.el7.aa
1.7.1-6.el7.aa
redhat/httpd24-nghttp2<1.7.1-6.el7.aa
1.7.1-6.el7.aa
redhat/httpd24-nghttp2-debuginfo<1.7.1-6.el7.aa
1.7.1-6.el7.aa
redhat/httpd24-runtime<1.1-18.el7.aa
1.1-18.el7.aa
redhat/httpd24-scldevel<1.1-18.el7.aa
1.1-18.el7.aa
redhat/httpd24<1.1-18.el6
1.1-18.el6
redhat/httpd24-httpd<2.4.27-8.el6
2.4.27-8.el6
redhat/httpd24<1.1-18.el6
1.1-18.el6
redhat/httpd24-httpd<2.4.27-8.el6
2.4.27-8.el6
redhat/httpd24-httpd-debuginfo<2.4.27-8.el6
2.4.27-8.el6
redhat/httpd24-httpd-devel<2.4.27-8.el6
2.4.27-8.el6
redhat/httpd24-httpd-manual<2.4.27-8.el6
2.4.27-8.el6
redhat/httpd24-httpd-tools<2.4.27-8.el6
2.4.27-8.el6
redhat/httpd24-runtime<1.1-18.el6
1.1-18.el6
redhat/httpd24-scldevel<1.1-18.el6
1.1-18.el6

Remediation

Event History

Oct 24, 2017
Advisory Published
via Red Hat·12:00 AM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of RHSA-2017:3018?

The severity of RHSA-2017:3018 is classified as important.

2

How do I fix RHSA-2017:3018?

To fix RHSA-2017:3018, update the affected packages to the specified versions as recommended in the advisory.

3

What packages are affected by RHSA-2017:3018?

Affected packages include httpd24, httpd24-httpd, httpd24-curl, and others as detailed in the advisory.

4

Is RHSA-2017:3018 applicable to all Red Hat versions?

RHSA-2017:3018 specifically pertains to Red Hat Enterprise Linux versions 6 and 7.

5

What potential risks are associated with RHSA-2017:3018?

Ignoring RHSA-2017:3018 may expose the system to security vulnerabilities that could be exploited by attackers.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203