RHSA-2021:2472: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 security update

This release adds the new Apache HTTP Server 2.4.37 Service Pack 8 packages that are part of the JBoss Core Services offering.<br>This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 7 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.<br>Security Fix(es):<br><li> curl: Use-after-free in TLS session handling when using OpenSSL TLS backend (CVE-2021-22901)</li> <li> httpd: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618)</li> <li> libcurl: partial password leak over DNS on HTTP redirect (CVE-2020-8169)</li> <li> curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284)</li> <li> curl: Malicious FTP server can trigger stack overflow when CURLOPTCHUNKBGNFUNCTION is used (CVE-2020-8285)</li> <li> curl: Inferior OCSP verification (CVE-2020-8286)</li> <li> curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876)</li> <li> curl: TLS 1.3 session ticket mix-up with HTTPS proxy host (CVE-2021-22890)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.