Security Advisory Moderate: httpd security and bug fix update

Advisory: RHSA-2017:0906-1
Type: Security Advisory
Severity: Moderate
Issued on: 2017-04-12
Last updated on: 2017-04-12
Affected Products: Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux HPC Node (v. 7)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Server TUS (v. 7.3)
Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2016-0736
CVE-2016-2161
CVE-2016-8743

Details

An update for httpd is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and
extensible web server.

Security Fix(es):

* It was discovered that the mod_session_crypto module of httpd did not use any
mechanism to verify the integrity of the encrypted session data stored in the
user's browser. A remote attacker could use this flaw to decrypt and modify
session data using a padding oracle attack. (CVE-2016-0736)

* It was discovered that the mod_auth_digest module of httpd did not properly
check for memory allocation failures. A remote attacker could use this flaw to
cause httpd child processes to repeatedly crash if the server used HTTP digest
authentication. (CVE-2016-2161)

* It was discovered that the HTTP parser in httpd incorrectly allowed certain
characters not permitted by the HTTP protocol specification to appear unencoded
in HTTP request headers. If httpd was used in conjunction with a proxy or
backend server that interpreted those characters differently, a remote attacker
could possibly use this flaw to inject data into HTTP responses, resulting in
proxy cache poisoning. (CVE-2016-8743)
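The integrity gap behind CVE-2016-0736, as an added illustration that is not mod_session_crypto's own code: an unauthenticated CBC-encrypted cookie beside an encrypt-then-MAC version that verifies the tag before decrypting or unpadding anything. The block cipher is an assumed XOR stand-in so the block runs on the Python standard library alone; the key names and the session string are constructed.

```python
import hashlib, hmac, os
BLOCK, TAG_LEN = 16, 32

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the signal a padding oracle feeds on
    return data[:-n]

def _toy_block(key, block):
    # Assumed, insecure stand-in for a block cipher: XOR with a key-derived block.
    return bytes(a ^ b for a, b in zip(block, hashlib.sha256(key).digest()[:BLOCK]))

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _toy_block(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(_toy_block(key, cur), prev))
        prev = cur
    return out

def seal_unauthenticated(enc_key, session):
    iv = os.urandom(BLOCK)  # pre-fix shape: IV || ciphertext, nothing covers integrity
    return iv + cbc_encrypt(enc_key, iv, pkcs7_pad(session))

def open_unauthenticated(enc_key, cookie):
    # Decrypts whatever arrives; a modified cookie yields altered data or a padding error,
    # and that distinguishable outcome is the oracle.
    return pkcs7_unpad(cbc_decrypt(enc_key, cookie[:BLOCK], cookie[BLOCK:]))

def seal_authenticated(enc_key, mac_key, session):
    body = seal_unauthenticated(enc_key, session)  # encrypt-then-MAC over IV || ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_authenticated(enc_key, mac_key, cookie):
    body, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None  # reject before any decryption or unpadding: one uniform failure
    return open_unauthenticated(enc_key, body)
```

Modifying a byte of the unauthenticated cookie either changes the decrypted session data or raises a padding error, and that difference is what the flaw exposes; the authenticated opener returns the same None for any modification.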

Note: The fix for the CVE-2016-8743 issue causes httpd to return a "400 Bad
Request" error to HTTP clients that do not strictly follow the HTTP protocol
specification. A newly introduced configuration directive, "HttpProtocolOptions
Unsafe", can be used to re-enable the old, less strict parsing. However, such a
setting also re-introduces the CVE-2016-8743 issue.
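To see which request heads the stricter parsing described above turns away, here is an added check (not httpd's parser) that applies the RFC 7230 rules for field-names, field-values and line endings to a raw request and reports each line a strict parser would answer with 400. The regexes are written from the RFC and the sample requests are constructed for this illustration.

```python
import re

# RFC 7230 rules the strict parser enforces (regexes written here from the RFC,
# not taken from httpd's own parser):
#   field-name  = token   (tchar only; no whitespace between the name and ":")
#   field-value = *( VCHAR / SP / HTAB / obs-text )   (no other control characters)
#   each line ends in CRLF; obsolete line folding (leading SP/HTAB) is not accepted
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
FIELD_VALUE = re.compile(rb"^[\t\x20-\x7e\x80-\xff]*$")

def strict_header_errors(raw_request):
    """Return [(header_line_no, reason)] for every header line a strict parser
    would answer with 400 Bad Request; an empty list means the head is clean."""
    head, terminator, _body = raw_request.partition(b"\r\n\r\n")
    if not terminator:
        return [(0, "header block is not terminated by an empty CRLF line")]
    errors = []
    for n, line in enumerate(head.split(b"\r\n")[1:], 1):  # [0] is the request line
        if b"\r" in line or b"\n" in line:
            errors.append((n, "bare CR or LF inside a header line"))
        elif line[:1] in (b" ", b"\t"):
            errors.append((n, "obsolete line folding"))
        else:
            name, colon, value = line.partition(b":")
            if not colon:
                errors.append((n, "no colon separating name and value"))
            elif not TOKEN.match(name):
                errors.append((n, "field-name is not a token (whitespace or CTL before ':')"))
            elif not FIELD_VALUE.match(value.strip(b" \t")):
                errors.append((n, "control character in field-value"))
    return errors

# Constructed sample requests (not captured traffic).
CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Trace-Id: abc123\r\n\r\n"
SPACE_BEFORE_COLON = b"GET / HTTP/1.1\r\nHost : example.test\r\n\r\n"
BARE_LF = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Note: one\nX-Other: two\r\n\r\n"
CTL_IN_VALUE = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Note: a\x7fb\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("space before colon", SPACE_BEFORE_COLON),
                       ("bare LF", BARE_LF), ("CTL in value", CTL_IN_VALUE)]:
        print(label, "->", strict_header_errors(req) or "accepted")
```

If a legitimate client fails this check, fixing the client is the remedy; the HttpProtocolOptions Unsafe directive restores the lenient behaviour and, as the note says, the CVE-2016-8743 exposure with it.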

Bug Fix(es):

* When waking up child processes during a graceful restart, the httpd parent
process could attempt to open more connections than necessary if a large number
of child processes had been active prior to the restart. Consequently, a
graceful restart could take a long time to complete. With this update, httpd has
been fixed to limit the number of connections opened during a graceful restart
to the number of active children, and the described problem no longer occurs.
(BZ#1420002)

* Previously, httpd running in a container returned the 500 HTTP status code
(Internal Server Error) when a connection to a WebSocket server was closed. As a
consequence, the httpd server failed to deliver the correct HTTP status and data
to a client. With this update, httpd correctly handles all proxied requests to
the WebSocket server, and the described problem no longer occurs. (BZ#1429947)

* In a configuration using LDAP authentication with the mod_authnz_ldap module,
the name set using the AuthLDAPBindDN directive was not correctly used to bind
to the LDAP server for all queries. Consequently, authorization attempts failed.
The LDAP modules have been fixed to ensure the configured name is correctly
bound for LDAP queries, and authorization using LDAP no longer fails.
(BZ#1420047)


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted
automatically.

Updated packages


Bugs fixed (see bugzilla for more information)

1406744 - CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto
1406753 - CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest
1406822 - CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects
1420002 - Backport fix for issue with graceful restart taking very long time sometimes
1420047 - AuthLDAPBindDN might not be used for some LDAP searches causing LDAP authz failures
1429947 - Backport: mod_proxy_wstunnel - AH02447: err/hup on backconn

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/