[RHSA-2016:2957-01] Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release

bugzilla at redhat.com
Thu Dec 15 22:15:12 UTC 2016



=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release
Advisory ID:       RHSA-2016:2957-01
Product:           Red Hat JBoss Core Services
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2957.html
Issue date:        2016-12-15
CVE Names:         CVE-2012-1148 CVE-2014-3523 CVE-2014-8176 
                   CVE-2015-0209 CVE-2015-0286 CVE-2015-3185 
                   CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 
                   CVE-2015-3216 CVE-2016-0702 CVE-2016-0705 
                   CVE-2016-0797 CVE-2016-0799 CVE-2016-1762 
                   CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 
                   CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 
                   CVE-2016-1839 CVE-2016-1840 CVE-2016-2105 
                   CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 
                   CVE-2016-2109 CVE-2016-2177 CVE-2016-2178 
                   CVE-2016-2842 CVE-2016-3627 CVE-2016-3705 
                   CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 
                   CVE-2016-4459 CVE-2016-4483 CVE-2016-5419 
                   CVE-2016-5420 CVE-2016-6808 CVE-2016-7141 
                   CVE-2016-8612 
=====================================================================

1. Summary:

Red Hat JBoss Core Services httpd 2.4.23 is now available from the Red Hat
Customer Portal for Solaris and Microsoft Windows systems.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat JBoss Core Services httpd 2.4.23 serves as a
replacement for JBoss Core Services Apache HTTP Server 2.4.6.

Security Fix(es):

* This update fixes several flaws in OpenSSL. (CVE-2014-8176,
CVE-2015-0209, CVE-2015-0286, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196,
CVE-2015-3216, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799,
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109,
CVE-2016-2177, CVE-2016-2178, CVE-2016-2842)

* This update fixes several flaws in libxml2. (CVE-2016-1762,
CVE-2016-1833, CVE-2016-1834, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837,
CVE-2016-1838, CVE-2016-1839, CVE-2016-1840, CVE-2016-3627, CVE-2016-3705,
CVE-2016-4447, CVE-2016-4448, CVE-2016-4449, CVE-2016-4483)

* This update fixes three flaws in curl. (CVE-2016-5419, CVE-2016-5420,
CVE-2016-7141)

* This update fixes two flaws in httpd. (CVE-2014-3523, CVE-2015-3185)

* This update fixes two flaws in mod_cluster. (CVE-2016-4459,
CVE-2016-8612)

* A buffer overflow flaw when concatenating virtual host names and URIs was
fixed in mod_jk. (CVE-2016-6808)

* A memory leak flaw was fixed in expat. (CVE-2012-1148)

Red Hat would like to thank the OpenSSL project for reporting
CVE-2014-8176, CVE-2015-0286, CVE-2016-2108, CVE-2016-2105, CVE-2016-2106,
CVE-2016-2107, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799,
and CVE-2016-2842. The CVE-2016-4459 issue was discovered by Robert Bost
(Red Hat). Upstream acknowledges Stephen Henson (OpenSSL development team)
as the original reporter of CVE-2015-0286; Huzaifa Sidhpurwala (Red Hat),
Hanno Böck, and David Benjamin (Google) as the original reporters of
CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2105,
CVE-2016-2106, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842; Juraj
Somorovsky as the original reporter of CVE-2016-2107; Yuval Yarom
(University of Adelaide and NICTA), Daniel Genkin (Technion and Tel Aviv
University), and Nadia Heninger (University of Pennsylvania) as the
original reporters of CVE-2016-0702; and Adam Langley (Google/BoringSSL) as
the original reporter of CVE-2016-0705.

See the corresponding CVE pages linked to in the References section for
more information about each of the flaws listed in this advisory.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing Red Hat JBoss Web Server installation (including all applications
and configuration files).

After installing the updated packages, the httpd daemon will be restarted
automatically.

4. Bugs fixed (https://bugzilla.redhat.com/):

801648 - CVE-2012-1148 expat: Memory leak in poolGrow
1121519 - CVE-2014-3523 httpd: WinNT MPM denial of service
1196737 - CVE-2015-0209 openssl: use-after-free on invalid EC private key import
1202366 - CVE-2015-0286 openssl: invalid pointer use in ASN1_TYPE_cmp()
1227574 - CVE-2015-3216 openssl: Crash in ssleay_rand_bytes due to locking regression
1228611 - CVE-2014-8176 OpenSSL: Invalid free in DTLS
1243888 - CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4
1288320 - CVE-2015-3194 OpenSSL: Certificate verify crash with missing PSS parameter
1288322 - CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak
1288326 - CVE-2015-3196 OpenSSL: Race condition handling PSK identity hint
1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code
1310599 - CVE-2016-0702 OpenSSL: Side channel attack on modular exponentiation
1311880 - CVE-2016-0797 OpenSSL: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
1312219 - CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
1314757 - CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds
1319829 - CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode
1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331426 - CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1332443 - CVE-2016-3705 libxml2: stack overflow before detecting invalid XML file
1332820 - CVE-2016-4483 libxml2: out-of-bounds read
1338682 - CVE-2016-1833 libxml2: Heap-based buffer overread in htmlCurrentChar
1338686 - CVE-2016-4447 libxml2: Heap-based buffer underreads due to xmlParseName
1338691 - CVE-2016-1835 libxml2: Heap use-after-free in xmlSAX2AttributeNs
1338696 - CVE-2016-1837 libxml2: Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemLiteral
1338700 - CVE-2016-4448 libxml2: Format string vulnerability
1338701 - CVE-2016-4449 libxml2: Inappropriate fetch of entities content
1338702 - CVE-2016-1836 libxml2: Heap use-after-free in xmlDictComputeFastKey
1338703 - CVE-2016-1839 libxml2: Heap-based buffer overread in xmlDictAddString
1338705 - CVE-2016-1838 libxml2: Heap-based buffer overread in xmlParserPrintFileContextInternal
1338706 - CVE-2016-1840 libxml2: Heap-buffer-overflow in xmlFAParserPosCharGroup
1338708 - CVE-2016-1834 libxml2: Heap-buffer-overflow in xmlStrncat
1338711 - CVE-2016-1762 libxml2: Heap-based buffer-overread in xmlNextChar
1341583 - CVE-2016-4459 mod_cluster: Buffer overflow in mod_manager when sending request with long JVMRoute
1341705 - CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
1343400 - CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation
1362183 - CVE-2016-5419 curl: TLS session resumption client cert bypass
1362190 - CVE-2016-5420 curl: Re-using connection with wrong client cert
1373229 - CVE-2016-7141 curl: Incorrect reuse of client certificates
1382352 - CVE-2016-6808 mod_jk: Buffer overflow when concatenating virtual host name and URI
1387605 - CVE-2016-8612 JBCS mod_cluster: Protocol parsing logic error

5. JIRA issues fixed (https://issues.jboss.org/):

JBCS-50 - CVE-2012-1148 CVE-2012-0876 expat: various flaws [jbews-3.0.0]
JBCS-95 - CVE-2014-3523 httpd: WinNT MPM denial of service

6. References:

https://access.redhat.com/security/cve/CVE-2012-1148
https://access.redhat.com/security/cve/CVE-2014-3523
https://access.redhat.com/security/cve/CVE-2014-8176
https://access.redhat.com/security/cve/CVE-2015-0209
https://access.redhat.com/security/cve/CVE-2015-0286
https://access.redhat.com/security/cve/CVE-2015-3185
https://access.redhat.com/security/cve/CVE-2015-3194
https://access.redhat.com/security/cve/CVE-2015-3195
https://access.redhat.com/security/cve/CVE-2015-3196
https://access.redhat.com/security/cve/CVE-2015-3216
https://access.redhat.com/security/cve/CVE-2016-0702
https://access.redhat.com/security/cve/CVE-2016-0705
https://access.redhat.com/security/cve/CVE-2016-0797
https://access.redhat.com/security/cve/CVE-2016-0799
https://access.redhat.com/security/cve/CVE-2016-1762
https://access.redhat.com/security/cve/CVE-2016-1833
https://access.redhat.com/security/cve/CVE-2016-1834
https://access.redhat.com/security/cve/CVE-2016-1835
https://access.redhat.com/security/cve/CVE-2016-1836
https://access.redhat.com/security/cve/CVE-2016-1837
https://access.redhat.com/security/cve/CVE-2016-1838
https://access.redhat.com/security/cve/CVE-2016-1839
https://access.redhat.com/security/cve/CVE-2016-1840
https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-2107
https://access.redhat.com/security/cve/CVE-2016-2108
https://access.redhat.com/security/cve/CVE-2016-2109
https://access.redhat.com/security/cve/CVE-2016-2177
https://access.redhat.com/security/cve/CVE-2016-2178
https://access.redhat.com/security/cve/CVE-2016-2842
https://access.redhat.com/security/cve/CVE-2016-3627
https://access.redhat.com/security/cve/CVE-2016-3705
https://access.redhat.com/security/cve/CVE-2016-4447
https://access.redhat.com/security/cve/CVE-2016-4448
https://access.redhat.com/security/cve/CVE-2016-4449
https://access.redhat.com/security/cve/CVE-2016-4459
https://access.redhat.com/security/cve/CVE-2016-4483
https://access.redhat.com/security/cve/CVE-2016-5419
https://access.redhat.com/security/cve/CVE-2016-5420
https://access.redhat.com/security/cve/CVE-2016-6808
https://access.redhat.com/security/cve/CVE-2016-7141
https://access.redhat.com/security/cve/CVE-2016-8612
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=distributions&version=2.4.23
https://access.redhat.com/documentation/en/red-hat-jboss-core-services-apache-http-server/version-2.4.23/apache-http-server-2423-release-notes/

7. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
