-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: httpd:2.4 security and bug fix update
Advisory ID:       RHSA-2019:3436-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3436
Issue date:        2019-11-05
CVE Names:         CVE-2019-0217 CVE-2019-0220 
====================================================================
1. Summary:

An update for the httpd:2.4 module is now available for Red Hat Enterprise
Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.

Security Fix(es):

* httpd: mod_auth_digest: access control bypass due to race condition
(CVE-2019-0217)

* httpd: URL normalization inconsistency (CVE-2019-0220)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1669221 - `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang
1673022 - httpd can not be started with mod_md enabled
1695020 - CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condition
1695036 - CVE-2019-0220 httpd: URL normalization inconsistency
1724549 - httpd response contains garbage in Content-Type header
1730721 - absolute path used for default state and runtime dir by default

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.src.rpm
mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.src.rpm

aarch64:
httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm

noarch:
httpd-filesystem-2.4.37-16.module+el8.1.0+4134+e6bad0ed.noarch.rpm
httpd-manual-2.4.37-16.module+el8.1.0+4134+e6bad0ed.noarch.rpm

ppc64le:
httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm

s390x:
httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm

x86_64:
httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-0217
https://access.redhat.com/security/cve/CVE-2019-0220
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----Version: GnuPG v1

iQIVAwUBXcHqAdzjgjWX9erEAQgpEA//avVkgMnuW9zYpnQoZzYKhFCUBa0oIfVm
5mfOqRVFoIbc6V3o5tjFPFMiRsENrBgJh5TDwfDYQC3K7bAAACkJbDWX7f/ICkeL
N7sBoFyjjlGSzlZIc7mRwXfgBABGVWuhzheUjNo79tbSl9/Pc1c48CkBLp8y6oWh
/0NkPSoBBNbFRXTfH+n08g23pRt3bCOKYD2eyKy9YDkt44B4xquaZ10BlGgUecSF
VbCPxqDbBf5/YTLUs7oQxxAVpDNXjLDU/vCyoyPs1t+xZfO4A1FUVkjWWzgvsRsi
nsp+hev4krSSsXgyY4RCXPlyzg8ZS26z1vjYoFE76Lwgx1hWPw8uGwMuytgiSD+4
0j1Rm2eZU5RpVk2qWFlmWqgUzh7gUuo2DX/LDx7t8tAirJqhyA1sJcTF716yAWvm
r+oUHLJWDHUZlu3HxRHVnI7j4cbrt9NcpTQ1Ff5k8s9/Co6TIi4mmjgKO2HuZzpa
DlL7P2khZsC+ZevQPql9NT5hZsPqIPzFp7vFGLRTMbZwQHpSLu/oOJK4K+VtQ6T2
adsBcKk9Sj37l7FSv1+cvzNNDko+RyRzgpqqhUDJE1m4uLjzLMrmH5mC+AzoC8ha
oiVasqJTmjxbfPq/t0ylKzKEPK3UhNHmXFgbVIbeSqUCab9GjkHDL0Bg5Jr55Ia3
X1dPeeL6YJ4=TB9K
-----END PGP SIGNATURE-------RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2019-3436:01 Moderate: httpd:2.4 security and bug fix update

An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate

Summary

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
* httpd: mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)
* httpd: URL normalization inconsistency (CVE-2019-0220)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

Summary

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.

References

https://access.redhat.com/security/cve/CVE-2019-0217 https://access.redhat.com/security/cve/CVE-2019-0220 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.src.rpm mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.src.rpm
aarch64: httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.aarch64.rpm
noarch: httpd-filesystem-2.4.37-16.module+el8.1.0+4134+e6bad0ed.noarch.rpm httpd-manual-2.4.37-16.module+el8.1.0+4134+e6bad0ed.noarch.rpm
ppc64le: httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.ppc64le.rpm
s390x: httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.s390x.rpm
x86_64: httpd-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm httpd-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm httpd-debugsource-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm httpd-devel-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm httpd-tools-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm httpd-tools-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_http2-1.11.3-3.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_http2-debuginfo-1.11.3-3.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_http2-debugsource-1.11.3-3.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_ldap-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_ldap-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_md-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_md-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_proxy_html-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_proxy_html-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_session-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_session-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_ssl-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm mod_ssl-debuginfo-2.4.37-16.module+el8.1.0+4134+e6bad0ed.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity

Advisory ID: RHSA-2019:3436-01

Product: Red Hat Enterprise Linux

Advisory URL: https://access.redhat.com/errata/RHSA-2019:3436

Issued Date: : 2019-11-05

CVE Names: CVE-2019-0217 CVE-2019-0220

Topic

An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.