-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update
Advisory ID:       RHSA-2018:2187-01
Product:           Red Hat JBoss Core Services
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2187
Issue date:        2018-07-12
CVE Names:         CVE-2016-2182 CVE-2016-6302 CVE-2016-6306 
                   CVE-2016-7055 CVE-2017-3731 CVE-2017-3732 
                   CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 
====================================================================
1. Summary:

Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are now
available.

Red Hat Product Security has rated this release as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This release adds the new Apache HTTP Server 2.4.29 packages that are part
of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services
Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer
to the Release Notes for information on the most significant bug fixes,
enhancements and component upgrades included in this release.

This release upgrades OpenSSL to version 1.0.2.n

Security Fix(es):

*  openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
(CVE-2016-2182)

*  openssl: Insufficient TLS session ticket HMAC length checks
(CVE-2016-6302)

*  openssl: certificate message OOB reads (CVE-2016-6306)

*  openssl: Carry propagating bug in Montgomery multiplication
(CVE-2016-7055)

*  openssl: Truncated packet could crash via OOB read (CVE-2017-3731)

*  openssl: BN_mod_exp may produce incorrect results on x86_64
(CVE-2017-3732)

*  openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

*  openssl: Read/write after SSL object in error state (CVE-2017-3737)

*  openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306
and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360
Inc.) as the original reporter of CVE-2016-6306.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing Red Hat JBoss Web Server installation (including all applications
and configuration files).

After installing the updated packages, the httpd daemon will be restarted
automatically.

4. Bugs fixed (https://bugzilla.redhat.com/):

1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
1377594 - CVE-2016-6306 openssl: certificate message OOB reads
1393929 - CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication
1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read
1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64
1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64
1523504 - CVE-2017-3737 openssl: Read/write after SSL object in error state
1523510 - CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64

5. References:

https://access.redhat.com/security/cve/CVE-2016-2182
https://access.redhat.com/security/cve/CVE-2016-6302
https://access.redhat.com/security/cve/CVE-2016-6306
https://access.redhat.com/security/cve/CVE-2016-7055
https://access.redhat.com/security/cve/CVE-2017-3731
https://access.redhat.com/security/cve/CVE-2017-3732
https://access.redhat.com/security/cve/CVE-2017-3736
https://access.redhat.com/security/cve/CVE-2017-3737
https://access.redhat.com/security/cve/CVE-2017-3738
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.29/

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW0d8NNzjgjWX9erEAQj/dg/8DXzbGICsuO3NIx6T1zbPEi7K8V4mQuAa
rf2sHLJ/z4V3d1bTzEKMvXZHpbFD1BUMlmd7gi9nP0jS2Fv6sN9ka0KBctDWH7so
HxZEaASTPGjw6BPFryzEJ6wko1opAj5+rKbkbRhH+yl4PjfHkLsre8cW0ClUBGPk
2k7l0T5u0GLqz4Xc16XnMY7TBh81cCbQlVlblAaMQEapJwfFWPBmS8cPawgvg8sV
CHcTnXTc+GyQy+jch7mvzakDO5CBtZ2p1ztWMkOsCJjmY3Z4r38bYDfZ5Jst+Y/l
iEJqX7hnhTZjkiC+t/cOTId46ZFC2jEDQJptF9ObHML0MFWPD/m0RWoZ56lUobjN
JHjfSMkmzOI3QKQopDXQnabvQ6D37UNxBDvepRe2liQw5lmDUeQD1l8JEg8o+AbV
WEZTxs2c1UGFUDG5oUmRRauBktGsMTgWWk5f2++UJa52423EuberV4CuvyR2y+tM
Zk9tkF0PZ9oH/NMtWwdc2KbXStZCQEBxj4zbIZeqxghYAKfa8nCj/RPCyP2Gqab9
wPnsDLor+86DvAro90DqsvKyvO9WHA7al1Zes8T5fH7z+++vClfX6J1/bIumD+IZ
UWqwOej6rCSQf/fb59NubpURHlKacNDh5rdsUsAL8SpZtEpGrzg60cAyuWkTr3eA
t08WCwO5Mmw=l1qZ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2018-2187:01 Moderate: Red Hat JBoss Core Services Apache HTTP

Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are now available

Summary

This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering.
This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release.
This release upgrades OpenSSL to version 1.0.2.n
Security Fix(es):
* openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182)
* openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302)
* openssl: certificate message OOB reads (CVE-2016-6306)
* openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055)
* openssl: Truncated packet could crash via OOB read (CVE-2017-3731)
* openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
* openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* openssl: Read/write after SSL object in error state (CVE-2017-3737)
* openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306 and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6306.



Summary


Solution

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).
After installing the updated packages, the httpd daemon will be restarted automatically.

References

https://access.redhat.com/security/cve/CVE-2016-2182 https://access.redhat.com/security/cve/CVE-2016-6302 https://access.redhat.com/security/cve/CVE-2016-6306 https://access.redhat.com/security/cve/CVE-2016-7055 https://access.redhat.com/security/cve/CVE-2017-3731 https://access.redhat.com/security/cve/CVE-2017-3732 https://access.redhat.com/security/cve/CVE-2017-3736 https://access.redhat.com/security/cve/CVE-2017-3737 https://access.redhat.com/security/cve/CVE-2017-3738 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.29/

Package List


Severity
Advisory ID: RHSA-2018:2187-01
Product: Red Hat JBoss Core Services
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2187
Issued Date: : 2018-07-12
CVE Names: CVE-2016-2182 CVE-2016-6302 CVE-2016-6306 CVE-2016-7055 CVE-2017-3731 CVE-2017-3732 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738

Topic

Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are nowavailable.Red Hat Product Security has rated this release as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()

1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks

1377594 - CVE-2016-6306 openssl: certificate message OOB reads

1393929 - CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication

1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read

1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64

1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64

1523504 - CVE-2017-3737 openssl: Read/write after SSL object in error state

1523510 - CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64


Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved