FEDORA-2018-22b25bab31

security update in Fedora 26 for httpd

Status: obsolete

This update includes the latest upstream release of the Apache HTTP Server, version 2.4.33. A number of security vulnerabilities are fixed in this release:

  • Low: Possible out of bound read in mod_cache_socache (CVE-2018-1303)
  • Low: Possible out of bound access after failure in reading the HTTP request (CVE-2018-1301)
  • Low: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
  • Low: <FilesMatch> bypass with a trailing newline in the file name (CVE-2017-15715)
  • Low: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
  • Moderate: Tampering of mod_session data for CGI applications (CVE-2018-1283)

For more information about changes in this release, see: https://www.apache.org/dist/httpd/CHANGES_2.4.33

Comments 13

This update has been submitted for testing by jorton.

jorton edited this update.

This update has been pushed to testing.

This will cause all existing deployments to fail to start: https://bugzilla.redhat.com/show_bug.cgi?id=1562413

karma: -1

adamwill edited this update.

New build(s):

  • httpd-2.4.33-2.fc26

Removed build(s):

  • httpd-2.4.33-1.fc26

Karma has been reset.

This update has been submitted for testing by adamwill.

thank you

karma: +1

This update has been pushed to testing.

works

karma: +1

Works

karma: +1

This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.

works for me in a VM

karma: +1

This update has been obsoleted by httpd-2.4.33-4.fc26.

Content Type: RPM
Status: obsolete
Test Gating:
Submitted by:
Update Type: security
Update Severity: medium
Karma: +4 (stable threshold: 3, unstable threshold: -3)
Autopush: Disabled
Dates: submitted a year ago, in testing a year ago, modified a year ago

Related Bugs 7

  • #1560174 httpd-2.4.33 is available
  • #1560396 CVE-2018-1283 httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications [fedora-all]
  • #1560400 CVE-2018-1303 httpd: http: Out of bounds read in mod_cache_socache can allow a remote attacker to cause a denial of service [fedora-all]
  • #1560616 CVE-2017-15710 httpd: Out of bound write in mod_authnz_ldap when using too small Accept-Language values [fedora-all]
  • #1560618 CVE-2017-15715 httpd: <FilesMatch> bypass with a trailing newline in the file name [fedora-all]
  • #1560635 CVE-2018-1312 httpd: Weak Digest auth nonce generation in mod_auth_digest [fedora-all]
  • #1560644 CVE-2018-1301 httpd: Out of bound access after failure in reading the HTTP request [fedora-all]

Test Cases

  • Test Case HTTPd