Headline
RHSA-2023:3292: Red Hat Security Advisory: httpd24-httpd security update
An update for httpd24-httpd is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-25690: A vulnerability was found in httpd. This security issue occurs when some mod_proxy configurations on Apache HTTP Server allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
Issued: 2023-05-24
Updated: 2023-05-24
RHSA-2023:3292 - Security Advisory
Synopsis
Important: httpd24-httpd security update
Type/Severity
Security Advisory: Important
Topic
An update for httpd24-httpd is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
- httpd: HTTP request splitting with mod_rewrite and mod_proxy (CVE-2023-25690)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
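The configuration shape described for CVE-2023-25690 (mod_proxy enabled, a RewriteRule or ProxyPassMatch whose broad pattern captures part of the request-target and substitutes it into the proxied target) can be audited for in a deployed httpd configuration. The script below is an added example, not part of this advisory or of Red Hat's or the httpd project's code; it is a heuristic that flags RewriteRule directives carrying the P (proxy) flag and ProxyPassMatch directives whose pattern contains an unbounded capture such as (.*) that a $N backreference re-inserts into the target, and treats the RewriteRule B flag (escape backreferences) and specific character-class patterns as tightened shapes. The sample configuration is constructed for the example.

```python
"""Heuristic audit for httpd proxy rewrite rules of the shape described in
CVE-2023-25690: a broad capture of the request-target substituted into a
proxied target via RewriteRule [P] or ProxyPassMatch."""
import re

# An unbounded capture group such as (.*), (.+) or (.*?) is the
# "non-specific pattern" the advisory describes.  Heuristic, not exhaustive.
BROAD_GROUP = re.compile(r"\(\.[*+]\??\)")
BACKREF = re.compile(r"\$[1-9]")
TOKEN = re.compile(r'"[^"]*"|\S+')   # double-quoted argument or bare word


def _tokens(line):
    """Split a directive line into arguments, dropping surrounding quotes."""
    return [t.strip('"') for t in TOKEN.findall(line)]


def _flags(token):
    """Return the flag names from a trailing RewriteRule [A,B=x,...] token."""
    m = re.fullmatch(r"\[(.*)\]", token)
    return {f.strip().split("=")[0] for f in m.group(1).split(",")} if m else set()


def audit_httpd_config(text):
    """Return (line_no, directive, reason) for each risky directive found."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = _tokens(line)
        if len(tok) < 3:
            continue
        directive, pattern, target = tok[0].lower(), tok[1], tok[2]
        if directive == "rewriterule":
            flags = _flags(tok[3]) if len(tok) > 3 else set()
            if not flags & {"P", "proxy"}:
                continue        # not handed to mod_proxy
            if "B" in flags:
                continue        # backreferences are escaped before substitution
        elif directive != "proxypassmatch":
            continue
        if BROAD_GROUP.search(pattern) and BACKREF.search(target):
            findings.append((n, tok[0], "broad capture of request-target re-inserted into proxied target"))
    return findings


# Constructed sample: lines 3 and 4 are the risky shape; lines 5 and 6 show a
# specific pattern and the B flag respectively.
SAMPLE = """
RewriteEngine on
RewriteRule "^/here/(.*)" "http://backend.example:8080/elsewhere?$1" [P]
ProxyPassMatch "^/api/(.*)$" "http://backend.example:8080/api/$1"
RewriteRule "^/item/([A-Za-z0-9_-]+)$" "http://backend.example:8080/item/$1" [P]
RewriteRule "^/search/(.*)" "http://backend.example:8080/q?$1" [P,B]
ProxyPassReverse /here/ http://backend.example:8080/
"""

if __name__ == "__main__":
    for n, d, why in audit_httpd_config(SAMPLE):
        print(f"line {n}: {d}: {why}")
```

A clean result from this check does not replace installing the updated packages; it only locates configurations that match the advisory's description.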
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
- Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Fixes
- BZ - 2176209 - CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
SRPM
httpd24-httpd-2.4.34-23.el7.6.src.rpm
x86_64
httpd24-httpd-2.4.34-23.el7.6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-23.el7.6.x86_64.rpm
httpd24-httpd-devel-2.4.34-23.el7.6.x86_64.rpm
httpd24-httpd-manual-2.4.34-23.el7.6.noarch.rpm
httpd24-httpd-tools-2.4.34-23.el7.6.x86_64.rpm
httpd24-mod_ldap-2.4.34-23.el7.6.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-23.el7.6.x86_64.rpm
httpd24-mod_session-2.4.34-23.el7.6.x86_64.rpm
httpd24-mod_ssl-2.4.34-23.el7.6.x86_64.rpm
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7
SRPM
httpd24-httpd-2.4.34-23.el7.6.src.rpm
s390x
httpd24-httpd-2.4.34-23.el7.6.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-23.el7.6.s390x.rpm
httpd24-httpd-devel-2.4.34-23.el7.6.s390x.rpm
httpd24-httpd-manual-2.4.34-23.el7.6.noarch.rpm
httpd24-httpd-tools-2.4.34-23.el7.6.s390x.rpm
httpd24-mod_ldap-2.4.34-23.el7.6.s390x.rpm
httpd24-mod_proxy_html-2.4.34-23.el7.6.s390x.rpm
httpd24-mod_session-2.4.34-23.el7.6.s390x.rpm
httpd24-mod_ssl-2.4.34-23.el7.6.s390x.rpm
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7
SRPM
httpd24-httpd-2.4.34-23.el7.6.src.rpm
ppc64le
httpd24-httpd-2.4.34-23.el7.6.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-23.el7.6.ppc64le.rpm
httpd24-httpd-devel-2.4.34-23.el7.6.ppc64le.rpm
httpd24-httpd-manual-2.4.34-23.el7.6.noarch.rpm
httpd24-httpd-tools-2.4.34-23.el7.6.ppc64le.rpm
httpd24-mod_ldap-2.4.34-23.el7.6.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-23.el7.6.ppc64le.rpm
httpd24-mod_session-2.4.34-23.el7.6.ppc64le.rpm
httpd24-mod_ssl-2.4.34-23.el7.6.ppc64le.rpm
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
SRPM
httpd24-httpd-2.4.34-23.el7.6.src.rpm
x86_64
httpd24-httpd-2.4.34-23.el7.6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-23.el7.6.x86_64.rpm
httpd24-httpd-devel-2.4.34-23.el7.6.x86_64.rpm
httpd24-httpd-manual-2.4.34-23.el7.6.noarch.rpm
httpd24-httpd-tools-2.4.34-23.el7.6.x86_64.rpm
httpd24-mod_ldap-2.4.34-23.el7.6.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-23.el7.6.x86_64.rpm
httpd24-mod_session-2.4.34-23.el7.6.x86_64.rpm
httpd24-mod_ssl-2.4.34-23.el7.6.x86_64.rpm
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.