RHSA-2023:3292: Red Hat Security Advisory: httpd24-httpd security update

An update for httpd24-httpd is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-25690: A vulnerability was found in httpd. This security issue occurs when some mod_proxy configurations on Apache HTTP Server allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
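The precondition in the CVE description (mod_proxy enabled, plus a RewriteRule or ProxyPassMatch whose non-specific pattern captures part of the request-target and re-inserts it into the proxied target) can be audited mechanically. The Python script below is an added example written for this page, not Red Hat or Apache code: it scans an httpd configuration for proxying RewriteRule directives and for ProxyPassMatch directives whose regex contains a catch-all capture such as `(.*)` or `(.+)` that the target URL references with `$N`. The configuration fragment and the hostnames inside it are constructed; the `[P]`/`[proxy]` flag spellings and the `proxy:` target prefix are mod_rewrite conventions not stated on this page.

```python
"""Audit an httpd configuration for the CVE-2023-25690 precondition.

Added example for this advisory page (not Red Hat or Apache code). It reports
RewriteRule directives that proxy ([P]/[proxy] flag or a proxy: target) and
ProxyPassMatch directives whose regex captures a non-specific part of the
request-target, such as (.*) or (.+), and re-inserts it into the proxied
target with a $N reference. The sample configuration below is constructed.
"""
import re

# Matches a capture group that accepts arbitrary request-target data.
NON_SPECIFIC_GROUP = re.compile(r"\((?:\?:)?\.[*+]\??\)")
# Matches a $1..$9 back-reference in the substitution / target URL.
BACKREF = re.compile(r"\$[1-9]")
# Tokenizer: double-quoted argument or bare word (enough for these directives).
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

SAMPLE_CONF = """\
# constructed sample (not from the advisory)
RewriteEngine on
RewriteRule "^/here/(.*)" "http://backend.example:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://backend.example:8080/
RewriteRule "^/static/(.*)$" "/var/www/static/$1" [L]
ProxyPassMatch "^/api/(.*)$" "http://api.example:9000/$1"
ProxyPassMatch "^/img/([0-9]+)\\.png$" "http://img.example/$1.png"
RewriteRule "^/user/([a-z0-9_-]{1,32})$" "http://users.example/profile?name=$1" [P,L]
"""


def _tokens(line):
    """Split a directive line into arguments, dropping surrounding double quotes."""
    return [quoted if quoted else bare for quoted, bare in TOKEN.findall(line)]


def _is_proxied_rewrite(target, flag_token):
    """True if a RewriteRule sends its substitution through mod_proxy."""
    flags = flag_token.strip("[]").split(",") if flag_token else []
    if any(f.strip().upper() in ("P", "PROXY") for f in flags):
        return True
    return target.lower().startswith("proxy:")


def find_risky_proxy_rules(config_text):
    """Return (line_no, directive, pattern, target) for each directive that proxies
    a non-specific capture of the request-target back into the proxied URL."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = _tokens(line)
        if len(toks) < 3:
            continue
        directive = toks[0].lower()
        pattern, target = toks[1], toks[2]
        if directive == "rewriterule":
            if not _is_proxied_rewrite(target, toks[3] if len(toks) > 3 else ""):
                continue
        elif directive != "proxypassmatch":
            continue
        if NON_SPECIFIC_GROUP.search(pattern) and BACKREF.search(target):
            findings.append((line_no, toks[0], pattern, target))
    return findings


if __name__ == "__main__":
    for line_no, directive, pattern, target in find_risky_proxy_rules(SAMPLE_CONF):
        print(f"line {line_no}: {directive} {pattern!r} -> {target!r}")
```

A finding does not prove exploitability; it marks the hosts where the update in this advisory should be applied first and where the rewrite pattern deserves review. The constrained rules in the sample (a digit-only capture and a bounded character class) are left unflagged by the heuristic because they are specific in the advisory's sense; the remediation the advisory gives is the package update, not a configuration change.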
Red Hat Security Data


Issued: 2023-05-24

Updated: 2023-05-24

RHSA-2023:3292 - Security Advisory


Synopsis

Important: httpd24-httpd security update

Type/Severity

Security Advisory: Important


Topic

An update for httpd24-httpd is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

  • httpd: HTTP request splitting with mod_rewrite and mod_proxy (CVE-2023-25690)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.
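One way to confirm the remediation on a host is to compare the installed build against the fixed build named in this advisory. The Python script below is an added example, not Red Hat tooling: it reimplements rpm's version-segment ordering so the comparison also runs off-host against an exported inventory, and takes the output of `rpm -q httpd24-httpd` as its input. `FIXED_NVR` is taken from the package list on this page; the installed strings in the demo are constructed.

```python
"""Check whether an installed httpd24-httpd build is at or above the fixed build.

Added example for this advisory page, not Red Hat tooling. It reimplements
rpm's version-segment comparison in Python so the check runs without rpm
installed; feed it the output of `rpm -q httpd24-httpd` from the host.
The fixed NVR is the one listed in this advisory; the installed strings in
the demo are constructed.
"""
import re

FIXED_NVR = "httpd24-httpd-2.4.34-23.el7.6"   # from this advisory (RHEL 7 SCL build)

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
_SEPARATORS = re.compile(r"^[^A-Za-z0-9~]+")
_ARCH_SUFFIX = re.compile(r"\.(x86_64|s390x|ppc64le|noarch|i686|aarch64)$")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does.

    Returns -1, 0 or 1. Segments are runs of digits or letters; numeric
    segments compare numerically and outrank alphabetic ones; '~' marks a
    pre-release that sorts before the same string without it.
    """
    if a == b:
        return 0
    while True:
        a, b = _SEPARATORS.sub("", a), _SEPARATORS.sub("", b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        seg_a, seg_b = _SEGMENT.match(a), _SEGMENT.match(b)
        sa, sb = seg_a.group(0), seg_b.group(0)
        if sa.isdigit() != sb.isdigit():
            return 1 if sa.isdigit() else -1   # numeric beats alphabetic
        if sa.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        a, b = a[seg_a.end():], b[seg_b.end():]
    if not a and not b:
        return 0
    return 1 if a else -1   # whichever side has characters left is newer


def split_nvr(nvr):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    nvr = _ARCH_SUFFIX.sub("", nvr.strip())
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_patched(installed, fixed=FIXED_NVR):
    """True if `installed` (rpm -q output) is the fixed build or a later one."""
    name, ver, rel = split_nvr(installed)
    fixed_name, fixed_ver, fixed_rel = split_nvr(fixed)
    if name != fixed_name:
        raise ValueError(f"package name mismatch: {name!r} vs {fixed_name!r}")
    result = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
    return result >= 0


if __name__ == "__main__":
    # constructed `rpm -q httpd24-httpd` outputs for the demo
    for nvr in ("httpd24-httpd-2.4.34-23.el7.6.x86_64",
                "httpd24-httpd-2.4.34-18.el7.x86_64"):
        print(nvr, "patched" if is_patched(nvr) else "NOT at fixed build")
```

The release comparison is where naive string or float comparison goes wrong: `23.el7.10` is newer than `23.el7.6`, and `23.el7.5` is older, which the segment-wise numeric comparison gets right. A result of "patched" only says the package version is at or above the fixed build; the advisory's own text adds that httpd is restarted automatically after the update, so no separate restart check is needed for this package.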

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

Fixes

  • BZ - 2176209 - CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM

httpd24-httpd-2.4.34-23.el7.6.src.rpm

SHA-256: 6c693486166afd2db98a192e15e066815497852d1a1b829cd88b1db8941b90a4

x86_64

httpd24-httpd-2.4.34-23.el7.6.x86_64.rpm

SHA-256: d04aed76b461e887b3383efdc6da8c3bdbeaa80630f0ea18ed764f30eef6bc2a

httpd24-httpd-debuginfo-2.4.34-23.el7.6.x86_64.rpm

SHA-256: ec90257163dadc4f479da1e0710aa0a98995ca62ab5b3095f5cf3725f7859062

httpd24-httpd-devel-2.4.34-23.el7.6.x86_64.rpm

SHA-256: b1f6668b598c6e23029b32af0aa6733e9733c595197b38746d9a886e991c32a2

httpd24-httpd-manual-2.4.34-23.el7.6.noarch.rpm

SHA-256: f07cfeeacc8ff85ec3ba3edd2dfe6343a14c8673a9c55478d1f8e8614265e94e

httpd24-httpd-tools-2.4.34-23.el7.6.x86_64.rpm

SHA-256: 88dbd221517a3d13bdb69c69ffc93b91269c016f84d100a3e7c0a2dfcd645198

httpd24-mod_ldap-2.4.34-23.el7.6.x86_64.rpm

SHA-256: 3398b4ae96858861959a3945c8650085d07f72bcc0d6b6e34b82fe80ee3a1c0b

httpd24-mod_proxy_html-2.4.34-23.el7.6.x86_64.rpm

SHA-256: 01fbf418a595dd95647104e56ddd8c5f350d1a84837ebc8b8f8419699c9cad31

httpd24-mod_session-2.4.34-23.el7.6.x86_64.rpm

SHA-256: ca9b057e7163ee7c72eeacbee2bfad97a32c7fc35c222b34918d950b14a16f2b

httpd24-mod_ssl-2.4.34-23.el7.6.x86_64.rpm

SHA-256: 56f8f497a9778a1eb3b655b2e7972308caa130e29bda39d0989286a2bfe767fe

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7

SRPM

httpd24-httpd-2.4.34-23.el7.6.src.rpm

SHA-256: 6c693486166afd2db98a192e15e066815497852d1a1b829cd88b1db8941b90a4

s390x

httpd24-httpd-2.4.34-23.el7.6.s390x.rpm

SHA-256: 9dffd34d442ad0ff6cf2e836799577234dc98c39191a02f408cda3dcd50fae28

httpd24-httpd-debuginfo-2.4.34-23.el7.6.s390x.rpm

SHA-256: 58327c6145d7cdf919f46999698622ea0811bd55f64a694cbb5a5261ff383c17

httpd24-httpd-devel-2.4.34-23.el7.6.s390x.rpm

SHA-256: 0fe34f39839a9ed495ebdb35f4dbf809eec2b0e0a8ec4e04480cc179124a4a46

httpd24-httpd-manual-2.4.34-23.el7.6.noarch.rpm

SHA-256: f07cfeeacc8ff85ec3ba3edd2dfe6343a14c8673a9c55478d1f8e8614265e94e

httpd24-httpd-tools-2.4.34-23.el7.6.s390x.rpm

SHA-256: 243d5a3192ec0930071cc5efdbacd6d8a620569929f648d70ae41065d4ab6ce1

httpd24-mod_ldap-2.4.34-23.el7.6.s390x.rpm

SHA-256: d41184c0523ea57d84dc264d537112fc21a8cde2cfe2cdc5b7f30c1472b0e9a8

httpd24-mod_proxy_html-2.4.34-23.el7.6.s390x.rpm

SHA-256: 1301f81515b1793541953fd01ff497568f0facc397fd6bca3932c93b921f2e5b

httpd24-mod_session-2.4.34-23.el7.6.s390x.rpm

SHA-256: 07ce721d8d85273caf6e184f8dd8fa11afdd4387e76468aae8202dfa739a2d41

httpd24-mod_ssl-2.4.34-23.el7.6.s390x.rpm

SHA-256: 5847325758c6870f276cffc210036b036ae0996e39f2e1647409c3d1bf1f40f9

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7

SRPM

httpd24-httpd-2.4.34-23.el7.6.src.rpm

SHA-256: 6c693486166afd2db98a192e15e066815497852d1a1b829cd88b1db8941b90a4

ppc64le

httpd24-httpd-2.4.34-23.el7.6.ppc64le.rpm

SHA-256: 1b735cde4107fe3c2d4db1c71a86923a028e82ea5c53e495043a7c86ea6b643a

httpd24-httpd-debuginfo-2.4.34-23.el7.6.ppc64le.rpm

SHA-256: b9a5f473a2a33694f138bf4510cfa4886cc4a2e0ad23b4e658207858ba494542

httpd24-httpd-devel-2.4.34-23.el7.6.ppc64le.rpm

SHA-256: 2075003e101b9a8e4d6e6a76c2fc70e247360e9892ae494ed89f1aaf628e7b7e

httpd24-httpd-manual-2.4.34-23.el7.6.noarch.rpm

SHA-256: f07cfeeacc8ff85ec3ba3edd2dfe6343a14c8673a9c55478d1f8e8614265e94e

httpd24-httpd-tools-2.4.34-23.el7.6.ppc64le.rpm

SHA-256: c5cb9142fd9d069e3f73a2d310ac3f02f9590ebd27c7edbb7c72ddaf1264eb3b

httpd24-mod_ldap-2.4.34-23.el7.6.ppc64le.rpm

SHA-256: 8b54506960a6373e1367300a0e2bcdb719a3659c6bf9e9f43eeaca636d2a6ce4

httpd24-mod_proxy_html-2.4.34-23.el7.6.ppc64le.rpm

SHA-256: ace48e9cb1a0b567f2f346b6b30ee8fa1eedab5f5cc7f64a0f997a826c4e7583

httpd24-mod_session-2.4.34-23.el7.6.ppc64le.rpm

SHA-256: 6e4b0bd0267c6ce4eb31aa123cdf7cea31ccc083772d240849e4283c2fcc5400

httpd24-mod_ssl-2.4.34-23.el7.6.ppc64le.rpm

SHA-256: c38d99d9a4557d4b4d71f5f218c2b7f8a1786399f72f2663a00f56ae604951f9

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM

httpd24-httpd-2.4.34-23.el7.6.src.rpm

SHA-256: 6c693486166afd2db98a192e15e066815497852d1a1b829cd88b1db8941b90a4

x86_64

httpd24-httpd-2.4.34-23.el7.6.x86_64.rpm

SHA-256: d04aed76b461e887b3383efdc6da8c3bdbeaa80630f0ea18ed764f30eef6bc2a

httpd24-httpd-debuginfo-2.4.34-23.el7.6.x86_64.rpm

SHA-256: ec90257163dadc4f479da1e0710aa0a98995ca62ab5b3095f5cf3725f7859062

httpd24-httpd-devel-2.4.34-23.el7.6.x86_64.rpm

SHA-256: b1f6668b598c6e23029b32af0aa6733e9733c595197b38746d9a886e991c32a2

httpd24-httpd-manual-2.4.34-23.el7.6.noarch.rpm

SHA-256: f07cfeeacc8ff85ec3ba3edd2dfe6343a14c8673a9c55478d1f8e8614265e94e

httpd24-httpd-tools-2.4.34-23.el7.6.x86_64.rpm

SHA-256: 88dbd221517a3d13bdb69c69ffc93b91269c016f84d100a3e7c0a2dfcd645198

httpd24-mod_ldap-2.4.34-23.el7.6.x86_64.rpm

SHA-256: 3398b4ae96858861959a3945c8650085d07f72bcc0d6b6e34b82fe80ee3a1c0b

httpd24-mod_proxy_html-2.4.34-23.el7.6.x86_64.rpm

SHA-256: 01fbf418a595dd95647104e56ddd8c5f350d1a84837ebc8b8f8419699c9cad31

httpd24-mod_session-2.4.34-23.el7.6.x86_64.rpm

SHA-256: ca9b057e7163ee7c72eeacbee2bfad97a32c7fc35c222b34918d950b14a16f2b

httpd24-mod_ssl-2.4.34-23.el7.6.x86_64.rpm

SHA-256: 56f8f497a9778a1eb3b655b2e7972308caa130e29bda39d0989286a2bfe767fe

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
