Apache HTTP Server, prior to release 2.4.25, accepted a broad range of unusual whitespace patterns from the user-agent, including bare CR, FF and VTAB when parsing the request line and request header lines, as well as HTAB when parsing the request line. Any bare CR present in the request line was treated as whitespace and remained in the request field member "the_request"; a bare CR in a request header field name was honored as whitespace, and a bare CR in a request header field value was retained in the input headers array. Implied additional whitespace was accepted in the request line and prior to the ':' delimiter of any request header line. These defects are a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or through conventional CGI mechanisms. Wherever one agent accepts such CTL characters and does not treat them as whitespace, a proxy chain can generate two responses from a server behind the incautious proxy agent. In a sequence of two requests, this results in request A to the first proxy being interpreted as requests A + A' by the backend server; if requests A and B were submitted to the first proxy on a keepalive connection, the proxy may interpret response A' as the response to request B, polluting the cache or potentially serving the A' content to a different downstream user-agent. Affects versions since 2.2.0 up to 2.4.23. External Reference: https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25
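The parsing disagreement described above can be made concrete with a small checker. This is an added example, not code from httpd or from the Red Hat fix: `lenient_request_line` approximates the pre-2.4.25 tokenizer that treated CR, FF, VT and HTAB as whitespace, and `strict_check` applies the RFC 7230 rules that 2.4.25 enforces, reporting the bare CTL characters, HTAB separators and whitespace-before-':' field names that a strict front-end should reject before forwarding. The sample request heads are constructed for the example.

```python
import re

# Constructed sample request heads (not taken from the advisory).
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # bare CR in the request line: pre-2.4.25 httpd treated it as whitespace
    "bare_cr_request_line": b"GET /index.html\rHTTP/1.1\r\nHost: example.test\r\n\r\n",
    # HTAB as request-line separator
    "htab_request_line": b"GET\t/index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # bare CR inside a field name, and whitespace before the ':' delimiter
    "cr_in_field_name": b"GET / HTTP/1.1\r\nHo\rst: example.test\r\n\r\n",
    "space_before_colon": b"GET / HTTP/1.1\r\nHost : example.test\r\n\r\n",
    "vt_in_field_value": b"GET / HTTP/1.1\r\nHost: exam\x0bple.test\r\n\r\n",
}

CTL_WHITESPACE = {0x0D: "CR", 0x0C: "FF", 0x0B: "VT"}
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 tchar


def lenient_request_line(line):
    """Approximates the pre-2.4.25 tokenizer: CR, FF, VT and HTAB all count
    as whitespace, so an oddly delimited request line still yields 3 parts."""
    return [p for p in re.split(rb"[ \t\r\x0b\x0c]+", line) if p]


def strict_check(raw):
    """Return the strictness violations for one request head: CRLF line
    endings, a request line of exactly three SP-separated fields, token
    field names followed immediately by ':', no bare CR/FF/VT anywhere."""
    lines = raw.split(b"\r\n")
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return ["empty request head"]
    problems = []
    for n, line in enumerate(lines):
        for byte, name in CTL_WHITESPACE.items():
            if byte in line:  # any CR left after the CRLF split is a bare CR
                problems.append(f"line {n}: bare {name} (0x{byte:02x})")
    request_line = lines[0]
    fields = request_line.split(b" ")
    if len(fields) != 3 or not all(fields):
        problems.append("line 0: request line is not 3 SP-separated fields")
    if b"\t" in request_line:
        problems.append("line 0: HTAB used as request-line separator")
    for n, line in enumerate(lines[1:], start=1):
        name, sep, _ = line.partition(b":")
        if not sep:
            problems.append(f"line {n}: header line has no ':' delimiter")
        elif not TOKEN.match(name):
            problems.append(f"line {n}: field name {name!r} is not a token")
    return problems
```

Running `strict_check` over each entry in `SAMPLES` shows that only the clean head passes, while `lenient_request_line` still splits the bare-CR request line into three fields, which is exactly the disagreement that lets a back-end see a second request.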
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1406823]
I realize that backporting the upstream fix is non-trivial, but is there any kind of status update that you can provide regarding a potential errata release date? The status is still marked as "NEW", which implies that it's not even being worked on... Thanks in advance.
Dear Brian, please check bugs for RHEL-7, RHEL-7 Z-stream and RHEL-6. They are all in modified state. I've finished backporting and QE should now take care of it. This is just tracking bug. Thanks for understanding.
I am unable to access any of the related bugs for this to see what is going on. Can someone working this issue post a status update here? Thanks
Hi Dan, what exactly would you like to learn? If you seek support, use the Customer Portal, please. If you are coming from the community, you could find all pertinent information here [1] and a small clarification here [2].

Cheers
-K-

[1] https://httpd.apache.org/security/vulnerabilities_24.html
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=60783
(In reply to Michal Karm Babacek from comment #12)
> Hi Dan, what exactly would you like to learn?
>
> If you seek support, use the Customer Portal, please.
>
> If you are coming from the community, you could find all pertinent
> information here [1]
> and a small clarification here [2].
>
> Cheers
> -K-
>
> [1] https://httpd.apache.org/security/vulnerabilities_24.html
> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=60783

I would like to learn if and when RedHat will release an updated httpd package to address this CVE for RHEL6 and 7.
There's a comment from a month ago that says the backporting is already completed. How long should it take to get from there to a package released to customers? See comment 7:

Luboš Uhliarik 2017-01-31 08:40:58 EST: Dear Brian, please check bugs for RHEL-7, RHEL-7 Z-stream and RHEL-6. They are all in modified state. I've finished backporting and QE should now take care of it. This is just tracking bug.

This is a high-scoring security problem on everyone's PCI scanners -- it's scoring 4.4, so your customers have to address it within 30 days of detection, and neither of your current RHEL platforms has a fix yet. This is a pretty bad situation to leave customers in.
I had found several weeks ago in one of the related bugs (that I can no longer access) that the patched package Lubos mentioned had caused issues with yum and/or satellite server, so there is probably still work going on to fix this, but no status update here is bad.
Hello Dan, Trever, Tracking bugs for the specific products, i.e. RHEL-6 and RHEL-7 in this case, are almost always kept private. As you've already found out, there were some problems with the patch which caused the delay, but we're working on fixing this issue. If you have some questions, please email secalert. Thank you!
Hello, Adam: This bug has many customer cases connected. Is there an ETA we can share with our clients? Thank you!
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:0906 https://access.redhat.com/errata/RHSA-2017:0906
(In reply to errata-xmlrpc from comment #18)
> This issue has been addressed in the following products:
>
> Red Hat Enterprise Linux 7
>
> Via RHSA-2017:0906 https://access.redhat.com/errata/RHSA-2017:0906

Is it still going to be addressed in RHEL 6?
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:1161 https://access.redhat.com/errata/RHSA-2017:1161
(In reply to errata-xmlrpc from comment #20)
> This issue has been addressed in the following products:
>
> Red Hat Software Collections for Red Hat Enterprise Linux 6
> Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
> Red Hat Software Collections for Red Hat Enterprise Linux 7
> Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
>
> Via RHSA-2017:1161 https://access.redhat.com/errata/RHSA-2017:1161

Does that mean that it won't also be addressed in the main (non-SCL) channel for RHEL6?
This httpd fix uncovered a bug in the yum-rhn-plugin, which prevents yum from being able to install updates from Red Hat Satellite 5, Red Hat Satellite Proxy 5, or Red Hat Network if httpd fix is applied on the server side. The following knowledge base article provides further information about this problem and provides instructions on how to avoid it. https://access.redhat.com/articles/3013361
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2017:1415 https://access.redhat.com/errata/RHSA-2017:1415
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 Via RHSA-2017:1414 https://access.redhat.com/errata/RHSA-2017:1414
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 Via RHSA-2017:1413 https://access.redhat.com/errata/RHSA-2017:1413
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:1721 https://access.redhat.com/errata/RHSA-2017:1721