Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1463197 - (CVE-2017-3169) CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170620,repor...
: Security
Depends On: 1463208 1464874 1464875 1465916 1473691 1473692 1473693 1473696 1473697 1510060 1510061 1510062
Blocks: 1463212 1464082 1524240
  Show dependency treegraph
 
Reported: 2017-06-20 07:20 EDT by Andrej Nemec
Modified: 2018-10-19 17:41 EDT (History)
48 users (show)

See Also:
Fixed In Version: httpd 2.2.34, httpd 2.4.26
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2478 normal SHIPPED_LIVE Important: httpd security update 2017-08-15 18:11:45 EDT
Red Hat Product Errata RHSA-2017:2479 normal SHIPPED_LIVE Important: httpd security update 2017-08-15 18:23:44 EDT
Red Hat Product Errata RHSA-2017:2483 normal SHIPPED_LIVE Important: httpd24-httpd security update 2017-08-16 23:04:17 EDT
Red Hat Product Errata RHSA-2017:3193 normal SHIPPED_LIVE Important: httpd security update 2017-11-13 17:35:40 EST
Red Hat Product Errata RHSA-2017:3194 normal SHIPPED_LIVE Important: httpd security update 2017-11-13 17:36:28 EST
Red Hat Product Errata RHSA-2017:3195 normal SHIPPED_LIVE Important: httpd security update 2017-11-13 17:35:58 EST
Red Hat Product Errata RHSA-2017:3475 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 security update 2017-12-15 22:23:06 EST
Red Hat Product Errata RHSA-2017:3476 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 security update 2017-12-15 22:34:21 EST
Red Hat Product Errata RHSA-2017:3477 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 security update 2017-12-15 22:34:40 EST

  None (edit)
Description Andrej Nemec 2017-06-20 07:20:23 EDT 
It was found in httpd that mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.
 
References:

https://lists.apache.org/thread.html/84bf7fcc5cad35d355f11839cbdd13cbc5ffc1d34675090bff0f96ae@%3Cdev.httpd.apache.org%3E

External References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/security/vulnerabilities_22.html
Comment 1 Andrej Nemec 2017-06-20 07:37:24 EDT 
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1463208]
Comment 12 errata-xmlrpc 2017-08-15 14:13:40 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:2478 https://access.redhat.com/errata/RHSA-2017:2478
Comment 13 errata-xmlrpc 2017-08-15 14:26:02 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2479 https://access.redhat.com/errata/RHSA-2017:2479
Comment 14 errata-xmlrpc 2017-08-16 19:06:35 EDT 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2483 https://access.redhat.com/errata/RHSA-2017:2483
Comment 17 errata-xmlrpc 2017-11-13 12:36:51 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:3193 https://access.redhat.com/errata/RHSA-2017:3193
Comment 18 errata-xmlrpc 2017-11-13 12:39:02 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:3195 https://access.redhat.com/errata/RHSA-2017:3195
Comment 19 errata-xmlrpc 2017-11-13 12:40:48 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:3194 https://access.redhat.com/errata/RHSA-2017:3194
Comment 20 errata-xmlrpc 2017-12-15 17:23:43 EST 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2017:3475 https://access.redhat.com/errata/RHSA-2017:3475
Comment 21 errata-xmlrpc 2017-12-15 17:35:25 EST 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:3476 https://access.redhat.com/errata/RHSA-2017:3476
Comment 22 errata-xmlrpc 2017-12-15 17:37:01 EST 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:3477 https://access.redhat.com/errata/RHSA-2017:3477
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.