httpd24-1.1-18.AXS4, httpd24-httpd-2.4.27-8.AXS4
Errata ID: AXSA:2017-2405:01
The Apache HTTP Server is a powerful, efficient, and extensible web server. The
httpd24 packages provide a recent stable release of version 2.4 of the Apache
HTTP Server, along with the mod_auth_kerb module.
The following packages have been upgraded to a later upstream version:
httpd24-httpd (2.4.27). (BZ#1461819)
Security Fix(es):
* A use-after-free flaw was found in the way httpd handled invalid and
previously unregistered HTTP methods specified in the Limit directive used in an
.htaccess file. A remote attacker could possibly use this flaw to disclose
portions of the server memory, or cause the httpd child process to crash.
(CVE-2017-9798)
Asianux would like to thank Hanno Böck for reporting this issue.
Bug Fix(es):
* The httpd package installation script tried to create both the "apache" user
and group in a single "useradd" command. Consequently, when the "apache" group
had already been created on the system, the command failed, and the "apache"
user was not created. To fix this bug, the "apache" group is now created by a
separate command, and the "apache" user is correctly created during httpd
installation even when the "apache" group exists. (BZ#1486843)
* When installing the httpd24 Software Collection using the "yum" command, if
the "apache" group already existed on the system with a GID other than 48, the
"apache" user was not created. This update fixes the bug. (BZ#1487164)
* With this update, it is possible to run the mod_rewrite external mapping
program as a non-root user. (BZ#1486832)
* On an Asianux Server 4 system, when the httpd service was stopped twice in a
row by running the "service httpd stop" command, a misleading message was
returned: "Stopping httpd: [FAILED]". This bug has been fixed. (BZ#1418395)
* When the "service httpd24-httpd graceful" command was used on Asianux Server
7 while the httpd24-httpd service was not running, the daemon was started
without being tracked by systemd. As a consequence, the daemon ran in an
incorrect SELinux domain. This bug has been fixed, and the httpd daemon runs in
the correct SELinux domain in the described scenario. (BZ#1440858)
Enhancement(s):
* With this update, the mod_ssl module supports the ALPN protocol on Asianux
Server 7.4 and later versions. (BZ#1327548)
For further details, see the Asianux Software Collections 3.0 Release Notes
linked from the References section.
CVE-2017-9798
Apache httpd allows remote attackers to read secret data from process
memory if the Limit directive can be set in a user's .htaccess file, or
if httpd.conf has certain misconfigurations, aka Optionsbleed. This
affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27.
The attacker sends an unauthenticated OPTIONS HTTP request when
attempting to read secret data. This is a use-after-free issue and thus
secret data is not always sent, and the specific data depends on many
factors including configuration. Exploitation with .htaccess can be
blocked with a patch to the ap_limit_section function in server/core.c.
Update packages.
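To locate configurations that match the condition described above while the update is rolled out, the following added example (not part of the Asianux advisory or of httpd itself) scans .htaccess text for Limit sections that name methods outside a known set. The `KNOWN_METHODS` baseline, the inclusion of `LimitExcept`, the name `audit_htaccess` and the sample input are assumptions of this example.

```python
import re

# Assumed baseline of method names httpd knows without extra modules;
# extend it for modules in your build that register additional methods.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK",
    "UNLOCK", "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN",
    "UPDATE", "LABEL", "REPORT", "MKWORKSPACE", "MKACTIVITY",
    "BASELINE-CONTROL", "MERGE",
}

# Opening tag of a <Limit ...> section; <LimitExcept ...> is matched too
# as a precaution (assumption of this example). Closing tags do not match.
LIMIT_TAG = re.compile(r"^\s*<(Limit(?:Except)?)\s+([^>]*)>", re.IGNORECASE)


def audit_htaccess(text, known=KNOWN_METHODS):
    """Return (line_no, directive, method) for each method not in `known`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = LIMIT_TAG.match(line)
        if not match:
            continue  # comments, closing tags and other directives
        directive, args = match.group(1), match.group(2)
        for method in args.split():
            # Method names are case-sensitive, so "get" is not "GET".
            if method not in known:
                findings.append((line_no, directive, method))
    return findings


# Constructed sample .htaccess content, not taken from a real site.
SAMPLE_HTACCESS = """\
# constructed example
<Limit GET POST>
    Require all granted
</Limit>
<Limit FOOBAR get>
    Require all denied
</Limit>
<LimitExcept GET POST abcxyz>
    Require valid-user
</LimitExcept>
"""

if __name__ == "__main__":
    for line_no, directive, method in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {line_no}: <{directive}> names unknown method {method!r}")
```

Run it over each .htaccess file under the document roots; any finding marks a file to correct or to prioritise for the package update.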
SRPMS
- httpd24-httpd-2.4.27-8.AXS4.src.rpm
MD5: 1087a1d6cac42d42ebb3208fe6502ea8
SHA-256: 3a60e8f376a11fa6b1c6fe41dd85182b1ff1571c7422c70064efcca5da177199
Size: 6.32 MB
- httpd24-1.1-18.AXS4.src.rpm
MD5: ff4a9a6cfa0a23e19ec7394a772f3aea
SHA-256: 53ed7fe31ac01d86d7143237f8b7553523d653356513154133864f7c3044545f
Size: 14.24 kB
Asianux Server 4 for x86_64
- httpd24-httpd-2.4.27-8.AXS4.x86_64.rpm
MD5: 4a16ba91c987704207203d646bd4459e
SHA-256: 29a93edd8aa3d3b3dc789b4c55ef066cdbc5423644cb5e465147af1b45c489ac
Size: 1.25 MB
- httpd24-httpd-devel-2.4.27-8.AXS4.x86_64.rpm
MD5: cb37a6f98a083e824902f720a6e875d9
SHA-256: 24721f0319994ab3f384e58b9bdd05880e86f74e798eb6ec176b33abda1197b8
Size: 204.80 kB
- httpd24-httpd-manual-2.4.27-8.AXS4.noarch.rpm
MD5: 32dbb2962e9d2e62ac7db9584ecc0989
SHA-256: 4a3096d2fc922b3d32a25ec653fabee72ee4573fe45f1fca00d73633826b0bd2
Size: 2.36 MB
- httpd24-httpd-tools-2.4.27-8.AXS4.x86_64.rpm
MD5: 6cb9b8c95efcb91659c71c57f5254669
SHA-256: 2949f4ca9ce6228b58322c01c072038b7e1b224284bea9a29a0837f97bdc837c
Size: 80.60 kB
- httpd24-mod_ldap-2.4.27-8.AXS4.x86_64.rpm
MD5: 434d81464dda7cb8c2ea816588f65025
SHA-256: 4adc523ac445b87586d2782b0dc80afda237e93175a885e6f4f809330c0f0455
Size: 64.05 kB
- httpd24-mod_proxy_html-2.4.27-8.AXS4.x86_64.rpm
MD5: 7bbf00e5c4a427245ba15893a11d49b7
SHA-256: 6bedb2886d5ad2582438ad43445f8ee307dd5bd078808db90f6b8efd283c445d
Size: 42.28 kB
- httpd24-mod_session-2.4.27-8.AXS4.x86_64.rpm
MD5: 38474322392018e30c86ca1d447aa8e8
SHA-256: 460bb19295c10d716ffb0c3d31330805019aa7a788e369a2defe19ccb52ff1d9
Size: 50.04 kB
- httpd24-mod_ssl-2.4.27-8.AXS4.x86_64.rpm
MD5: c67aba08ad510e96cd9fae15ce3eef12
SHA-256: 2a4a5060b3c6e49cd26a42c7fd3828fd9321330a5d453004f3586b17697333b6
Size: 105.54 kB
- httpd24-1.1-18.AXS4.x86_64.rpm
MD5: 0966b45dc1f51d022d162f5ec2cf918b
SHA-256: 12a880bc248d9dad957e9fa20ef707b45bdbf245f3aef3506925c84d37d5cbeb
Size: 3.73 kB
- httpd24-runtime-1.1-18.AXS4.x86_64.rpm
MD5: a2469d279c986aea3a7a9d09c82fdaf4
SHA-256: c31de6fc8c39fc798dc517e0b8bc5d1579689a52bfee7ba2ec0518187b059809
Size: 1.03 MB