OVAL

RHSA-2018:3558-01 -- Redhat httpd24-curl, httpd24-httpd, httpd24-nghttp2

ID: oval:org.secpod.oval:def:505099
Date: (C) 2021-01-29 (M) 2024-01-29
Class: PATCH
Family: unix




The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module. The following packages have been upgraded to a later upstream version: httpd24-httpd, httpd24-curl.

Security Fix:
* httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications
* httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause DoS
* httpd: mod_http2: Too much time allocated to workers, possibly leading to DoS
* httpd: DoS for HTTP/2 connections by continuous SETTINGS frames
* httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values
* httpd: FilesMatch bypass with a trailing newline in the file name
* httpd: Out of bounds access after failure in reading the HTTP request
* httpd: Weak Digest auth nonce generation in mod_auth_digest
* curl: Multiple security issues were fixed in httpd24-curl

For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References section.

Red Hat would like to thank the Curl project for reporting CVE-2017-8816, CVE-2017-8817, CVE-2017-1000254, CVE-2017-1000257, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000122, CVE-2018-1000301, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2018-14618, and CVE-2018-1000121. Upstream acknowledges Alex Nichols as the original reporter of CVE-2017-8816; the OSS-Fuzz project as the original reporter of CVE-2017-8817 and CVE-2018-1000301; Max Dymond as the original reporter of CVE-2017-1000254 and CVE-2018-1000122; Brian Carpenter and the OSS-Fuzz project as the original reporters of CVE-2017-1000257; Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Even Rouault as the original reporter of CVE-2017-1000100; Brian Carpenter as the original reporter of CVE-2017-1000101; Zhaoyang Wu as the original reporter of CVE-2018-14618; and Dario Weisser as the original reporter of CVE-2018-1000121.

Bug Fix:
* Previously, the Apache HTTP Server from the httpd24 Software Collection was unable to handle situations when static content was repeatedly requested in a browser by refreshing the page. As a consequence, HTTP/2 connections timed out and httpd became unresponsive. This bug has been fixed, and HTTP/2 connections now work as expected in the described scenario.

Enhancement:
* This update adds the mod_md module to the httpd24 Software Collection. This module enables managing domains across virtual hosts and certificate provisioning using the Automatic Certificate Management Environment protocol. The mod_md module is available only for Red Hat Enterprise Linux 7.

Additional Changes: For detailed information on changes in this release, see the Red Hat Software Collections 3.2 Release Notes linked from the References section.
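The "FilesMatch bypass with a trailing newline in the file name" item is worth seeing concretely, because the root cause is ordinary regex semantics rather than anything specific to httpd: in PCRE and in Python's re module a plain `$` also matches just before a final newline, so `<FilesMatch "\.php$">` selects the PHP handler for a file named `shell.php\n`, while an upload filter that only checks "ends with .php" lets that same name through. The script below is an added example written for this page, not code from httpd or from Red Hat; the file names and the two modelled checks (an "ends with" upload filter and a FilesMatch-style handler match) are constructed for the demonstration. The hardened pattern anchors with `\Z`, which matches only at the true end of the string, the behaviour upstream httpd adopted for `$` when it fixed this issue.

```python
import re

# Constructed file names for the demonstration (not taken from the advisory).
# The second one carries the trailing newline the advisory describes.
SAMPLE_NAMES = ["shell.php", "shell.php\n", "notes.php.txt", "image.png"]

# Pattern shape commonly used in <FilesMatch> to route files to a handler.
# In PCRE and in Python's re module a plain '$' also matches immediately
# before a final newline, so "shell.php\n" satisfies this pattern.
DOLLAR_PATTERN = re.compile(r"\.php$")

# Hardened form: '\Z' matches only at the absolute end of the string, so a
# name with a trailing newline no longer matches.
ENDONLY_PATTERN = re.compile(r"\.php\Z")


def upload_filter_allows(name: str) -> bool:
    """Model (assumption, not any real product) of an external upload filter
    that blocks PHP with a plain 'ends with' check. "shell.php\\n" passes,
    because the string does not end in ".php"."""
    return not name.lower().endswith(".php")


def handler_matches(name: str, pattern: re.Pattern) -> bool:
    """Model of <FilesMatch> deciding whether a request path gets the PHP
    handler: a regex search over the file name."""
    return pattern.search(name) is not None


def find_bypasses(names, pattern):
    """Names the 'ends with' upload filter lets through but that the regex-based
    handler selection would still execute as PHP. Non-empty means the two
    checks disagree, which is the bypass."""
    return [n for n in names if upload_filter_allows(n) and handler_matches(n, pattern)]


def safe_upload_name(name: str) -> bool:
    """Defence on the upload side, independent of the server's regex: reject
    any control character (which covers the trailing-newline case)."""
    return not any(ord(c) < 0x20 or c == "\x7f" for c in name)


if __name__ == "__main__":
    print("bypasses with '$' :", find_bypasses(SAMPLE_NAMES, DOLLAR_PATTERN))
    print("bypasses with '\\Z':", find_bypasses(SAMPLE_NAMES, ENDONLY_PATTERN))
    for n in SAMPLE_NAMES:
        print(repr(n), "upload-safe:", safe_upload_name(n))
```

Running it lists `'shell.php\n'` as the only bypass under the `$` pattern and none under the `\Z` pattern. The practical takeaway for a patch advisory like this one is twofold: apply the updated httpd24-httpd package so `$` no longer matches before a trailing newline, and, on the application side, reject file names containing control characters at upload time rather than relying on the server's regex agreeing with your own extension check.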

Platform:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Product:
httpd24-curl
httpd24-httpd
httpd24-nghttp2
Reference:
RHSA-2018:3558-01
CVE-2016-5419
CVE-2016-5420
CVE-2016-5421
CVE-2016-7141
CVE-2016-7167
CVE-2016-8615
CVE-2016-8616
CVE-2016-8617
CVE-2016-8618
CVE-2016-8619
CVE-2016-8620
CVE-2016-8621
CVE-2016-8622
CVE-2016-8623
CVE-2016-8624
CVE-2016-8625
CVE-2016-9586
CVE-2017-7407
CVE-2017-8816
CVE-2017-8817
CVE-2017-15710
CVE-2017-15715
CVE-2017-1000100
CVE-2017-1000101
CVE-2017-1000254
CVE-2017-1000257
CVE-2018-1283
CVE-2018-1301
CVE-2018-1303
CVE-2018-1312
CVE-2018-11763
CVE-2018-14618
CVE-2018-1000007
CVE-2018-1000120
CVE-2018-1000121
CVE-2018-1000122
CVE-2018-1000301
CPE:
cpe:/a:apache:httpd24-nghttp2
cpe:/o:redhat:enterprise_linux:7.0
cpe:/a:apache:httpd24-httpd
cpe:/o:redhat:enterprise_linux:7
...

© SecPod Technologies