(RHSA-2020:2644) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3 security update

This release adds the new Apache HTTP Server 2.4.37 Service Pack 3 packages that are part of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 2 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.

Security fix(es):

• httpd: mod_http2: read-after-free on a string compare (CVE-2019-0196)
• httpd: mod_http2: possible crash on late upgrade (CVE-2019-0197)
• httpd: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)
• nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)
• libxml2: There’s a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c that could result in a crash (CVE-2019-19956)
• libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c (CVE-2019-20388)
• libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations (CVE-2020-7595)
• expat: large number of colons in input makes parser consume high amount of resources, leading to DoS (CVE-2018-20843)
• expat: heap-based buffer over-read via crafted XML input (CVE-2019-15903)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.