httpd24-nghttp2-1.7.1-7.AXS4, httpd24-curl-7.61.1-1.AXS4, httpd24-httpd-2.4.34-7.AXS4

Errata ID: AXSA:2019-3745:01

Release date: Tuesday, March 26, 2019 - 08:32
Subject: httpd24-nghttp2-1.7.1-7.AXS4, httpd24-curl-7.61.1-1.AXS4, httpd24-httpd-2.4.34-7.AXS4
Affected Channels: Asianux Server 4 for x86_64
Severity: Moderate
Description:

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.

The following packages have been upgraded to a later upstream version: httpd24-httpd (2.4.34), httpd24-curl (7.61.1). (BZ#1590833, BZ#1648928)

Security Fix(es):

* httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications (CVE-2018-1283)

* httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause DoS (CVE-2018-1303)

* httpd: mod_http2: Too much time allocated to workers, possibly leading to DoS (CVE-2018-1333)

* httpd: DoS for HTTP/2 connections by continuous SETTINGS frames (CVE-2018-11763)

* httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)

* httpd: bypass with a trailing newline in the file name (CVE-2017-15715)

* httpd: Out of bounds access after failure in reading the HTTP request (CVE-2018-1301)

* httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)

* curl: Multiple security issues were fixed in httpd24-curl (CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254, CVE-2017-1000257, CVE-2017-7407, CVE-2017-8816, CVE-2017-8817, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122, CVE-2018-1000301, CVE-2018-14618)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Asianux would like to thank the Curl project for reporting CVE-2017-8816, CVE-2017-8817, CVE-2017-1000254, CVE-2017-1000257, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000122, CVE-2018-1000301, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2018-14618, and CVE-2018-1000121. Upstream acknowledges Alex Nichols as the original reporter of CVE-2017-8816; the OSS-Fuzz project as the original reporter of CVE-2017-8817 and CVE-2018-1000301; Max Dymond as the original reporter of CVE-2017-1000254 and CVE-2018-1000122; Brian Carpenter and the OSS-Fuzz project as the original reporters of CVE-2017-1000257; Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Even Rouault as the original reporter of CVE-2017-1000100; Brian Carpenter as the original reporter of CVE-2017-1000101; Zhaoyang Wu as the original reporter of CVE-2018-14618; and Dario Weisser as the original reporter of CVE-2018-1000121.

Bug Fix(es):

* Previously, the Apache HTTP Server from the httpd24 Software Collection was unable to handle situations when static content was repeatedly requested in a browser by refreshing the page. As a consequence, HTTP/2 connections timed out and httpd became unresponsive. This bug has been fixed, and HTTP/2 connections now work as expected in the described scenario. (BZ#1518737)

Enhancement(s):

* This update adds the mod_md module to the httpd24 Software Collection. This module enables managing domains across virtual hosts and certificate provisioning using the Automatic Certificate Management Environment (ACME) protocol. The mod_md module is available only for Asianux Server 7. (BZ#1640722)

CVE-2016-5419
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
CVE-2016-5420
curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
CVE-2016-5421
Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.
CVE-2016-7141
curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
CVE-2016-7167
Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
CVE-2016-8615
A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.
CVE-2016-8616
A flaw was found in curl before version 7.51.0. When re-using a connection, curl was doing case-insensitive comparisons of the user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if they know the case-insensitive version of the correct password.
CVE-2016-8617
The base64 encode function in curl before version 7.51.0 is prone to a buffer being under-allocated on 32-bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.
CVE-2016-8618
The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32-bit `size_t` variables.
CVE-2016-8619
The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.
CVE-2016-8620
The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input.
CVE-2016-8621
The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out-of-bounds read if it receives an input that is one digit short.
CVE-2016-8622
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function were made to allocate an unescape destination buffer larger than 2GB, it would return that new length in a signed 32-bit integer variable, so the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap-based buffer.
CVE-2016-8623
A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.
CVE-2016-8624
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you, for example, use a URL parser that follows the RFC to check for allowed domains before using curl to request them.
CVE-2016-8625
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
CVE-2016-9586
curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there is any application that accepts a format string from the outside without the necessary input filtering, it could allow remote attacks.
CVE-2017-7407
The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.
CVE-2017-8816
The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
CVE-2017-8817
The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.
CVE-2017-15710
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.
CVE-2017-15715
In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
CVE-2017-1000100
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This overly large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The sendto() function will then read beyond the end of the heap-based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it into sending private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.
CVE-2017-1000101
curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`.
CVE-2017-1000254
libcurl may read outside of a heap-allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients from working with it: the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this issue has remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero-terminates the string but also rejects it if not terminated properly with a final double quote.
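The parsing rule described for CVE-2017-1000254, shown as an added example that is not curl's own code: a small parser for the RFC 959 `257` PWD reply that always NUL-terminates the copied name and rejects a reply whose closing double quote is missing, which is the behaviour the entry says libcurl 7.56.0 adopted. The function names, the `pwd_path` helper and the sample reply lines are constructed for this demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parse the directory name out of an FTP PWD reply of the form
 *     257 "/home/alice" is the current directory
 * RFC 959 puts the path in double quotes and writes an embedded quote as "".
 * On success the name is copied into `out`, always NUL-terminated, and true is
 * returned. A reply with no opening quote, no closing quote, or a name that
 * does not fit is rejected with false; `out` is then left unspecified. */
bool parse_pwd_reply(const char *line, char *out, size_t outlen)
{
    const char *p;
    size_t n = 0;

    if (outlen == 0)
        return false;
    p = strchr(line, '"');           /* opening quote */
    if (p == NULL)
        return false;
    p++;
    for (;;) {
        char c = *p;
        if (c == '\0')
            return false;            /* ran off the end: no closing quote */
        if (c == '"') {
            if (p[1] != '"')
                break;               /* closing quote */
            p += 2;                  /* "" inside the name is a literal quote */
        } else {
            p++;
        }
        if (n + 1 >= outlen)
            return false;            /* no room for this byte plus the NUL */
        out[n++] = c;
    }
    out[n] = '\0';
    return true;
}

/* Hypothetical convenience wrapper: returns the parsed path in a static
 * buffer, or NULL when the reply is rejected. */
const char *pwd_path(const char *line)
{
    static char path[256];
    return parse_pwd_reply(line, path, sizeof path) ? path : NULL;
}

int main(void)
{
    /* Constructed sample replies: a normal one, one with escaped quotes,
     * and the malformed shape from the advisory (no closing quote). */
    const char *samples[] = {
        "257 \"/home/alice\" is the current directory",
        "257 \"/dir with \"\"quotes\"\"\" is the current directory",
        "257 \"/home/alice is the current directory",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *path = pwd_path(samples[i]);
        printf("%-58s -> %s\n", samples[i], path ? path : "REJECTED");
    }
    return 0;
}
```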
CVE-2017-1000257
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
CVE-2018-1283
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.
CVE-2018-1301
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.
CVE-2018-1303
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.
CVE-2018-1312
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
CVE-2018-1333
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-2.4.30, 2.4.33).
CVE-2018-11763
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming into effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
CVE-2018-14618
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large a temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32-bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)
CVE-2018-1000007
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in the URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client's request.
CVE-2018-1000120
A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.
CVE-2018-1000121
A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service.
CVE-2018-1000122
A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP RTP handling code that allows an attacker to cause a denial of service or information leakage.
CVE-2018-1000301
curl 7.20.0 to and including curl 7.59.0 contains a CWE-126 (Buffer Over-read) vulnerability that can result in denial of service: curl can be tricked into reading data beyond the end of a heap-based buffer used to store downloaded RTSP content. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.

Solution:

Update packages.

Additional Info:

N/A

Download:

SRPMS
  1. httpd24-curl-7.61.1-1.AXS4.src.rpm
    MD5: 8302273c560cea4f4e40847832d5fedf
    SHA-256: f2032c7777c34ad3866b36a64c59cefa4e103a19d27034c5901c8db6a7ac7668
    Size: 3.82 MB
  2. httpd24-httpd-2.4.34-7.AXS4.src.rpm
    MD5: 0f0bb6452f1e2fee50b9704499844845
    SHA-256: 76fe05a5b8789a02278e5397dc2c1e410195b36af130fe624691c4a66a66c9e9
    Size: 6.70 MB
  3. httpd24-nghttp2-1.7.1-7.AXS4.src.rpm
    MD5: 784b317a921a049a9445989be3a98452
    SHA-256: c5c2628158034b05febbdeb5026038809a3da04ddfa9359dff7eb3f0e69279d3
    Size: 1.35 MB

Asianux Server 4 for x86_64
  1. httpd24-curl-7.61.1-1.AXS4.x86_64.rpm
    MD5: 1761f6a94d36c55904db86808827c258
    SHA-256: 0a7aa7ad9e45dcb9911ceff87e60e85954224c10d9dfb8fded2938137702f2bd
    Size: 326.42 kB
  2. httpd24-libcurl-7.61.1-1.AXS4.x86_64.rpm
    MD5: 1f52229ab1411abd591a1b67bfb821ac
    SHA-256: c90d34a772538cae2b75009a93da1751fdf7a4103f092e6a55858e80cc71b81a
    Size: 255.61 kB
  3. httpd24-libcurl-devel-7.61.1-1.AXS4.x86_64.rpm
    MD5: bc157b5f3a74ecf2b3f713f3620df127
    SHA-256: 7f1342a10918210f50d1f1f49fc9d0fb726192b1483411fc93e716f37a8579a1
    Size: 808.36 kB
  4. httpd24-httpd-2.4.34-7.AXS4.x86_64.rpm
    MD5: 9bc9a3d21d46ef6f1d42afc34fad39b4
    SHA-256: 5212298c99981f6c66ccb2628e461060cd8ecc04be1e67b6e6391657f264f638
    Size: 1.28 MB
  5. httpd24-httpd-devel-2.4.34-7.AXS4.x86_64.rpm
    MD5: a42cd394847ca52abbf206cfa08f2877
    SHA-256: 875fd9591567ca3843c7de33b22c07854c6565f5723873af01bcb90a8f5043a9
    Size: 206.69 kB
  6. httpd24-httpd-manual-2.4.34-7.AXS4.noarch.rpm
    MD5: 581c2d2f85584a3f10603692a88fb4d4
    SHA-256: a6b0ce9c531873aa33587da01e4278b5859d54ac4b6507ee510a4a88e5fdf6c7
    Size: 2.40 MB
  7. httpd24-httpd-tools-2.4.34-7.AXS4.x86_64.rpm
    MD5: 38d023f0f4085b610ed3cd39bbd001c1
    SHA-256: 9deab59d234760022a34939da1b3b2fe8222ec3e30251080204b6c9f4414734b
    Size: 82.03 kB
  8. httpd24-mod_ldap-2.4.34-7.AXS4.x86_64.rpm
    MD5: a6b03082e5aaebe6d6e9910a936955bf
    SHA-256: 8a3f083ee01b575f20648fe237ef79986d398eaa79e5fd21e5595e9e1ef834eb
    Size: 65.15 kB
  9. httpd24-mod_proxy_html-2.4.34-7.AXS4.x86_64.rpm
    MD5: dbbf6e5082fd39f3e77784e51a4569ed
    SHA-256: eab0d9d34523385c122957dba7decbca3658989f2ad998a229045a50650d3362
    Size: 43.84 kB
  10. httpd24-mod_session-2.4.34-7.AXS4.x86_64.rpm
    MD5: f746c1a7e0fefb8103a3be4847a9baca
    SHA-256: db1b221e371fa2f3a07e127347e59d3a182bcd51d467f1515d73c5abedb95a7a
    Size: 51.04 kB
  11. httpd24-mod_ssl-2.4.34-7.AXS4.x86_64.rpm
    MD5: bfd801b0d80a7dd37823abf35a2f6da7
    SHA-256: 807df5b02d4039ed4bafad8f40a2439d72e0ff8852142a2ed78899cbfac575bc
    Size: 107.38 kB
  12. httpd24-libnghttp2-1.7.1-7.AXS4.x86_64.rpm
    MD5: 4694ace7134c2b953eb3b22ad36426fe
    SHA-256: 66d97b5ec7fd7a75fe27ea5807fc8a96958d792227468bdace1ddd1fc8cbfdcd
    Size: 56.12 kB
  13. httpd24-libnghttp2-devel-1.7.1-7.AXS4.x86_64.rpm
    MD5: ef81ac7c4f35f522f39090c1e475d26e
    SHA-256: c8bce4f166d1b6ba9c7735fa8795640ca6da0ade7a7eacee6656917d5da7ed90
    Size: 44.47 kB
  14. httpd24-nghttp2-1.7.1-7.AXS4.x86_64.rpm
    MD5: ebade3394621cc5ad30670827711b1e9
    SHA-256: 0d5988f14009d840637164ba88ea5dfa16e26cca2a0c6f5106721cab9f42207a
    Size: 3.39 kB