httpd24-httpd-2.4.34-7.AXS4.1

Errata ID: AXSA:2019-3830:01

Release date: Thursday, April 11, 2019 - 21:02
Subject: httpd24-httpd-2.4.34-7.AXS4.1
Affected Channels: Asianux Server 4 for x86_64
Severity: High
Description: 

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.

Security Fix(es):

* httpd: privilege escalation from modules scripts (CVE-2019-0211)

* mod_auth_mellon: authentication bypass in ECP flow (CVE-2019-3878)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-0211
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
CVE-2019-3878
A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to let through only authenticated users (with the require valid-user directive), authentication can be bypassed by adding the special HTTP headers that are normally used to start the SAML ECP (non-browser based) flow.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd24-httpd-2.4.34-7.AXS4.1.src.rpm
    Size: 6.71 MB

Asianux Server 4 for x86_64
  1. httpd24-httpd-2.4.34-7.AXS4.1.x86_64.rpm
    Size: 1.28 MB
  2. httpd24-httpd-devel-2.4.34-7.AXS4.1.x86_64.rpm
    Size: 206.89 kB
  3. httpd24-httpd-manual-2.4.34-7.AXS4.1.noarch.rpm
    Size: 2.40 MB
  4. httpd24-httpd-tools-2.4.34-7.AXS4.1.x86_64.rpm
    Size: 82.19 kB
  5. httpd24-mod_ldap-2.4.34-7.AXS4.1.x86_64.rpm
    Size: 65.32 kB
  6. httpd24-mod_proxy_html-2.4.34-7.AXS4.1.x86_64.rpm
    Size: 44.00 kB
  7. httpd24-mod_session-2.4.34-7.AXS4.1.x86_64.rpm
    Size: 51.20 kB
  8. httpd24-mod_ssl-2.4.34-7.AXS4.1.x86_64.rpm
    Size: 107.55 kB