httpd-2.4.6-90.0.1.el7.AXS7

Errata ID: AXSA:2019-4324:03

Release date: Wednesday, September 25, 2019 - 08:43
Subject: httpd-2.4.6-90.0.1.el7.AXS7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)

* httpd: URL normalization inconsistency (CVE-2019-0220)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 7.7 Release Notes linked from the References section.

CVE-2019-0217
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
CVE-2019-0220
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.
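
An added example (not part of the advisory or of Apache's code) of the CVE-2019-0220 mismatch described above: it compares a path regex's verdict on the raw request path with its verdict on the slash-collapsed path, over constructed access-log lines, to find requests where the two disagree. The patterns, log lines and function names are assumptions, and Python's `re` stands in for the regex engine httpd uses.

```python
import re

# Constructed access-log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2019:08:43:00 +0900] "GET /admin/status HTTP/1.1" 200 381',
    '192.0.2.11 - - [25/Sep/2019:08:43:05 +0900] "GET //admin/status HTTP/1.1" 200 381',
    '192.0.2.12 - - [25/Sep/2019:08:43:09 +0900] "GET /static//css/site.css HTTP/1.1" 200 512',
    '192.0.2.13 - - [25/Sep/2019:08:43:12 +0900] "GET /index.html?next=//admin/ HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Hypothetical LocationMatch-style patterns protecting an /admin/ area.
STRICT = r"^/admin/"      # written assuming single slashes only
TOLERANT = r"^/+admin/"   # accounts for duplicate slashes in the regex


def request_path(line):
    """Return the path component (query string removed) of a log line, or None."""
    m = REQUEST_RE.search(line)
    return m.group(1).split("?", 1)[0] if m else None


def collapse_slashes(path):
    """Collapse runs of '/' as the server's later path processing implicitly does."""
    return re.sub(r"/{2,}", "/", path)


def verdicts(pattern, path):
    """Return (matches raw path, matches collapsed path) for one pattern."""
    rx = re.compile(pattern)
    return bool(rx.search(path)), bool(rx.search(collapse_slashes(path)))


def inconsistent_requests(pattern, log_lines):
    """Paths with consecutive slashes where raw and collapsed verdicts differ."""
    hits = []
    for line in log_lines:
        path = request_path(line)
        if path is None or "//" not in path:
            continue
        raw, collapsed = verdicts(pattern, path)
        if raw != collapsed:
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("strict  :", inconsistent_requests(STRICT, SAMPLE_LOG))
    print("tolerant:", inconsistent_requests(TOLERANT, SAMPLE_LOG))
```

A non-empty result for a pattern means some logged request was judged differently by the regex than by the collapsed path, which is the condition to review in LocationMatch and RewriteRule expressions on unpatched servers.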

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.6-90.0.1.el7.AXS7.src.rpm
    MD5: 675aa64190136d1273a5d38b534c83e4
    SHA-256: 3a997b5bf39bdf568ec94912b9c63d460caa0ff37dbb80bbe1e0b99642393d96
    Size: 4.95 MB

Asianux Server 7 for x86_64
  1. httpd-2.4.6-90.0.1.el7.AXS7.x86_64.rpm
    MD5: 4f7538c22d86afd79b4b9a7653b6b127
    SHA-256: 095ad3b99202a8da83285cd6ab1039f5ccb9d8b0bfbc45d6cc3d12684e538e27
    Size: 1.19 MB
  2. httpd-devel-2.4.6-90.0.1.el7.AXS7.x86_64.rpm
    MD5: d9094b1b5e118725574e3fe861653716
    SHA-256: 1bf9c4bce3ea7912515559c197cc2162a3e6935557b61e3c2834923b0ec4bc4c
    Size: 195.97 kB
  3. httpd-manual-2.4.6-90.0.1.el7.AXS7.noarch.rpm
    MD5: 6d99258c1969998e7927c69ad01034d5
    SHA-256: d97db0e69e92ac4c417d9bad2ec4a992e2c52482c3117d33a6c167ca2e804984
    Size: 1.34 MB
  4. httpd-tools-2.4.6-90.0.1.el7.AXS7.x86_64.rpm
    MD5: d422cada23de50887843dcc2c53263a8
    SHA-256: 45d12eeef9870cf5312c0da67dc451d323747a0bcd78c76aefa77ea047cfdaa5
    Size: 89.79 kB
  5. mod_session-2.4.6-90.0.1.el7.AXS7.x86_64.rpm
    MD5: 84c3017916a068c391bee67fce65cafe
    SHA-256: c2c122968f2092881ca46e8970c6d0b7335ed7dccd4bce692c642dc20846a17b
    Size: 60.02 kB
  6. mod_ssl-2.4.6-90.0.1.el7.AXS7.x86_64.rpm
    MD5: 17ed4f41339b8cb49eec082a6ff1552f
    SHA-256: f5316ed8e12b03793d7bb62085a4806ede344a6bc59724042bf8b944b7d9e785
    Size: 111.40 kB