httpd24-1.1-19.el7, httpd24-httpd-2.4.34-15.el7, httpd24-nghttp2-1.7.1-8.el7

Errata ID: AXSA:2019-4418:01

Release date: Sunday, December 22, 2019 - 18:54
Subject: httpd24-1.1-19.el7, httpd24-httpd-2.4.34-15.el7, httpd24-nghttp2-1.7.1-8.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description:

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.

Security Fix(es):

* httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)

* httpd: mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)

* httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)

* httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)

* httpd: URL normalization inconsistency (CVE-2019-0220)

* httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang (BZ#1669213)

* httpd cannot be started with mod_md enabled (BZ#1673019)

* Rebuild metapackage with latest scl-utils (BZ#1696527)

* fix a regression introduced in r1740928 (BZ#1707636)

* duplicated cookie in Apache httpd with mod_session (BZ#1725922)

* Unexpected OCSP in proxy SSL connection (BZ#1744120)

Enhancement(s):

* RFE: updated collection for httpd 2.4 (BZ#1726706)

Additional Changes:

For detailed information on changes in this release, see the Asianux Software Collections 3.4 Release Notes linked from the References section.

CVE-2018-17189
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
CVE-2018-17199
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
CVE-2019-0217
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
CVE-2019-0220
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.
CVE-2019-10092
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
CVE-2019-10097
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.
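
For CVE-2019-0220, the following added example (not part of the advisory or of Apache httpd) audits LocationMatch/RewriteRule-style regular expressions for paths that differ only by duplicated slashes, and shows a form that accounts for them. Assumptions: Python's `re` stands in for httpd's PCRE matching, the rule list and paths are constructed, and `harden` only handles simple patterns.

```python
import re

def collapse_slashes(path):
    """Merge runs of '/' as later request processing implicitly does."""
    return re.sub(r"/{2,}", "/", path)

def slash_variants(path):
    """Return path plus one variant per '/' with that slash doubled."""
    return [path] + [path[:i] + "/" + path[i:]
                     for i, ch in enumerate(path) if ch == "/"]

def missed_variants(pattern, path):
    """Variants that collapse to `path` but that `pattern` fails to match."""
    rx = re.compile(pattern)
    return [v for v in slash_variants(path)
            if collapse_slashes(v) == path and not rx.search(v)]

def harden(pattern):
    """Turn each bare literal '/' into '/+'. Simple patterns only: it does
    not understand character classes or escaped slashes."""
    return re.sub(r"/(?![+*?{])", "/+", pattern)

# Constructed rules: (directive, regex, a path the rule is meant to cover).
RULES = [
    ("LocationMatch", r"^/admin/", "/admin/users"),
    ("RewriteRule", r"^/private/reports$", "/private/reports"),
    ("LocationMatch", r"^/+api/+internal/", "/api/internal/keys"),
]

def audit(rules):
    """Map each regex to the slash variants it misses and a hardened form."""
    report = {}
    for directive, pattern, path in rules:
        missed = missed_variants(pattern, path)
        if missed:
            report[pattern] = {"directive": directive, "missed": missed,
                               "hardened": harden(pattern)}
    return report

if __name__ == "__main__":
    for pattern, info in audit(RULES).items():
        print(info["directive"], pattern, "misses", info["missed"],
              "-> use", info["hardened"])
```

Patterns reported here should be reviewed on servers that have not yet received the update; the third constructed rule already uses `/+` and is not reported.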

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd24-1.1-19.el7.src.rpm
    Size: 14.31 kB
  2. httpd24-httpd-2.4.34-15.el7.src.rpm
    Size: 6.73 MB
  3. httpd24-nghttp2-1.7.1-8.el7.src.rpm
    Size: 1.35 MB

Asianux Server 7 for x86_64
  1. httpd24-1.1-19.el7.x86_64.rpm
    Size: 4.11 kB
  2. httpd24-runtime-1.1-19.el7.x86_64.rpm
    Size: 27.56 kB
  3. httpd24-httpd-2.4.34-15.el7.x86_64.rpm
    Size: 1.46 MB
  4. httpd24-httpd-devel-2.4.34-15.el7.x86_64.rpm
    Size: 206.20 kB
  5. httpd24-httpd-manual-2.4.34-15.el7.noarch.rpm
    Size: 2.36 MB
  6. httpd24-httpd-tools-2.4.34-15.el7.x86_64.rpm
    Size: 89.02 kB
  7. httpd24-mod_ldap-2.4.34-15.el7.x86_64.rpm
    Size: 69.41 kB
  8. httpd24-mod_md-2.4.34-15.el7.x86_64.rpm
    Size: 108.46 kB
  9. httpd24-mod_proxy_html-2.4.34-15.el7.x86_64.rpm
    Size: 47.59 kB
  10. httpd24-mod_session-2.4.34-15.el7.x86_64.rpm
    Size: 58.24 kB
  11. httpd24-mod_ssl-2.4.34-15.el7.x86_64.rpm
    Size: 113.67 kB
  12. httpd24-libnghttp2-1.7.1-8.el7.x86_64.rpm
    Size: 61.16 kB
  13. httpd24-libnghttp2-devel-1.7.1-8.el7.x86_64.rpm
    Size: 44.38 kB
  14. httpd24-nghttp2-1.7.1-8.el7.x86_64.rpm
    Size: 3.73 kB