httpd-2.4.6-93.0.1.el7.AXS7

Errata ID: AXSA:2020-006:01

Release date: Wednesday, April 22, 2020 - 02:22
Subject: httpd-2.4.6-93.0.1.el7.AXS7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)

* httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)

* httpd: Out of bounds access after failure in reading the HTTP request (CVE-2018-1301)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 7 Release Notes linked from the References section.

CVE-2017-15710
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism truncates it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of fewer than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, which is quite unlikely, the process would crash, which could be used as a denial-of-service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.
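The fallback described above, as an added C illustration that is not Apache httpd's or Asianux's code: the charset table, the function names and the exactly-sized heap copy of the header are assumptions made here to model only the behaviour the advisory describes. It shows the unpatched truncation beside a form that handles tags shorter than two characters without touching memory past the string.

```c
/* Constructed illustration of the Accept-Language charset fallback
 * (CVE-2017-15710). Not Apache httpd source; names and table are
 * assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed charset table: language tag -> charset name. */
struct charset_entry { const char *lang; const char *charset; };
static const struct charset_entry charset_table[] = {
    { "en",    "ISO-8859-1" },
    { "ja",    "ISO-2022-JP" },
    { "ru-RU", "KOI8-R" },
};
#define CHARSET_TABLE_LEN (sizeof charset_table / sizeof charset_table[0])

static const char *charset_lookup(const char *lang)
{
    for (size_t i = 0; i < CHARSET_TABLE_LEN; i++)
        if (strcmp(charset_table[i].lang, lang) == 0)
            return charset_table[i].charset;
    return NULL;
}

/* Unpatched shape of the fallback: truncate the tag to two characters by
 * writing a NUL at index 2. When the tag is shorter than two characters,
 * index 2 lies beyond the string's own terminator; that is the one-byte
 * out-of-bounds write the advisory describes. Only called below with a
 * tag long enough to be safe. */
static const char *charset_for_lang_unpatched(char *lang)
{
    const char *cs = charset_lookup(lang);
    if (cs == NULL) {
        lang[2] = '\0';            /* out of bounds if strlen(lang) < 2 */
        cs = charset_lookup(lang);
    }
    return cs;
}

/* Hardened form: truncate only when the tag has more than two characters,
 * so index 2 is always inside the string; anything shorter yields NULL and
 * the caller uses its default charset instead. */
static const char *charset_for_lang(char *lang)
{
    const char *cs = charset_lookup(lang);
    if (cs == NULL && strlen(lang) > 2) {
        lang[2] = '\0';            /* safe: at least 3 chars before the NUL */
        cs = charset_lookup(lang);
    }
    return cs;
}

/* Run the hardened lookup on a header value copied into an exactly-sized
 * heap buffer, as a server would hold it. Returns the charset or NULL. */
static const char *charset_for_header(const char *accept_language)
{
    size_t n = strlen(accept_language) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return NULL;
    memcpy(copy, accept_language, n);
    const char *cs = charset_for_lang(copy);   /* points into the table */
    free(copy);
    return cs;
}

int main(void)
{
    char tag[] = "en-US";   /* long enough for the unpatched path to be safe */
    printf("unpatched, 'en-US': %s\n", charset_for_lang_unpatched(tag));

    const char *samples[] = { "en-US", "ja", "e", "", "fr-FR" };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *cs = charset_for_header(samples[i]);
        printf("'%s' -> %s\n", samples[i], cs ? cs : "(none, use default)");
    }
    return 0;
}
```

The check `strlen(lang) > 2` is the whole fix: a one- or zero-character tag can never match a two-character table entry after truncation, so there is nothing to gain from the retry and no reason to write into the string at all.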
CVE-2018-1301
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out-of-bounds access after a size limit is reached while reading the HTTP header. This vulnerability is considered very hard, if not impossible, to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.
CVE-2018-17199
In Apache HTTP Server 2.4 releases 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is only loaded when the session is decoded.
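The ordering bug described above, as an added C illustration that is not mod_session's code: the cookie encoding (`expiry=<unix time>&user=<name>`), the struct and the function names are assumptions made for this example. The unpatched load order evaluates the expiry field before the cookie has been decoded, so the field is still its zero default ("no expiry") and an expired cookie is accepted; the corrected order decodes first and only then compares the expiry against the current time.

```c
/* Constructed illustration of the expiry-before-decode ordering bug
 * (CVE-2018-17199). Not mod_session source; encoding and names are
 * assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct session {
    long        expiry;     /* unix time; 0 means "no expiry set" */
    char        user[32];
    const char *encoded;    /* raw cookie value as received from the client */
};

/* Decode the cookie value into the struct. The expiry is only known after
 * this step, which is the crux of the bug. Returns 0 on success, -1 on a
 * malformed cookie. */
static int session_decode(struct session *s)
{
    const char *p = strstr(s->encoded, "expiry=");
    if (p != NULL)
        s->expiry = strtol(p + 7, NULL, 10);   /* absent: stays 0 */
    p = strstr(s->encoded, "user=");
    if (p == NULL)
        return -1;
    p += 5;
    size_t n = strcspn(p, "&");
    if (n >= sizeof s->user)
        return -1;
    memcpy(s->user, p, n);
    s->user[n] = '\0';
    return 0;
}

/* Expiry check shared by both load orders. */
static int session_expired(const struct session *s, long now)
{
    return s->expiry != 0 && s->expiry <= now;
}

/* Unpatched order: check expiry, then decode. For a cookie-backed session
 * the expiry field is still 0 when checked, so an expired cookie passes.
 * Returns 1 if the session is accepted, 0 if rejected. */
static int session_load_unpatched(const char *cookie, long now, struct session *out)
{
    memset(out, 0, sizeof *out);
    out->encoded = cookie;
    if (session_expired(out, now))      /* expiry is still 0 here */
        return 0;
    if (session_decode(out) != 0)
        return 0;
    return 1;
}

/* Fixed order: decode first so the expiry reflects the cookie, then check. */
static int session_load_fixed(const char *cookie, long now, struct session *out)
{
    memset(out, 0, sizeof *out);
    out->encoded = cookie;
    if (session_decode(out) != 0)
        return 0;
    if (session_expired(out, now))      /* expiry now comes from the cookie */
        return 0;
    return 1;
}

int main(void)
{
    const char *cookie = "expiry=1500000000&user=alice";  /* constructed, expired */
    long now = 1600000000L;                               /* constructed "current" time */
    struct session s;
    printf("unpatched: %s\n", session_load_unpatched(cookie, now, &s) ? "accepted" : "rejected");
    printf("fixed:     %s\n", session_load_fixed(cookie, now, &s) ? "accepted" : "rejected");
    return 0;
}
```

Nothing about the expiry comparison itself is wrong in either variant; the defect is purely that the comparison runs before the value it compares has been populated, which is why the same `session_expired` helper gives opposite results depending on where it is called.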

Solution:

Update packages.

Additional Info:

N/A

Download:

SRPMS
  1. httpd-2.4.6-93.0.1.el7.AXS7.src.rpm
    MD5: 42bc897b66d4ac679ca386600fde1003
    SHA-256: 2b708514f9a6f8006afdd0f1be83efff54eb6fa37fd834eb7e56811e6518c3f7
    Size: 4.96 MB

Asianux Server 7 for x86_64
  1. httpd-2.4.6-93.0.1.el7.AXS7.x86_64.rpm
    MD5: b61204f33eb30ead723a4e5c07d006ae
    SHA-256: 63776870e9589bfd170a9c8a0d1016112b7eae21a683ada6f67d96304a2b572b
    Size: 1.19 MB
  2. httpd-devel-2.4.6-93.0.1.el7.AXS7.x86_64.rpm
    MD5: 6a251de2fa18b4457daaa4034abeb94e
    SHA-256: 45131ac830a0cc1ca96ba92959cb71c4fa4389e98ff30db814b61582786e5f66
    Size: 196.89 kB
  3. httpd-manual-2.4.6-93.0.1.el7.AXS7.noarch.rpm
    MD5: 26cb0e3539a91ddfbecca8e45e38c9e2
    SHA-256: adfa6870492c9f01c8c2d102ea7e1ffdd3bc36b6e3b33bee8e86c712a8fc3569
    Size: 1.34 MB
  4. httpd-tools-2.4.6-93.0.1.el7.AXS7.x86_64.rpm
    MD5: 0c56ec5aeb41a058357f89dc15de591a
    SHA-256: 150e48e750e9629df3fb644121b2a74f2f256ae4f65136b03c16dc53dd722776
    Size: 91.15 kB
  5. mod_session-2.4.6-93.0.1.el7.AXS7.x86_64.rpm
    MD5: d80bfcb08a231c3e121145df798bf418
    SHA-256: 8d050a9f067cb9ab7d10df2962c33200fb8000a78800d1ce3c131865519a4f53
    Size: 60.96 kB
  6. mod_ssl-2.4.6-93.0.1.el7.AXS7.x86_64.rpm
    MD5: 7494f8f3894cd80768af59d1496ae7b7
    SHA-256: 69d937336693b7013ccde251681b13728046fa40086b0836c7b0354233bfd96e
    Size: 112.32 kB