httpd:2.4 security update

エラータID: AXSA:2020-846:01

Release date: 
Monday, November 2, 2020 - 10:13
Subject: 
httpd:2.4 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The Apache HTTP Server is a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: Push diary crash on specifically crafted HTTP/2 header (CVE-2020-9490)

Modularity name: httpd
Stream name: 2.4

CVE-2020-9490
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

Solution: 

Update packages.

CVEs: 
CVE-2020-9490
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.37-21.0.1.module+el8+137+0663b471.src.rpm
    MD5: 54070f0caf1a6fc569abd258ab2f027f
    SHA-256: 2705935070816599914e4f30df0ce850adf4ba57398dd3391999336294e8b172
    Size: 6.84 MB
  2. mod_http2-1.11.3-3.module+el8+137+0663b471.1.src.rpm
    MD5: b00869dc760a7699fdaeed8cf83a0ced
    SHA-256: 107a2bd030a10599668c2b23b271a5f2e1897569d493a9b3dc2cdf9b061ff5bd
    Size: 1.00 MB
  3. mod_md-2.0.8-7.module+el8+137+0663b471.src.rpm
    MD5: 67b8cb04d6901b88994b794a29cbefa1
    SHA-256: 5276145f9305563a74df451fb3bfc25deddd19eed83f520639fd03cc839b055d
    Size: 634.31 kB

Asianux Server 8 for x86_64
  1. httpd-2.4.37-21.0.1.module+el8+137+0663b471.x86_64.rpm
    MD5: aed09be90bc7b2269b2e967ffdcec9a6
    SHA-256: 317575206e087d15cea9d11638f5914afae62ef525c1e1c9fdb7bfd361ffa0e3
    Size: 1.40 MB
  2. httpd-devel-2.4.37-21.0.1.module+el8+137+0663b471.x86_64.rpm
    MD5: 1e74ecce2b5d27fa73f0c9fc73ce8d15
    SHA-256: 7f3c573294ee4fc24925e14c076c26e04193a1ee888918440229d4da4fb19085
    Size: 217.05 kB
  3. httpd-filesystem-2.4.37-21.0.1.module+el8+137+0663b471.noarch.rpm
    MD5: 618bded152ac74056d418a41234239c0
    SHA-256: 1068bc5b84697184f22b53aa9ce40dbbe3bf992ddf9f352a85037278198b0acb
    Size: 34.68 kB
  4. httpd-manual-2.4.37-21.0.1.module+el8+137+0663b471.noarch.rpm
    MD5: 7308d0733f89d3cbe28e1c50867c54e4
    SHA-256: e0084be6b97945b402b580eecef8c00800fe348aef64c0c1aa0d4c0318bca586
    Size: 2.37 MB
  5. httpd-tools-2.4.37-21.0.1.module+el8+137+0663b471.x86_64.rpm
    MD5: 367d3477855f17854994e6d8060f4f69
    SHA-256: d9c27a123d39ab9c3371b652fc7ee39feffa7a9aff85dce59a8b6d906205391a
    Size: 101.92 kB
  6. mod_ldap-2.4.37-21.0.1.module+el8+137+0663b471.x86_64.rpm
    MD5: 41feb3da5acd402396ab95be2e2c1019
    SHA-256: 080c376d23d6ec49f1966bd49d51b7807c7229814df5d3475dba56b8a3d7cb0d
    Size: 80.12 kB
  7. mod_proxy_html-2.4.37-21.0.1.module+el8+137+0663b471.x86_64.rpm
    MD5: add37cfc0f82b73a1a1494a2f21207cf
    SHA-256: da7e357234b6053b38b6f2f1e7c67c334de57e14723222fdb56ec22d813cc22f
    Size: 57.03 kB
  8. mod_session-2.4.37-21.0.1.module+el8+137+0663b471.x86_64.rpm
    MD5: eaa8da9a8a8b368ecb07f76b1da4e373
    SHA-256: 07341982316b482d2f3448048191dce75562eb625b6d6b334bd8f9d60f19e4ae
    Size: 68.54 kB
  9. mod_ssl-2.4.37-21.0.1.module+el8+137+0663b471.x86_64.rpm
    MD5: c22f3b2658934ed75b3cbd47a0b0698d
    SHA-256: a0af5c943ce5010a87ef589ddf70a8e4b583e419489d097e351a673e2d9bfedc
    Size: 130.55 kB
  10. mod_http2-1.11.3-3.module+el8+137+0663b471.1.x86_64.rpm
    MD5: 976544dffebb4cf34d83c2eed57f0331
    SHA-256: 79a7bb455b74e4780fbf5d8f67abf6ae808e36f5a2fedf676a532065d7e52b55
    Size: 155.14 kB
  11. mod_md-2.0.8-7.module+el8+137+0663b471.x86_64.rpm
    MD5: b0bc89df9cedc90b54b98299088b799a
    SHA-256: 01075acdded89eae5dac3b892aec8cb6d0615dca5d21f8c06b5a0c337d50c098
    Size: 183.53 kB