httpd:2.4 security, bug fix, and enhancement update
Errata ID: AXSA:2021-2273:01
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
* httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)
* httpd: mod_proxy_uwsgi buffer overflow (CVE-2020-11984)
* httpd: mod_http2 concurrent pool usage (CVE-2020-11993)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2018-17199
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
CVE-2020-11984
Apache HTTP Server 2.4.32 to 2.4.44: mod_proxy_uwsgi info disclosure and possible RCE
CVE-2020-11993
In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
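The ordering flaw described for CVE-2018-17199, shown as an added simplified model and not httpd source code. The `session_t` struct, the function names and the `key=value&expiry=<epoch>` cookie layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Simplified session: `encoded` is the cookie value as received;
   `expiry` is only known after decoding (0 means "not set"). */
typedef struct {
    const char *encoded;
    time_t expiry;
} session_t;

/* Decode step: read "expiry=<epoch seconds>" from the encoded string. */
static void session_decode(session_t *s)
{
    const char *p = strstr(s->encoded, "expiry=");
    s->expiry = p ? (time_t)strtoll(p + 7, NULL, 10) : 0;
}

static int is_expired(const session_t *s, time_t now)
{
    return s->expiry != 0 && s->expiry < now;
}

/* Flawed order: expiry is tested while still 0, then the session is decoded. */
int load_check_then_decode(const char *cookie, time_t now)
{
    session_t s = { cookie, 0 };
    if (is_expired(&s, now))
        return 0;               /* never taken: expiry not loaded yet */
    session_decode(&s);
    return 1;                   /* session accepted */
}

/* Corrected order: decode first, then test the loaded expiry. */
int load_decode_then_check(const char *cookie, time_t now)
{
    session_t s = { cookie, 0 };
    session_decode(&s);
    return is_expired(&s, now) ? 0 : 1;
}

int main(void)
{
    const char *cookie = "user=alice&expiry=1000";  /* constructed sample */
    printf("check-then-decode accepts: %d\n", load_check_then_decode(cookie, 2000));
    printf("decode-then-check accepts: %d\n", load_decode_then_check(cookie, 2000));
    return 0;
}
```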
Modularity name: httpd
Stream name: 2.4
Update packages.
SRPMS
- httpd-2.4.37-39.module+el8+1274+737e445a.ML.2.src.rpm
MD5: f6d67985a0982d419f4aa917f26d26b3
SHA-256: 7c970ac7b3c15017ae78457dbc76ee8b9d96f719e8be42b5da76232d0b77cb4c
Size: 6.89 MB
- mod_http2-1.15.7-3.module+el8+1274+737e445a.src.rpm
MD5: 2c4cc08dcf111147f4dc89c3d0359326
SHA-256: 225f6fd9ac4e4065f9590319964d62e831519e64c104019e32c304fca1128912
Size: 1.01 MB
- mod_md-2.0.8-8.module+el8+1274+737e445a.src.rpm
MD5: 3d4f21c22165493db1ccd1590df079f2
SHA-256: 5152c605cc8f7b84a0e1a523e597ca706450a170104524533cfbdf748510a346
Size: 635.34 kB
Asianux Server 8 for x86_64
- httpd-2.4.37-39.module+el8+1274+737e445a.ML.2.x86_64.rpm
MD5: d515800821e6823a4269d5bdbec3f74e
SHA-256: d2650b0b4312e19b7e602a18d2ac6743ffdc0a8798b82c92510e3461c1347575
Size: 1.40 MB
- httpd-debugsource-2.4.37-39.module+el8+1274+737e445a.ML.2.x86_64.rpm
MD5: 53ddb2bcdd744f29cf0308b4649ed8de
SHA-256: 3128b96f81bb1843cf16bb064aa728494c9750cdbfd681cea35ae44d4d941571
Size: 1.44 MB
- httpd-devel-2.4.37-39.module+el8+1274+737e445a.ML.2.x86_64.rpm
MD5: 9361d4ffcd53b540c1e81603b8337a84
SHA-256: 0ec746714132245e58dbad404e5ea9ad202d85055ddf2e740d0314340bcce5cd
Size: 220.12 kB
- httpd-filesystem-2.4.37-39.module+el8+1274+737e445a.ML.2.noarch.rpm
MD5: bdd77a1526c94acd7c533c3b3ad5a64e
SHA-256: b4e9122bc6b9e28450bad489ccd94fc20d23eb5f02a9f11fe6643db408aa0754
Size: 37.48 kB
- httpd-manual-2.4.37-39.module+el8+1274+737e445a.ML.2.noarch.rpm
MD5: 2b207bdac029a658050e601e1e41119a
SHA-256: 2e910b93d3231188d546e7dc9a108b2ffca1f1fa3719ab4ea0f948da43429eb4
Size: 2.37 MB
- httpd-tools-2.4.37-39.module+el8+1274+737e445a.ML.2.x86_64.rpm
MD5: 714b066fe80311ed187840fa374845b9
SHA-256: 87950155c4f817e25b627ed560f7ae73e1f64c1302d717e979948e553955263c
Size: 104.75 kB
- mod_ldap-2.4.37-39.module+el8+1274+737e445a.ML.2.x86_64.rpm
MD5: 1f4eb3979cce8d53187881188ad88545
SHA-256: a558c854026157c2372b0d84378bae6e11de6356927c5d4886d62e96b31fd012
Size: 82.76 kB
- mod_proxy_html-2.4.37-39.module+el8+1274+737e445a.ML.2.x86_64.rpm
MD5: 357b668ea2a5d106f50d111a48855cbd
SHA-256: 19fc67eee6d917f8e701b7788df9efbd291833ce5b0d8ce9ec86087406d68f28
Size: 59.87 kB
- mod_session-2.4.37-39.module+el8+1274+737e445a.ML.2.x86_64.rpm
MD5: b65c369ea6760a10077788f082909808
SHA-256: e56aad6830e08783ddf8b74ab56868a6d93d8dd3aeb9066d2d371315a7166c31
Size: 71.53 kB
- mod_ssl-2.4.37-39.module+el8+1274+737e445a.ML.2.x86_64.rpm
MD5: 4bb5d557b7d38a217693a2b9e5e341a3
SHA-256: f6f74a36c599530178ebb1e664b8d5c0e95a3e89dea8668737aeb82b1e2f9144
Size: 133.44 kB
- mod_http2-1.15.7-3.module+el8+1274+737e445a.x86_64.rpm
MD5: 40614f4a3733bd1c8063261ef90b2a60
SHA-256: be792caed5952a45ff15d9d0944a06a2fde37d53c08611cb2259e5d220e029c7
Size: 153.12 kB
- mod_http2-debugsource-1.15.7-3.module+el8+1274+737e445a.x86_64.rpm
MD5: b8b252d6fc1a6690c661686e2ed8fdcc
SHA-256: a93f9e4541113229e1dd78ed551293bc2e5899e6c163eecda0b583ddaa17e54e
Size: 146.92 kB
- mod_md-2.0.8-8.module+el8+1274+737e445a.x86_64.rpm
MD5: e15d49b8daddc05bd8c4d31beca82c23
SHA-256: f16db440d4b38f366d6648e31618d7d186bae473e84954e87bbe6ec4da3da3ad
Size: 183.57 kB
- mod_md-debugsource-2.0.8-8.module+el8+1274+737e445a.x86_64.rpm
MD5: 3e6397947362f8b5a0b7612b8cdf3ddb
SHA-256: e68b4de37f08267a5d00ea55de08a8e0923466f021b70564c4bf048cbdd9a69b
Size: 126.25 kB