httpd-2.4.6-97.4.0.1.el7.AXS7

Errata ID: AXSA:2022-2982:01

Release date: Tuesday, January 18, 2022 - 16:52
Subject: httpd-2.4.6-97.4.0.1.el7.AXS7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: mod_lua: Possible buffer overflow when parsing multipart content (CVE-2021-44790)
* httpd: mod_session: Heap overflow via a crafted SessionHeader value (CVE-2021-26691)
* httpd: NULL pointer dereference via malformed requests (CVE-2021-34798)
* httpd: Out-of-bounds write in ap_escape_quotes() via malicious input (CVE-2021-39275)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-26691
In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted SessionHeader sent by an origin server could cause a heap overflow.
CVE-2021-34798
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVE-2021-39275
ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVE-2021-44790
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.6-97.4.0.1.el7.AXS7.src.rpm
    MD5: 99a1abd03d2b97c71bae626b083a45c1
    SHA-256: 23ec86ece08202bbd8aa24c0e9710b7044b04ef29f629f916f68d19c8fb7bc54
    Size: 4.98 MB

Asianux Server 7 for x86_64
  1. httpd-2.4.6-97.4.0.1.el7.AXS7.x86_64.rpm
    MD5: e1f9c3cfcfee15d7e39fdcd5e9536670
    SHA-256: e36daeef6eb18630859468fc1eadf2db8b5ea86a73255909853acf361a81dadd
    Size: 1.19 MB
  2. httpd-devel-2.4.6-97.4.0.1.el7.AXS7.x86_64.rpm
    MD5: d233807458b051f98ab0f271aaa7e5df
    SHA-256: f7200fef87a961fcf18bb586afd028413ed740998e622d1de3c83a18ca1383e1
    Size: 199.21 kB
  3. httpd-manual-2.4.6-97.4.0.1.el7.AXS7.noarch.rpm
    MD5: 605bcd7f9fa829218c88282a9619b5df
    SHA-256: 9348bcc2d11ab4dbafb12832efebb0e93cb7e27d3eed4409ff89b87e7ff170ab
    Size: 1.34 MB
  4. httpd-tools-2.4.6-97.4.0.1.el7.AXS7.x86_64.rpm
    MD5: b7f36a1426ca72e14a27fb831833ce63
    SHA-256: fc0a67f341462a888ea909f15da6579fe1edc3687ef5720a7c7fb822e6fffd48
    Size: 93.07 kB
  5. mod_session-2.4.6-97.4.0.1.el7.AXS7.x86_64.rpm
    MD5: 0a834d091ec5b4af1259bfcc875f0bc4
    SHA-256: 82df897abf5ef66c7c2dcd98a419e5fde7499ff2e88ddabd2e686077c997ea9e
    Size: 63.12 kB
  6. mod_ssl-2.4.6-97.4.0.1.el7.AXS7.x86_64.rpm
    MD5: c974bbe2c98bd194d6f45a3ca928d09c
    SHA-256: e45298cf6d584b3a57f7413f659c47ad989569fdfd05ee127995a2f72661a8dd
    Size: 114.23 kB