httpd:2.4 security and bug fix update

Errata ID: AXSA:2023-5145:01

Release date: Wednesday, February 22, 2023 - 03:59
Subject: httpd:2.4 security and bug fix update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: mod_dav: out-of-bounds read/write of zero byte (CVE-2006-20001)
* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-36760)
* httpd: mod_proxy: HTTP response splitting (CVE-2022-37436)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* httpd-init fails to create localhost.crt and localhost.key because "sscg" now creates /dhparams.pem by default and is not idempotent if the file /dhparams.pem already exists.

CVE-2006-20001
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
CVE-2022-36760
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
CVE-2022-37436
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

Modularity name: httpd
Stream name: 2.4

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.37-51.module+el8+1586+278f7828.1.ML.1.src.rpm
    MD5: 48610303d44c6c12084b953037395c7c
    SHA-256: 5919193ef247964c13f77541424b000e975f901f280ba23ca877adef6383729a
    Size: 6.94 MB
  2. mod_http2-1.15.7-5.module+el8+1586+278f7828.src.rpm
    MD5: 1012d0a20966a9862b196d974dfaf5e0
    SHA-256: d2471f97070046e39360e700a973e1afe8de9c3b5406318bf62c4288af57e213
    Size: 1.01 MB
  3. mod_md-2.0.8-8.module+el8+1586+278f7828.src.rpm
    MD5: a9450df1060bb584e2cbdd81bd198aa9
    SHA-256: 64f0847957bdedc579d7b0f27e2817fec3e828e05690f49554c68087051ebd3b
    Size: 635.32 kB

Asianux Server 8 for x86_64
  1. httpd-2.4.37-51.module+el8+1586+278f7828.1.ML.1.x86_64.rpm
    MD5: 09ae5847d076a7a5d7482e5bd88d2fe6
    SHA-256: 9e7390d5624ab7387dff23feefa743e88613680c8e0b6528406dbab81758058c
    Size: 1.41 MB
  2. httpd-debugsource-2.4.37-51.module+el8+1586+278f7828.1.ML.1.x86_64.rpm
    MD5: e303b7caeabfaa0c36889fde8f8fb9df
    SHA-256: 53dc1ba66f5d41ab06dbfdeadecd2ba7bfe1a7e524018044c66ed61ac9eb3d7f
    Size: 1.45 MB
  3. httpd-devel-2.4.37-51.module+el8+1586+278f7828.1.ML.1.x86_64.rpm
    MD5: 1c6f8c914f2413de0999f12e83225c90
    SHA-256: 55fb5a0ea1c21b5f78f5b42952140ba2f8389d642f0ccb897b7b472d1d3390cd
    Size: 224.63 kB
  4. httpd-filesystem-2.4.37-51.module+el8+1586+278f7828.1.ML.1.noarch.rpm
    MD5: c3fb2720f86e7fda4ef6de92cbb3a603
    SHA-256: 5032ec3e5f2aa17bbfb8eb054a31f7408b9d3139f0c7ee41da62fe046c5ed3b3
    Size: 41.45 kB
  5. httpd-manual-2.4.37-51.module+el8+1586+278f7828.1.ML.1.noarch.rpm
    MD5: d0422c7aeb5c696b2cfba06cf38dcaa9
    SHA-256: ef8e1521e6bcdda5f885ac56c80319029eeb5a00450ec4a267886cf5aa656b40
    Size: 2.38 MB
  6. httpd-tools-2.4.37-51.module+el8+1586+278f7828.1.ML.1.x86_64.rpm
    MD5: 47803b5ba8d25e2eb5e74318d8df18ff
    SHA-256: 76992bd250a7d3d49e8f739812fae7d3c807447457795785274311036269ee6d
    Size: 108.51 kB
  7. mod_http2-1.15.7-5.module+el8+1586+278f7828.x86_64.rpm
    MD5: 60402fd1712a59eb58f6ef5c9a92e2fd
    SHA-256: 4d6e7b7163ea2f31ddf7b17d6a5069bc3578327875f49405ba7a22ef8d9913b6
    Size: 153.29 kB
  8. mod_http2-debugsource-1.15.7-5.module+el8+1586+278f7828.x86_64.rpm
    MD5: d0150ef113be201ea09e59c0a279061c
    SHA-256: 0852f22e05a6ea617d2b06542a01a646e6caacdd5f2945665d5fcbfe40ffdb76
    Size: 146.76 kB
  9. mod_ldap-2.4.37-51.module+el8+1586+278f7828.1.ML.1.x86_64.rpm
    MD5: df58cf052341ef5fb8f39a96768f7187
    SHA-256: 60640dbe1e8703e86b69ddb0f1966baff65bc66faa998131da8021af7cfa37b2
    Size: 86.78 kB
  10. mod_md-2.0.8-8.module+el8+1586+278f7828.x86_64.rpm
    MD5: f802a20a2c529b90a371f04cd4609ead
    SHA-256: 5f054f36a525f980029bb581ccf48c9ec1f7011adeffeb1cfbbc3890bf5c6191
    Size: 183.64 kB
  11. mod_md-debugsource-2.0.8-8.module+el8+1586+278f7828.x86_64.rpm
    MD5: 4ca95fd5ee8f8dd7ad29cd0f1f28f603
    SHA-256: 05ad8e7f65c4b5b9981894d624d4588db3b7976a9cc9ddddb5babf983d7a046f
    Size: 126.24 kB
  12. mod_proxy_html-2.4.37-51.module+el8+1586+278f7828.1.ML.1.x86_64.rpm
    MD5: 9274eafa1b2b32fc6ea6fed5814a8d40
    SHA-256: ec173390da171f981181fe4ff434c5310f5593e609b1cdebd79a067db57f1f0c
    Size: 63.89 kB
  13. mod_session-2.4.37-51.module+el8+1586+278f7828.1.ML.1.x86_64.rpm
    MD5: ffb04519cf0dc32f40ea3aaf07f888e7
    SHA-256: 1ca5e642a13718641086ae18d032fbc5ce555112da20bd9ed978994314c81f8d
    Size: 75.54 kB
  14. mod_ssl-2.4.37-51.module+el8+1586+278f7828.1.ML.1.x86_64.rpm
    MD5: 71f4342a27142edfb08740f434fbd172
    SHA-256: d175c6390e79b56eb14edc866813f3644cc561e55777b6996fbf3a6c078e26f5
    Size: 138.12 kB