httpd-2.4.53-7.el9.1

Errata ID: AXSA:2023-5178:03

Release date: Wednesday, March 1, 2023 - 00:54
Subject: httpd-2.4.53-7.el9.1
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: mod_dav: out-of-bounds read/write of zero byte (CVE-2006-20001)
* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-36760)
* httpd: mod_proxy: HTTP response splitting (CVE-2022-37436)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* httpd-init fails to create localhost.crt and localhost.key because "sscg" now creates /dhparams.pem by default and is not idempotent if the file /dhparams.pem already exists.

CVE-2006-20001
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
CVE-2022-36760
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
CVE-2022-37436
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.53-7.el9.1.src.rpm
    MD5: 7112b506ce949a75022cda6bf1287bc0
    SHA-256: 23980e75f5d5c122e35c8047a1c1bae4edce5a103f4ff1b957d7d3e62eacdad4
    Size: 7.56 MB

Asianux Server 9 for x86_64
  1. httpd-2.4.53-7.el9.1.x86_64.rpm
    MD5: fbb5a38d54e1ee5d5eec5928194cd118
    SHA-256: 942ef11a3b8867339cfe02b778661d6dbfe7c42c5db476bfba168c6fbba6cb5a
    Size: 46.92 kB
  2. httpd-core-2.4.53-7.el9.1.x86_64.rpm
    MD5: 7b97762e89964e8ed90e6a7ea07cd3f8
    SHA-256: cd1187b40728dc5193ca4887b3edd7790c8448fb3cfb2fa875986ff1d3a9111e
    Size: 1.35 MB
  3. httpd-devel-2.4.53-7.el9.1.x86_64.rpm
    MD5: fc004e14316e4f10e52e795d903e89d5
    SHA-256: e77e8e6db69ebd76a1599082089a4fe384841b2eb5c98e200de0f573660895d1
    Size: 192.00 kB
  4. httpd-filesystem-2.4.53-7.el9.1.noarch.rpm
    MD5: cd16d833583d64b38e023419056bc55b
    SHA-256: 4b39fcd25f7b5baa5aa5350e1199b19d6ad23f75f5270148f7a024f0c6fce2fd
    Size: 13.78 kB
  5. httpd-manual-2.4.53-7.el9.1.noarch.rpm
    MD5: 5d027f59e6a3b15c94fb5f13bf9ca795
    SHA-256: 226f336f1ca258f074a1f880638ec4df0afd9a6e9b477a49bc2c8a694a794959
    Size: 2.23 MB
  6. httpd-tools-2.4.53-7.el9.1.x86_64.rpm
    MD5: c4a8e166f5364bb999ee8402dfd774ec
    SHA-256: fb412ea2325b50e15a9ca1102569618ab219483c68d6fdadfc67252c60216eb7
    Size: 81.24 kB
  7. mod_ldap-2.4.53-7.el9.1.x86_64.rpm
    MD5: e9fc856f27acbb954d8776114cac6a3f
    SHA-256: 56391d5a596c7b7b2c3c3538b586d140777a6d8b178dfaa7d50debef622fa746
    Size: 61.83 kB
  8. mod_lua-2.4.53-7.el9.1.x86_64.rpm
    MD5: 19750e0a5584b0942853f3e55cb24a42
    SHA-256: f77389c980287058e5df9bbf3b47f7fcab9f9b88c095d490d903c5b62bd66ed7
    Size: 61.13 kB
  9. mod_proxy_html-2.4.53-7.el9.1.x86_64.rpm
    MD5: 6b1fc2627c7845158e6364417b1b54eb
    SHA-256: 3913745eb55080bfa9b53016e0a72bde394db61c4f6e1c5fd9ab531030f3ee1f
    Size: 36.71 kB
  10. mod_session-2.4.53-7.el9.1.x86_64.rpm
    MD5: 88836d30929189c699a882c72ce5fe1d
    SHA-256: 7dce5592b78f0c0165b3295f1228d659f3cb389a827e2247970b8943b92fd88e
    Size: 48.58 kB
  11. mod_ssl-2.4.53-7.el9.1.x86_64.rpm
    MD5: cb718d38ad5f96598b7d0225e3ac9c09
    SHA-256: c88eae06d3c219f6bc7162fbe299e90b18ec267daa81b4d1c55d3681036263c0
    Size: 110.33 kB