httpd-2.4.6-98.7.0.1.el7.AXS7

Errata ID: AXSA:2023-5265:04

Release date: 
Wednesday, April 5, 2023 - 09:22
Subject: 
httpd-2.4.6-98.7.0.1.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: HTTP request splitting with mod_rewrite and mod_proxy (CVE-2023-25690)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-25690
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
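To find configurations of the kind the CVE text describes, the following heuristic audit script flags RewriteRule directives with the proxy flag and ProxyPassMatch directives whose broad capture group is substituted back into the proxied target. It is an added example, not part of the advisory or of Apache httpd; the function name, the regexes and the sample lines other than the advisory's own example are assumptions made for illustration.

```python
import re

# Sample config: the first three lines are the advisory's example, the rest are constructed.
SAMPLE_CONF = '''\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
# constructed lines below
RewriteRule "^/item/([0-9]+)$" "http://example.com:8080/item?id=$1" [P]
ProxyPassMatch "^/files/(.*)$" "http://example.com:8080/store/$1"
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
'''

# Split a directive into arguments, keeping double-quoted arguments whole.
TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')
# Heuristic for a "non-specific pattern": (.*), (.+) or a negated class such as ([^/]+).
BROAD_GROUP = re.compile(r"\((?:\.[*+]|\[\^[^\]]*\][*+])\)")
BACKREF = re.compile(r"\$[1-9]")


def risky_proxy_rules(conf_text):
    """Return (line_no, directive) pairs where a proxying RewriteRule or a
    ProxyPassMatch re-inserts a broad capture group into the target via $N."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = [quoted or bare for quoted, bare in TOKEN.findall(line)]
        if len(tok) < 3:
            continue
        name, pattern, target = tok[0].lower(), tok[1], tok[2]
        if name == "rewriterule":
            # Only rules carrying the P (proxy) flag hand the result to mod_proxy.
            flags = tok[3].strip("[]").split(",") if len(tok) > 3 else []
            proxied = any(f.strip().upper() in ("P", "PROXY") for f in flags)
        else:
            proxied = name == "proxypassmatch"
        if proxied and BROAD_GROUP.search(pattern) and BACKREF.search(target):
            findings.append((no, line))
    return findings


if __name__ == "__main__":
    for no, directive in risky_proxy_rules(SAMPLE_CONF):
        print(f"line {no}: review before/after updating httpd: {directive}")
```

A hit only marks a directive for review; it does not replace updating the packages, and included files or macros are not followed.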

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.6-98.7.0.1.el7.AXS7.src.rpm
    MD5: a5b12cb7d5dbffb0cc2f17a4edfa2ed5
    SHA-256: bafc3eeb0c9836e45ffe4c50ce3928d63d78c43f4525ec16e5e37e8612cb342f
    Size: 4.99 MB

Asianux Server 7 for x86_64
  1. httpd-2.4.6-98.7.0.1.el7.AXS7.x86_64.rpm
    MD5: 23255855476988e4ab2a2a68d25e58af
    SHA-256: 687262533028e439d897e148ef65e21b9b3985c07949c4c86f831ae1b8851d1e
    Size: 1.19 MB
  2. httpd-devel-2.4.6-98.7.0.1.el7.AXS7.x86_64.rpm
    MD5: d35777fdf67fc574538e57dd97c3b8af
    SHA-256: f781d1cf648591e1b96f77d00b07b7e47fb795411ef597ceadea572bd57a645e
    Size: 200.24 kB
  3. httpd-manual-2.4.6-98.7.0.1.el7.AXS7.noarch.rpm
    MD5: ca0f523d13977066193e0972015e7817
    SHA-256: c5abb06833f73627e1ca9d261acb65381cbe8a16a7e2ffd8babdbfa731fef99d
    Size: 1.34 MB
  4. httpd-tools-2.4.6-98.7.0.1.el7.AXS7.x86_64.rpm
    MD5: 7be69b7ed00f3de7f5598060b5a01ef1
    SHA-256: 7f3e1d4aa33130998b9eb084bf39a473845e4530e1b00b7b78dfbda53c132a06
    Size: 93.58 kB
  5. mod_session-2.4.6-98.7.0.1.el7.AXS7.x86_64.rpm
    MD5: b9318fff77b8dd263e0a553a1726d685
    SHA-256: de0b0223bd147570819603b862829b361f0fae3ec09f6b30dcaafd0e5d1c0123
    Size: 63.64 kB
  6. mod_ssl-2.4.6-98.7.0.1.el7.AXS7.x86_64.rpm
    MD5: ffc33d4255af6bb069b162a845f1d99c
    SHA-256: 7875495586a76a93e402527bed36c7e3fb1e9d48c9efcaf5a906db601f03a69e
    Size: 114.74 kB