httpd-2.4.53-7.el9.5, mod_http2-1.15.19-3.el9.5
Errata ID: AXSA:2023-5276:01
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
* httpd: HTTP request splitting with mod_rewrite and mod_proxy (CVE-2023-25690)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-25690
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
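The following is an added example, not part of the advisory or of the Apache project's code: a Python audit that scans httpd configuration text for the pattern described above, a proxied RewriteRule or a ProxyPassMatch whose broad capture group is re-inserted into the proxied target. The function name audit, the ".*" / ".+" heuristic for "non-specific", and every sample rule other than the advisory's own are assumptions.

```python
import re

# Splits an httpd directive line into double-quoted strings and bare words.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
# Heuristic (assumption): a "non-specific" capture group contains an unescaped .* or .+
BROAD_GROUP = re.compile(r"\((?!\?)[^()]*(?<!\\)\.[*+][^()]*\)")
# Back-reference such as $1 or ${1} in the proxied request-target.
BACKREF = re.compile(r"\$\{?\d")


def audit(config_text):
    """Return (line_number, directive, pattern) for each proxy mapping to review."""
    findings = []
    # Backslash-continued lines are not joined; each physical line is one directive.
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [quoted or bare for quoted, bare in TOKEN.findall(line)]
        name = parts[0].lower()
        if name == "rewriterule" and len(parts) >= 4:
            # Flags look like [P], [NC,P] or [proxy]; only proxied rules matter here.
            flags = {f.split("=")[0].strip().lower()
                     for f in "".join(parts[3:]).strip("[]").split(",")}
            proxied = bool(flags & {"p", "proxy"})
        elif name == "proxypassmatch" and len(parts) >= 3:
            proxied = True
        else:
            continue
        pattern, target = parts[1], parts[2]
        if proxied and BROAD_GROUP.search(pattern) and BACKREF.search(target):
            findings.append((number, parts[0], pattern))
    return findings


# First rule is the advisory's example; the other rules are constructed for contrast.
SAMPLE_CONF = r'''RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/item/([0-9]+)$" "http://example.com:8080/item?id=$1" [P,L]
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
ProxyPassMatch "^/img/(.*\.gif)$" "http://example.com:8080/static/$1"
'''

if __name__ == "__main__":
    for number, directive, pattern in audit(SAMPLE_CONF):
        print(f"line {number}: {directive} re-inserts broad capture {pattern!r}")
```

Findings are candidates for manual review of the listed rules, not proof that a server is exploitable; the advisory's remedy remains updating the packages.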
Update packages.
N/A
SRPMS
- httpd-2.4.53-7.el9.5.src.rpm
Size: 7.56 MB
- mod_http2-1.15.19-3.el9.5.src.rpm
Size: 1.02 MB
Asianux Server 9 for x86_64
- httpd-2.4.53-7.el9.5.x86_64.rpm
Size: 46.95 kB
- httpd-core-2.4.53-7.el9.5.x86_64.rpm
Size: 1.35 MB
- httpd-devel-2.4.53-7.el9.5.x86_64.rpm
Size: 192.01 kB
- httpd-filesystem-2.4.53-7.el9.5.noarch.rpm
Size: 13.81 kB
- httpd-manual-2.4.53-7.el9.5.noarch.rpm
Size: 2.23 MB
- httpd-tools-2.4.53-7.el9.5.x86_64.rpm
Size: 81.15 kB
- mod_http2-1.15.19-3.el9.5.x86_64.rpm
Size: 148.36 kB
- mod_ldap-2.4.53-7.el9.5.x86_64.rpm
Size: 61.87 kB
- mod_lua-2.4.53-7.el9.5.x86_64.rpm
Size: 61.17 kB
- mod_proxy_html-2.4.53-7.el9.5.x86_64.rpm
Size: 36.73 kB
- mod_session-2.4.53-7.el9.5.x86_64.rpm
Size: 48.61 kB
- mod_ssl-2.4.53-7.el9.5.x86_64.rpm
Size: 110.23 kB