httpd:2.4 security fix update

Errata ID: AXSA:2024-8401:01

Release date: 
Wednesday, June 19, 2024 - 16:33
Subject: 
httpd:2.4 security fix update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: mod_macro: out-of-bounds read vulnerability (CVE-2023-31122)
* mod_http2: reset requests exhaust memory (incomplete fix of CVE-2023-44487) (CVE-2023-45802)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-31122
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.
CVE-2023-45802
When an HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability of hitting this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Modularity name: "httpd"
Stream name: "2.4"

Solution: 

Update packages.
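
To confirm that a host has the update, the following added example (not part of the vendor's erratum) compares installed builds against the fixed builds listed under Download. It assumes the input was produced by `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' httpd mod_http2 mod_md`; the function names are hypothetical, and the comparison is a simplified form of rpm's segment ordering that ignores epochs and the `~` and `^` markers.

```python
import re

# Fixed builds, copied from this erratum's package list (name -> VERSION-RELEASE).
FIXED = {
    "httpd": "2.4.37-64.module+el8+1760+bef32e04.ML.1",
    "mod_http2": "1.15.7-10.module+el8+1760+bef32e04",
    "mod_md": "2.0.8-8.module+el8+1760+bef32e04",
}

def _segcmp(a, b):
    """Compare two version or release strings segment by segment, rpm-style."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments mean newer

def evr_cmp(a, b):
    """Compare VERSION-RELEASE strings; returns -1, 0 or 1 (epoch not considered)."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return _segcmp(va, vb) or _segcmp(ra, rb)

def audit(rpm_output):
    """Map each installed package covered by the erratum to 'ok' or 'needs update'."""
    result = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in FIXED:
            name, evr = parts
            result[name] = "ok" if evr_cmp(evr, FIXED[name]) >= 0 else "needs update"
    return result

# Constructed sample input, not taken from a real host.
SAMPLE = """\
httpd 2.4.37-62.module+el8+1657+0a1b2c3d.ML.1
mod_http2 1.15.7-10.module+el8+1760+bef32e04
package mod_md is not installed
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

Packages that rpm reports as not installed are skipped rather than flagged.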

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.37-64.module+el8+1760+bef32e04.ML.1.src.rpm
    MD5: ce78613c453ea187321392a8db1f4aab
    SHA-256: 4e90e1c1a628b7466c8b60e95f1524924980d998bfcc49ed17ab5281c9aeba68
    Size: 6.96 MB
  2. mod_http2-1.15.7-10.module+el8+1760+bef32e04.src.rpm
    MD5: 43020175274f1a081049eaf975e77ead
    SHA-256: caabedcd5046fc2dae52a6543cd3deb3b135e80ec9a93f381252e28a9492dff9
    Size: 1.02 MB
  3. mod_md-2.0.8-8.module+el8+1760+bef32e04.src.rpm
    MD5: 47b5ab6390a4e71ff94f5d535f7c3b37
    SHA-256: 32e403cd1146a4cbe83c286c8fbc7b41d6b723c8e5252566c7efa51a9f96532c
    Size: 635.32 kB

Asianux Server 8 for x86_64
  1. httpd-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
    MD5: 39629c1ecd973e7df72fe2a6305e19a4
    SHA-256: 9d666536d417b6fed4e528512a55816fe9dc7bfeb2efd257b1db77ece4f1798c
    Size: 1.41 MB
  2. httpd-debugsource-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
    MD5: 412bdf5d7c4cfe39cdbf09da78999fe9
    SHA-256: bb16ea5ce0cf7d538966a8de19309d9649c5752c6185b69d8a70bd2289055e71
    Size: 1.45 MB
  3. httpd-devel-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
    MD5: 1c693c603ad586be73b99699b1181060
    SHA-256: 1819e71481df24ed92741b5a312977e62612c7a39d72b0c16b505623d5adc8c2
    Size: 226.79 kB
  4. httpd-filesystem-2.4.37-64.module+el8+1760+bef32e04.ML.1.noarch.rpm
    MD5: 7c4fd6687d940f96a2975f5ef604b090
    SHA-256: 209cb64127663c6ed768885d5b38990842fb28e6abac625ec2b0db568771e15c
    Size: 43.28 kB
  5. httpd-manual-2.4.37-64.module+el8+1760+bef32e04.ML.1.noarch.rpm
    MD5: a5f8fe9e5ec3bc7cf69276f494a92fa1
    SHA-256: 32117ed6fa167a31c7590603df72a44a685f21d9e8faa4dd70e0c1301d46c1d2
    Size: 2.38 MB
  6. httpd-tools-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
    MD5: 36de53f1cf0e998b35e894335531ee35
    SHA-256: 8c16923f82b7b16f4f3bdddb1f0e68163ea0e3239b53122beb3ad102a971eba5
    Size: 110.16 kB
  7. mod_http2-1.15.7-10.module+el8+1760+bef32e04.x86_64.rpm
    MD5: fcca926e5d93addffc4309f21a75bbdb
    SHA-256: 5e7217692e83a043a0702d9e7b905de5d6805025457d630e9d1da49fc6513b65
    Size: 154.61 kB
  8. mod_http2-debugsource-1.15.7-10.module+el8+1760+bef32e04.x86_64.rpm
    MD5: d420d97687704a5658a047cb61ff08ba
    SHA-256: 561ce0ed35fdff249c9680d1b6aed605d9cea79e0b53c87734df711dca9fbced
    Size: 148.12 kB
  9. mod_ldap-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
    MD5: ba3eb5c63a1fa31c09b64e521ed48d4a
    SHA-256: 737bd8e2a17dc002f3ce0805db15bf7c1a534ed4012e88e6f6ca1c71f38872bc
    Size: 88.60 kB
  10. mod_md-2.0.8-8.module+el8+1760+bef32e04.x86_64.rpm
    MD5: 8186c6e3c24c26c9093d540d40ec116d
    SHA-256: 82cde8ea77110ad2bd308a9ce587608e43a7e263edcb872e1ccd395694efc6d6
    Size: 183.67 kB
  11. mod_md-debugsource-2.0.8-8.module+el8+1760+bef32e04.x86_64.rpm
    MD5: bceb31bf34858be22453b907a4553b30
    SHA-256: 8add6ad896bd273f09f55cdb995cdf07dd16f020ee9a1086913ed875ebc96be7
    Size: 126.24 kB
  12. mod_proxy_html-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
    MD5: b7b51b35e2e8993650644ce056841ea1
    SHA-256: 6232775321a2ff224c059186cb9a23c80f5e426c33355ef08de854d9daa6de87
    Size: 65.73 kB
  13. mod_session-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
    MD5: c1a45758db2774c4be3bae16a427b799
    SHA-256: a7e4110b4d4786aa9b79345e58a0c5ae62ef75f05cdf31d93b21994809fbe6c8
    Size: 77.37 kB
  14. mod_ssl-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
    MD5: c8a7812df6d7cde614b65aab23121a45
    SHA-256: b22d9c7bb8c61a26c7de0908311b5528876b4fef6dd25edd7a2b419f0f6d3a75
    Size: 140.00 kB