httpd-2.4.57-11.el9_4

Errata ID: AXSA:2024-8602:02

Release date: Friday, July 26, 2024 - 18:35
Subject: httpd-2.4.57-11.el9_4
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: Improper escaping of output in mod_rewrite (CVE-2024-38475)
* httpd: Substitution encoding issue in mod_rewrite (CVE-2024-38474)
* httpd: null pointer dereference in mod_proxy (CVE-2024-38477)
* httpd: Potential SSRF in mod_rewrite (CVE-2024-39573)
* httpd: Encoding problem in mod_proxy (CVE-2024-38473)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-38473
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
CVE-2024-38474
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to disclose the source of scripts meant only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless the rewrite flag "UnsafeAllow3F" is specified.
CVE-2024-38475
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally or directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change; the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been verified to be appropriately constrained.
CVE-2024-38477
Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
CVE-2024-39573
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
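The CVE-2024-38475 entry above states that substitutions whose first segment is a backreference or a variable are the affected shape, and that the UnsafePrefixStat flag opts a rule back in after its substitution has been constrained. The shell script below is an added example, not part of this errata and not Apache project code: it lists RewriteRule lines of that shape that do not already carry UnsafePrefixStat, so an administrator can review them before or after applying the update. The function names and the sample configuration it writes are constructed for this example; the script does not distinguish server context from directory context, so every hit is a candidate for manual review rather than a confirmed problem.

```shell
#!/bin/sh
# Added example (not from the errata or the Apache project): list RewriteRule
# directives whose substitution starts with a backreference ($N), a
# RewriteCond backreference (%N) or a variable (%{...}) and that do not
# already carry the UnsafePrefixStat flag.

# audit_rewrite_rules FILE -> prints "LINE: text" for each candidate rule
audit_rewrite_rules() {
    awk '
        # Skip comment lines and anything that is not a RewriteRule.
        /^[ \t]*#/ { next }
        $1 != "RewriteRule" { next }
        {
            subst = $3
            # Drop surrounding double quotes from the substitution argument.
            gsub(/^"|"$/, "", subst)
            # First segment must begin with $N, %N or %{VAR} to be a candidate.
            if (subst !~ /^(\$[0-9]|%[0-9]|%[{])/) next
            # Rules that already opt in explicitly are skipped.
            if ($0 ~ /UnsafePrefixStat/) next
            printf "%d: %s\n", NR, $0
        }
    ' "$1"
}

# count_rewrite_candidates FILE -> prints the number of candidate rules
count_rewrite_candidates() {
    audit_rewrite_rules "$1" | wc -l | tr -d ' '
}

# write_sample_config FILE -> writes a constructed sample (not a real server
# configuration) that exercises each branch of the audit.
write_sample_config() {
    cat > "$1" <<'EOF'
RewriteEngine On
RewriteRule "^/img/(.*)$" "/var/www/static/$1"
RewriteRule "^/old/(.*)$" "$1" [L]
RewriteCond %{HTTP_HOST} ^(.+)$
RewriteRule "^/host/(.*)$" "%1/$1" [L]
RewriteRule "^/opted/(.*)$" "$1" [L,UnsafePrefixStat]
RewriteRule ^/env/(.*)$ %{ENV:BASE}/$1 [L]
EOF
}

# Usage: audit.sh [CONFIG_FILE]; with no argument the constructed sample is used.
if [ -n "$1" ]; then
    audit_rewrite_rules "$1"
else
    sample=$(mktemp)
    write_sample_config "$sample"
    echo "Candidates in constructed sample ($(count_rewrite_candidates "$sample")):"
    audit_rewrite_rules "$sample"
    rm -f "$sample"
fi
```

On the constructed sample the audit reports three lines (the `$1`, `%1/$1` and `%{ENV:BASE}/$1` substitutions) and skips the literal `/var/www/static/$1` substitution and the rule already flagged UnsafePrefixStat. Run it over each file that `httpd -t -D DUMP_INCLUDES` lists to cover included configuration.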

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.57-11.el9_4.src.rpm
    MD5: 28f83b86de7c00d2ce3c3252ae8e8505
    SHA-256: 107c65f372223c6c2177368cd66bfd016e570101dbf45c8d139cd8b163eb9749
    Size: 7.60 MB

Asianux Server 9 for x86_64
  1. httpd-2.4.57-11.el9_4.x86_64.rpm
    MD5: 0ad0b83a0d22e3e21209f074b8300844
    SHA-256: d18b34b746af1b468d16374fe5b9b6fae13566c6f479304e954c76d235301a3d
    Size: 50.17 kB
  2. httpd-core-2.4.57-11.el9_4.x86_64.rpm
    MD5: 1496ec1e5604a5d457f926c7b89452ab
    SHA-256: e7c93035a7e36e295e5fea35b7980d88d6b5d7029d389f5440aa770cb7e2ab66
    Size: 1.47 MB
  3. httpd-devel-2.4.57-11.el9_4.x86_64.rpm
    MD5: b44aae1ef2ebcad482396fe2388d1769
    SHA-256: 6aae0b1dc04252d9241056633af271d0851920a53246548194562dfc01ecc903
    Size: 208.81 kB
  4. httpd-filesystem-2.4.57-11.el9_4.noarch.rpm
    MD5: a409ce7c05326bc89925737b8819829a
    SHA-256: 0d6ac12a64f1ccdadbe45c7b08b7960684a2800b2da6f1432f03c495627de181
    Size: 11.01 kB
  5. httpd-manual-2.4.57-11.el9_4.noarch.rpm
    MD5: db33963c22f812ccf0d5be98d9519fb9
    SHA-256: 97e888c74383bc7062c5d623738dbd9cb53a8f7753efafe2bda63196a9264049
    Size: 2.29 MB
  6. httpd-tools-2.4.57-11.el9_4.x86_64.rpm
    MD5: f096bcee106f3330f72ae47190a6f8ff
    SHA-256: 9a15fffe29ee4f50e9819c443063f01246863609a17f38b083302a2c5547d8ab
    Size: 83.88 kB
  7. mod_ldap-2.4.57-11.el9_4.x86_64.rpm
    MD5: 994edf287e5ce8d4818ca55af1692e66
    SHA-256: 31ca99160210a325526d397148767f9dbd0301704fbc8c8ef5d85ba28bcb5e2c
    Size: 59.47 kB
  8. mod_lua-2.4.57-11.el9_4.x86_64.rpm
    MD5: 9865502e1e2eee1ef64f2a3f0f2c3882
    SHA-256: 5d3dda625f3fbce8cc84fc38bf129618bf36a41122f271398ea9d1fec06734ca
    Size: 58.50 kB
  9. mod_proxy_html-2.4.57-11.el9_4.x86_64.rpm
    MD5: 244f81fd1f6cb67eaaaee899241f210a
    SHA-256: eee1fafe84d6f2c0a0134f05698f67f7a553d46c194c0449a11372f5372eb062
    Size: 34.21 kB
  10. mod_session-2.4.57-11.el9_4.x86_64.rpm
    MD5: 03b8850fe9e45fb818cfd0d2c5d35ae7
    SHA-256: 0d95fb13b8329b6acebab7f62fa0d3edb5a9354d210e67ad262fced9c0af6426
    Size: 46.36 kB
  11. mod_ssl-2.4.57-11.el9_4.x86_64.rpm
    MD5: 6f03ff8b826aeda66d9a8c06071992ef
    SHA-256: 765d98204bcb72e3396b9101f35011facec3626528c946e90d66ec18a1af26bb
    Size: 108.22 kB
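As an added example that is not part of this errata, the shell script below checks whether an installed httpd version-release is at or above the fixed build 2.4.57-11.el9_4 and verifies a downloaded RPM against the SHA-256 published above for httpd-2.4.57-11.el9_4.x86_64.rpm. The function names and the sample version strings are this example's own; the rpm query assumes an RPM-based host, and the hash check assumes sha256sum or shasum is available.

```shell
#!/bin/sh
# Added example (not from the errata): compare an httpd version-release
# against the fixed build and verify a downloaded RPM's SHA-256.

FIXED_EVR="2.4.57-11.el9_4"
# SHA-256 of httpd-2.4.57-11.el9_4.x86_64.rpm as listed in the Download section.
HTTPD_RPM_SHA256="d18b34b746af1b468d16374fe5b9b6fae13566c6f479304e954c76d235301a3d"

# evr_ge A B -> exit 0 if A >= B. Fields are split on '.', '-' and '_' and
# compared numerically when both are numbers, as strings otherwise; a missing
# trailing field sorts below a present one (so el9 < el9_4).
evr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[._-]/); nb = split(b, B, /[._-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) exit 1
            if (x > y) exit 0
        }
        exit 0
    }'
}

# httpd_is_fixed INSTALLED_EVR -> 0 if the build is at or above FIXED_EVR
httpd_is_fixed() {
    evr_ge "$1" "$FIXED_EVR"
}

# installed_httpd_evr -> prints VERSION-RELEASE of the installed httpd package
# (requires rpm; only meaningful on the target host)
installed_httpd_evr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file hashes to EXPECTED_HEX
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# Demo: version comparison on sample strings, then an optional hash check on
# a downloaded RPM passed as $1 against the errata value.
for evr in 2.4.57-8.el9 2.4.57-11.el9_4 2.4.60-1.el9; do
    if httpd_is_fixed "$evr"; then
        echo "httpd $evr: at or above $FIXED_EVR"
    else
        echo "httpd $evr: below $FIXED_EVR, update needed"
    fi
done
if [ -n "$1" ]; then
    if verify_sha256 "$1" "$HTTPD_RPM_SHA256"; then
        echo "$1: SHA-256 matches the errata"
    else
        echo "$1: SHA-256 MISMATCH, do not install"
    fi
fi
```

On a MIRACLE LINUX 9 host, `httpd_is_fixed "$(installed_httpd_evr)"` answers whether this errata is already applied; the hash check is the step to run on each downloaded package before installing it.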