httpd-2.4.6-45.4.0.1.el7.AXS7
エラータID: AXSA:2017-1628:01
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
Security issues fixed with this release:
CVE-2016-0736
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-2161
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-8743
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
Fixed bugs:
* When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs.
* Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs.
* In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails.
Update package.
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
N/A
SRPMS
- httpd-2.4.6-45.4.0.1.el7.AXS7.src.rpm
MD5: 05bf6bd4cc9d6ea061e0a8fc4ce13735
SHA-256: c4224cb399848fc27cffb8a14f53ba5470d37380f7e2f1fb3d96fee3f37ae999
Size: 4.90 MB
Asianux Server 7 for x86_64
- httpd-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
MD5: 93f90dcbb8388a8d1255c3c2c2213f30
SHA-256: 0e916325650ce4a301a076ad21ab396cd44e6eff29fad64429c6dc7e77eb900d
Size: 1.18 MB - httpd-devel-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
MD5: a9c44f624be1599198c745259bbda92c
SHA-256: 94cf82320ebe35383116ddbbf8990041e1352dcde3de4f849ebe63f6ec3594b0
Size: 188.85 kB - httpd-manual-2.4.6-45.4.0.1.el7.AXS7.noarch.rpm
MD5: 4fbe1074137b8c3ec27fe8cab611ccf1
SHA-256: 00eb7563cdb3ce35fd856f0a349932bddaf9af2dad1cb8f20b2e9daeae46fe1c
Size: 1.33 MB - httpd-tools-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
MD5: 925ddaed03f1cf640ddae437573ff3d6
SHA-256: b647e6663b240ef6091fd0e8fd63f233ce3053965e76efa0e5aebc3810b331b4
Size: 83.37 kB - mod_ssl-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
MD5: 0383dfd74e24a2c9793f17affbbdabd3
SHA-256: 99fa5d24f0310212802fff9ce277e878196e95ab6f294f68456d9d3989cc3dd2
Size: 104.33 kB