httpd-2.4.6-45.4.0.1.el7.AXS7

エラータID: AXSA:2017-1628:01

Release date: 
Friday, April 21, 2017 - 18:11
Subject: 
httpd-2.4.6-45.4.0.1.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

The Apache HTTP Server is a powerful, efficient, and extensible
web server.

Security issues fixed with this release:

CVE-2016-0736
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-2161
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-8743
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Fixed bugs:

* When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs.
* Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs.
* In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails.

Solution: 

Update package.

CVEs: 
CVE-2016-0736
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
CVE-2016-2161
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
CVE-2016-8743
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.6-45.4.0.1.el7.AXS7.src.rpm
    MD5: 05bf6bd4cc9d6ea061e0a8fc4ce13735
    SHA-256: c4224cb399848fc27cffb8a14f53ba5470d37380f7e2f1fb3d96fee3f37ae999
    Size: 4.90 MB

Asianux Server 7 for x86_64
  1. httpd-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
    MD5: 93f90dcbb8388a8d1255c3c2c2213f30
    SHA-256: 0e916325650ce4a301a076ad21ab396cd44e6eff29fad64429c6dc7e77eb900d
    Size: 1.18 MB
  2. httpd-devel-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
    MD5: a9c44f624be1599198c745259bbda92c
    SHA-256: 94cf82320ebe35383116ddbbf8990041e1352dcde3de4f849ebe63f6ec3594b0
    Size: 188.85 kB
  3. httpd-manual-2.4.6-45.4.0.1.el7.AXS7.noarch.rpm
    MD5: 4fbe1074137b8c3ec27fe8cab611ccf1
    SHA-256: 00eb7563cdb3ce35fd856f0a349932bddaf9af2dad1cb8f20b2e9daeae46fe1c
    Size: 1.33 MB
  4. httpd-tools-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
    MD5: 925ddaed03f1cf640ddae437573ff3d6
    SHA-256: b647e6663b240ef6091fd0e8fd63f233ce3053965e76efa0e5aebc3810b331b4
    Size: 83.37 kB
  5. mod_ssl-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
    MD5: 0383dfd74e24a2c9793f17affbbdabd3
    SHA-256: 99fa5d24f0310212802fff9ce277e878196e95ab6f294f68456d9d3989cc3dd2
    Size: 104.33 kB