httpd-2.4.6-67.5.0.1.el7.AXS7
Errata ID: AXSA:2017-2357:03
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and
extensible web server.
Security Fix(es):
* A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause an httpd child process to crash. (CVE-2017-9798)
Asianux would like to thank Hanno Böck for reporting this issue.
CVE-2017-9798
Apache httpd allows remote attackers to read secret data from process
memory if the Limit directive can be set in a user's .htaccess file, or
if httpd.conf has certain misconfigurations, aka Optionsbleed. This
affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27.
The attacker sends an unauthenticated OPTIONS HTTP request when
attempting to read secret data. This is a use-after-free issue and thus
secret data is not always sent, and the specific data depends on many
factors including configuration. Exploitation with .htaccess can be
blocked with a patch to the ap_limit_section function in server/core.c.
Update packages.
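An audit helper for the condition described above, added here as an example (it is not part of this advisory or of httpd): it lists .htaccess files whose Limit sections name methods outside a baseline set. The `REGISTERED` set, the function names and the sample content are assumptions made for illustration; `<LimitExcept>` is matched as well, on the assumption that it is parsed the same way as `<Limit>`.

```python
import os
import re

# Assumed baseline of method names httpd registers at startup (core + WebDAV);
# adjust it to match your build and loaded modules.
REGISTERED = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK",
    "UNLOCK", "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE",
    "LABEL", "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
}

# Opening <Limit ...> or <LimitExcept ...> tag; directive names are case-insensitive.
LIMIT_RE = re.compile(r"^\s*<\s*Limit(?:Except)?\s+([^>#]*)>", re.IGNORECASE)


def unregistered_limit_methods(text):
    """Return (line_number, method) for each Limit method outside REGISTERED.

    Method names are compared case-sensitively, so "get" is reported.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LIMIT_RE.match(line)
        if m:
            findings += [(lineno, meth) for meth in m.group(1).split()
                         if meth not in REGISTERED]
    return findings


def scan_tree(root):
    """Walk root and map each .htaccess path to its findings (if any)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = unregistered_limit_methods(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample .htaccess content, not taken from any real server.
SAMPLE = """\
<Limit GET POST>
  Require all granted
</Limit>
<Limit abcxyz get>
  Require valid-user
</Limit>
"""
```

Run `scan_tree()` over each document root where `AllowOverride` lets users supply .htaccess files; any reported file is worth reviewing on hosts that have not yet received the updated packages.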
N/A
SRPMS
- httpd-2.4.6-67.5.0.1.el7.AXS7.src.rpm
MD5: e684021e680cab27a3e6ebbad7a5d7e9
SHA-256: 9702c40b51978766d86e5a851fb5d798116414d8fed893498d37839b3038cb2f
Size: 4.92 MB
Asianux Server 7 for x86_64
- httpd-2.4.6-67.5.0.1.el7.AXS7.x86_64.rpm
MD5: 79ed27732e6d99539488443ce039e1d1
SHA-256: 53e2a161fc71af7fe134f103bd89978354f75fa5c8727e5ad4e5c0a1041e819f
Size: 1.18 MB
- httpd-devel-2.4.6-67.5.0.1.el7.AXS7.x86_64.rpm
MD5: 652e4e620f1cc7260a12e8d5b062633a
SHA-256: 4aefcdbb684426278c81aa33f26d2297348bfc2047a801f82a0911f24bb0cd52
Size: 192.91 kB
- httpd-manual-2.4.6-67.5.0.1.el7.AXS7.noarch.rpm
MD5: 4cc383d419292560ecf48a1a31312840
SHA-256: 30cfee6b3cd8b806347147dbcf15ad9f3f7d0ca593e513aca465fac90fd7c8ff
Size: 1.34 MB
- httpd-tools-2.4.6-67.5.0.1.el7.AXS7.x86_64.rpm
MD5: a1452071496a5fd474b721cb42a34525
SHA-256: 754b9eba6ff1f834e6bea5c44f2f699852a4bd130f279ffea08b263e995ea2fd
Size: 86.84 kB
- mod_session-2.4.6-67.5.0.1.el7.AXS7.x86_64.rpm
MD5: 6c1f1d1f6bcce91a932afeb028c5cc52
SHA-256: dca788fb2a244989274518a19b55ad61d7531d5ff97d332e31e17f92bd3e8b10
Size: 57.11 kB
- mod_ssl-2.4.6-67.5.0.1.el7.AXS7.x86_64.rpm
MD5: be74f5f799ef7bb67b02e7045534c962
SHA-256: bbe51261fb1832f4eb8c15cf889ba9dbe3e33f4d852add07c185de06883a2e1d
Size: 108.16 kB