httpd-2.4.6-67.5.0.1.el7.AXS7

Errata ID: AXSA:2017-2357:03

Release date: Wednesday, October 25, 2017 - 10:38
Subject: httpd-2.4.6-67.5.0.1.el7.AXS7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and
extensible web server.

Security Fix(es):

* A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause an httpd child process to crash. (CVE-2017-9798)

Asianux would like to thank Hanno Böck for reporting this issue.

CVE-2017-9798
Apache httpd allows remote attackers to read secret data from process
memory if the Limit directive can be set in a user's .htaccess file, or
if httpd.conf has certain misconfigurations, aka Optionsbleed. This
affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27.
The attacker sends an unauthenticated OPTIONS HTTP request when
attempting to read secret data. This is a use-after-free issue and thus
secret data is not always sent, and the specific data depends on many
factors including configuration. Exploitation with .htaccess can be
blocked with a patch to the ap_limit_section function in server/core.c.
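
A configuration audit for hosts still awaiting the update, added here as an example and not part of the Asianux advisory: it scans .htaccess files for Limit sections that name methods outside the documented set, the condition the description above ties to CVE-2017-9798. The function names, the method allow-list (taken from the Apache Limit directive documentation) and the sample input are assumptions of this example.

```python
import re
from pathlib import Path

# Method names the Apache documentation lists for <Limit> (case-sensitive).
# Assumption: anything else is a candidate for review, not proof of exposure.
KNOWN_METHODS = frozenset(
    "GET POST PUT DELETE CONNECT OPTIONS PATCH PROPFIND PROPPATCH "
    "MKCOL COPY MOVE LOCK UNLOCK".split()
)

# Directive names are case-insensitive; <LimitExcept> is assumed to parse alike.
LIMIT_RE = re.compile(r"^\s*<(Limit(?:Except)?)\s+([^>]*)>", re.IGNORECASE)


def audit_text(text):
    """Return (line_no, directive, unknown_methods) for each suspect line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        # Skip comment lines and lines that do not open a Limit section.
        if line.lstrip().startswith("#") or not (match := LIMIT_RE.match(line)):
            continue
        unknown = [m for m in match.group(2).split() if m not in KNOWN_METHODS]
        if unknown:
            findings.append((line_no, match.group(1), unknown))
    return findings


def audit_tree(root, filename=".htaccess"):
    """Scan every per-directory config file under root; return {path: findings}."""
    report = {}
    for path in Path(root).rglob(filename):
        hits = audit_text(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample .htaccess content (not taken from the advisory).
SAMPLE = """\
<Limit GET POST>
  Require valid-user
</Limit>
<Limit abcxyz>
</Limit>
<limit get PUT>
</limit>
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE):
        print(finding)
```

Point `audit_tree` at each document root; if the server sets a different AccessFileName, pass that name as `filename`.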

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.6-67.5.0.1.el7.AXS7.src.rpm
    MD5: e684021e680cab27a3e6ebbad7a5d7e9
    SHA-256: 9702c40b51978766d86e5a851fb5d798116414d8fed893498d37839b3038cb2f
    Size: 4.92 MB

Asianux Server 7 for x86_64
  1. httpd-2.4.6-67.5.0.1.el7.AXS7.x86_64.rpm
    MD5: 79ed27732e6d99539488443ce039e1d1
    SHA-256: 53e2a161fc71af7fe134f103bd89978354f75fa5c8727e5ad4e5c0a1041e819f
    Size: 1.18 MB
  2. httpd-devel-2.4.6-67.5.0.1.el7.AXS7.x86_64.rpm
    MD5: 652e4e620f1cc7260a12e8d5b062633a
    SHA-256: 4aefcdbb684426278c81aa33f26d2297348bfc2047a801f82a0911f24bb0cd52
    Size: 192.91 kB
  3. httpd-manual-2.4.6-67.5.0.1.el7.AXS7.noarch.rpm
    MD5: 4cc383d419292560ecf48a1a31312840
    SHA-256: 30cfee6b3cd8b806347147dbcf15ad9f3f7d0ca593e513aca465fac90fd7c8ff
    Size: 1.34 MB
  4. httpd-tools-2.4.6-67.5.0.1.el7.AXS7.x86_64.rpm
    MD5: a1452071496a5fd474b721cb42a34525
    SHA-256: 754b9eba6ff1f834e6bea5c44f2f699852a4bd130f279ffea08b263e995ea2fd
    Size: 86.84 kB
  5. mod_session-2.4.6-67.5.0.1.el7.AXS7.x86_64.rpm
    MD5: 6c1f1d1f6bcce91a932afeb028c5cc52
    SHA-256: dca788fb2a244989274518a19b55ad61d7531d5ff97d332e31e17f92bd3e8b10
    Size: 57.11 kB
  6. mod_ssl-2.4.6-67.5.0.1.el7.AXS7.x86_64.rpm
    MD5: be74f5f799ef7bb67b02e7045534c962
    SHA-256: bbe51261fb1832f4eb8c15cf889ba9dbe3e33f4d852add07c185de06883a2e1d
    Size: 108.16 kB