AXSA:2019-4336:01

Release date: 
2019/10/01 Tuesday - 12:03
Title: 
httpd24-httpd-2.4.34-8.AXS4.1, httpd24-nghttp2-1.7.1-7.AXS4.1
Affected channels: 
Asianux Server 4 for x86
Asianux Server 4 for x86_64
Severity: 
High
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)

* HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513)

* HTTP/2: request for large response leads to denial of service (CVE-2019-9517)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-9511
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9513
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
CVE-2019-9517
Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Solution: 

Update packages.
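
To confirm which hosts still need this update, installed packages can be compared against the fixed builds listed in this advisory. The following is an added example, not part of the original advisory: the sample lines are constructed in `name-version-release.arch` form, and `vercmp` is a simplified version of RPM's ordering that assumes no epoch, tilde or caret in the version strings.

```python
import re

# Fixed builds, copied from the advisory's package list: (version, release).
HTTPD, NGHTTP2 = ("2.4.34", "8.AXS4.1"), ("1.7.1", "7.AXS4.1")
FIXED = {f"httpd24-{n}": HTTPD for n in (
    "httpd", "httpd-devel", "httpd-manual", "httpd-tools",
    "mod_ldap", "mod_proxy_html", "mod_session", "mod_ssl")}
FIXED.update({f"httpd24-{n}": NGHTTP2
              for n in ("libnghttp2", "libnghttp2-devel", "nghttp2")})

def vercmp(a, b):
    """Simplified rpmvercmp (no epoch, tilde or caret): returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split 'name-version-release.arch'; None if the line has another shape."""
    nvr = line.strip().rpartition(".")[0]
    parts = nvr.rsplit("-", 2)
    return tuple(parts) if len(parts) == 3 else None

def unpatched(rpm_qa_lines):
    """Return installed packages older than the advisory's fixed builds."""
    findings = []
    for line in rpm_qa_lines:
        parsed = parse_nvra(line)
        if parsed is None or parsed[0] not in FIXED:
            continue
        name, version, release = parsed
        fixed_v, fixed_r = FIXED[name]
        if (vercmp(version, fixed_v) or vercmp(release, fixed_r)) < 0:
            findings.append(line.strip())
    return findings

# Constructed sample input in `rpm -qa` format (not real host data).
SAMPLE = [
    "httpd24-httpd-2.4.34-7.AXS4.x86_64",
    "httpd24-nghttp2-1.7.1-7.AXS4.1.x86_64",
    "httpd24-mod_ssl-2.4.34-7.AXS4.x86_64",
]

if __name__ == "__main__":
    print("\n".join("needs update: " + p for p in unpatched(SAMPLE)))
```
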

Additional information: 

N/A

Downloads: 

SRPMS
1. httpd24-httpd-2.4.34-8.AXS4.1.src.rpm
md5sum: 5c3fd14dc8b4bd9688f76ef926797d96
sha256sum: 335ff43a228202e7d91c2d6f73da7dada1e988bc0dfa9b55d4547c26981f3037
Size: 6,875 Kb
2. httpd24-nghttp2-1.7.1-7.AXS4.1.src.rpm
md5sum: c348e274bf0fb004dc80dd4175a24b22
sha256sum: 7d21802747bf91bf1962fdda3ccb1fcfbcc47136a3cc17a112efda3882b2cb9c
Size: 1,381 Kb

Asianux Server 4.0 for x86_64
1. httpd24-httpd-2.4.34-8.AXS4.1.x86_64.rpm
md5sum: bbc07c34ef4b06c7980dc153d9cd3c7a
sha256sum: e39dfb4349224bc87fae098d03633a2ea33dcbd493c6d6c55251273d0b4cffc4
Size: 1,310 Kb
2. httpd24-httpd-devel-2.4.34-8.AXS4.1.x86_64.rpm
md5sum: 419dcf61822c6ae28255fe1d4c0f5e01
sha256sum: c4e786a2dfcd142151224a7103968e42b05aa9a01c39dfdfe2fd2e25f3660e38
Size: 207 Kb
3. httpd24-httpd-manual-2.4.34-8.AXS4.1.noarch.rpm
md5sum: 767679bedb090cdc08b1da160472667b
sha256sum: 573852b7f2ab8ad94408d525f90af4ef994f3bf9277bb7c263bd5fe55ca39752
Size: 2,458 Kb
4. httpd24-httpd-tools-2.4.34-8.AXS4.1.x86_64.rpm
md5sum: d5f9e4909006860eb8794702fd83092b
sha256sum: 1ff94c48d122cfccfbec4401c026736fac41ff3327c18f4111d2b47e3d987530
Size: 83 Kb
5. httpd24-mod_ldap-2.4.34-8.AXS4.1.x86_64.rpm
md5sum: ce7bdc0c125b245fb93b25c9ef55910b
sha256sum: 466d0a9b17125158e39a67d3928e7131aa2a3177c948b0206d3e3bd7a9c4554e
Size: 66 Kb
6. httpd24-mod_proxy_html-2.4.34-8.AXS4.1.x86_64.rpm
md5sum: d6cb9f198ef61eb40990310afef2e71e
sha256sum: d987030fc484213a47de6414125cd7d70561b27206ad07d4a8960da0f0d79886
Size: 44 Kb
7. httpd24-mod_session-2.4.34-8.AXS4.1.x86_64.rpm
md5sum: 3994fa273508e6cde1bb0c656f4e02fa
sha256sum: 18a745deaeb3c9f824384be606b57bf9e3f3a2964bb67fa729c26bee472164c3
Size: 52 Kb
8. httpd24-mod_ssl-2.4.34-8.AXS4.1.x86_64.rpm
md5sum: 0d7eadd0793ebfb8212925d5c7ef4751
sha256sum: 7f477488e174373df02e4919d53df44423228625600b781d50e15ac15811dadd
Size: 108 Kb
9. httpd24-libnghttp2-1.7.1-7.AXS4.1.x86_64.rpm
md5sum: 7b2d55af405968fbb6a5e7aaa611048d
sha256sum: b5d56d48db5b7e606a17ed06787576ce3da38970ca92398df4c6334c515e7fe8
Size: 56 Kb
10. httpd24-libnghttp2-devel-1.7.1-7.AXS4.1.x86_64.rpm
md5sum: eee5c490d86ece00a3e6d57bce895d90
sha256sum: c2335706e287d426ba1a371336a07df01f419d7ac45e741416324e33574596b2
Size: 45 Kb
11. httpd24-nghttp2-1.7.1-7.AXS4.1.x86_64.rpm
md5sum: 0faf66b4774b966ff068f7c4de2a6e0d
sha256sum: f15c9ebb67ae7cd3a9144b598835b89c72f51d92193935d64c7c0b50cc3fc14b
Size: 4 Kb