AXSA:2019-4336:01

リリース日: 
2019/10/01 Tuesday - 12:03
題名: 
httpd24-httpd-2.4.34-8.AXS4.1, httpd24-nghttp2-1.7.1-7.AXS4.1
影響のあるチャネル: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)

* HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513)

* HTTP/2: request for large response leads to denial of service (CVE-2019-9517)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-9511
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9513
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
CVE-2019-9517
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

解決策: 

Update packages.

追加情報: 

N/A

ダウンロード: 

SRPMS
  1. httpd24-httpd-2.4.34-8.AXS4.1.src.rpm
    MD5: 5c3fd14dc8b4bd9688f76ef926797d96
    SHA-256: 335ff43a228202e7d91c2d6f73da7dada1e988bc0dfa9b55d4547c26981f3037
    Size: 6.71 MB
  2. httpd24-nghttp2-1.7.1-7.AXS4.1.src.rpm
    MD5: c348e274bf0fb004dc80dd4175a24b22
    SHA-256: 7d21802747bf91bf1962fdda3ccb1fcfbcc47136a3cc17a112efda3882b2cb9c
    Size: 1.35 MB

Asianux Server 4 for x86_64
  1. httpd24-httpd-2.4.34-8.AXS4.1.x86_64.rpm
    MD5: bbc07c34ef4b06c7980dc153d9cd3c7a
    SHA-256: e39dfb4349224bc87fae098d03633a2ea33dcbd493c6d6c55251273d0b4cffc4
    Size: 1.28 MB
  2. httpd24-httpd-devel-2.4.34-8.AXS4.1.x86_64.rpm
    MD5: 419dcf61822c6ae28255fe1d4c0f5e01
    SHA-256: c4e786a2dfcd142151224a7103968e42b05aa9a01c39dfdfe2fd2e25f3660e38
    Size: 207.29 kB
  3. httpd24-httpd-manual-2.4.34-8.AXS4.1.noarch.rpm
    MD5: 767679bedb090cdc08b1da160472667b
    SHA-256: 573852b7f2ab8ad94408d525f90af4ef994f3bf9277bb7c263bd5fe55ca39752
    Size: 2.40 MB
  4. httpd24-httpd-tools-2.4.34-8.AXS4.1.x86_64.rpm
    MD5: d5f9e4909006860eb8794702fd83092b
    SHA-256: 1ff94c48d122cfccfbec4401c026736fac41ff3327c18f4111d2b47e3d987530
    Size: 82.58 kB
  5. httpd24-mod_ldap-2.4.34-8.AXS4.1.x86_64.rpm
    MD5: ce7bdc0c125b245fb93b25c9ef55910b
    SHA-256: 466d0a9b17125158e39a67d3928e7131aa2a3177c948b0206d3e3bd7a9c4554e
    Size: 65.70 kB
  6. httpd24-mod_proxy_html-2.4.34-8.AXS4.1.x86_64.rpm
    MD5: d6cb9f198ef61eb40990310afef2e71e
    SHA-256: d987030fc484213a47de6414125cd7d70561b27206ad07d4a8960da0f0d79886
    Size: 44.38 kB
  7. httpd24-mod_session-2.4.34-8.AXS4.1.x86_64.rpm
    MD5: 3994fa273508e6cde1bb0c656f4e02fa
    SHA-256: 18a745deaeb3c9f824384be606b57bf9e3f3a2964bb67fa729c26bee472164c3
    Size: 51.58 kB
  8. httpd24-mod_ssl-2.4.34-8.AXS4.1.x86_64.rpm
    MD5: 0d7eadd0793ebfb8212925d5c7ef4751
    SHA-256: 7f477488e174373df02e4919d53df44423228625600b781d50e15ac15811dadd
    Size: 107.94 kB
  9. httpd24-libnghttp2-1.7.1-7.AXS4.1.x86_64.rpm
    MD5: 7b2d55af405968fbb6a5e7aaa611048d
    SHA-256: b5d56d48db5b7e606a17ed06787576ce3da38970ca92398df4c6334c515e7fe8
    Size: 56.43 kB
  10. httpd24-libnghttp2-devel-1.7.1-7.AXS4.1.x86_64.rpm
    MD5: eee5c490d86ece00a3e6d57bce895d90
    SHA-256: c2335706e287d426ba1a371336a07df01f419d7ac45e741416324e33574596b2
    Size: 44.78 kB
  11. httpd24-nghttp2-1.7.1-7.AXS4.1.x86_64.rpm
    MD5: 0faf66b4774b966ff068f7c4de2a6e0d
    SHA-256: f15c9ebb67ae7cd3a9144b598835b89c72f51d92193935d64c7c0b50cc3fc14b
    Size: 3.70 kB
Copyright© 2007-2015 Asianux. All rights reserved.