AXSA:2019-4337:01

Release date: 
2019/10/01 Tuesday - 12:04
Title: 
httpd24-httpd-2.4.34-8.el7.1, httpd24-nghttp2-1.7.1-7.el7.1
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)

* HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513)

* HTTP/2: request for large response leads to denial of service (CVE-2019-9517)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-9511
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9513
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
CVE-2019-9517
Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Solution: 

Update packages.

Additional information: 

N/A

Download: 

SRPMS
  1. httpd24-httpd-2.4.34-8.el7.1.src.rpm
    MD5: 87c4413110a723877ccaa729c558ec9f
    SHA-256: 27df15d59fe64a023b03ccd5aac287b709f7a9bd341f9e1400d1e7253baafcea
    Size: 6.71 MB
  2. httpd24-nghttp2-1.7.1-7.el7.1.src.rpm
    MD5: efabdb85d6d9998ad9f7d92d9b1a25b5
    SHA-256: ab494cce82721195b65ae00ccafa604e05dff2b4e4547dc05f187771f2ade58e
    Size: 1.35 MB

Asianux Server 7 for x86_64
  1. httpd24-httpd-2.4.34-8.el7.1.x86_64.rpm
    MD5: dc65b0de2ed5db787035be0b440dd1a2
    SHA-256: 2da41025fbae5372b1f9e505782120e94920c5eabf141d8dcab9c56d10d3b634
    Size: 1.46 MB
  2. httpd24-httpd-devel-2.4.34-8.el7.1.x86_64.rpm
    MD5: 7029e496c5616a5f1bc54aa6c9c19b61
    SHA-256: 6788251b925fe1b72b8d45a84c66dc20ebb41abe444aa154c7ca9c8cb735fe39
    Size: 204.64 kB
  3. httpd24-httpd-manual-2.4.34-8.el7.1.noarch.rpm
    MD5: 90943a0e4406504f99cb032ec210185f
    SHA-256: 259f4e5ea83924d26d2a775b13321fe114348c1936cb37f1ea6fee51733e0b60
    Size: 2.35 MB
  4. httpd24-httpd-tools-2.4.34-8.el7.1.x86_64.rpm
    MD5: be57d7eb1c25508b74941c6b1fe02a08
    SHA-256: 68362fd2f149bc4bce76210789b0cb1e1d1f86bccf130bde55e19ad276716397
    Size: 87.66 kB
  5. httpd24-mod_ldap-2.4.34-8.el7.1.x86_64.rpm
    MD5: cc45bed244830a6ccdf6de4b51a9dfa8
    SHA-256: 364fad0f8dc83b807a9320d49af4b543333ececb31fb7216d53d8f0bbede3775
    Size: 68.05 kB
  6. httpd24-mod_md-2.4.34-8.el7.1.x86_64.rpm
    MD5: a7410df62dc57cab560dba06188e45d7
    SHA-256: 9c89211c22dc4406e48f298d2f9485d126a5baf89354c3a18ac846d0fb8ee2af
    Size: 107.05 kB
  7. httpd24-mod_proxy_html-2.4.34-8.el7.1.x86_64.rpm
    MD5: a1308fb24de19d1a7de88d56a410e2f1
    SHA-256: 43ecd1af2336dedd189542f69544611323c7792241df9776b6a14c27aa23168f
    Size: 46.21 kB
  8. httpd24-mod_session-2.4.34-8.el7.1.x86_64.rpm
    MD5: 177d75e580be67e56036417f861c5e6a
    SHA-256: 163e1112c39d0de283286b07eaac734db265a672b306850323576a9558ced2c7
    Size: 56.86 kB
  9. httpd24-mod_ssl-2.4.34-8.el7.1.x86_64.rpm
    MD5: 0af4985c76d448ab165474f8ee5461a4
    SHA-256: ce63a9d4ee1cf90d5fa20be0f8982b8a2ba7ce1b8ce2e9bc8ef5c419ed4ae9d0
    Size: 112.33 kB
  10. httpd24-libnghttp2-1.7.1-7.el7.1.x86_64.rpm
    MD5: 5b0a6ca3851b055684d177e588dad246
    SHA-256: 7384a10154ade5e54d7ce8e2fb54a21d6773326c9a6e5cfbf63ce6bac1cb272b
    Size: 61.17 kB
  11. httpd24-libnghttp2-devel-1.7.1-7.el7.1.x86_64.rpm
    MD5: 487d1d02b21ca1f21288315c7c74637a
    SHA-256: dd2546621934b00fb5cc957fd7a88fa6f0e3c05205a8c3fbfc344581307eb533
    Size: 44.39 kB
  12. httpd24-nghttp2-1.7.1-7.el7.1.x86_64.rpm
    MD5: c3a9e0e82cca9ad7981807a8a4aed913
    SHA-256: e2d4cd336786bd99a4839b098d26521482ff406d7ff2fdddfe1e3ba23b8b7c08
    Size: 3.73 kB