AXSA:2019-4337:01

Release date: 
2019/10/01 Tuesday - 12:04
Title: 
httpd24-httpd-2.4.34-8.el7.1, httpd24-nghttp2-1.7.1-7.el7.1
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)

* HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513)

* HTTP/2: request for large response leads to denial of service (CVE-2019-9517)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-9511
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9513
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
CVE-2019-9517
Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Solution: 

Update packages.
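
An added example (not part of the Asianux advisory): a Python check that reports which installed packages are older than the fixed builds named in this advisory, using a simplified rpm-style version comparison. The input format (output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`), the sample lines and the function names are assumptions; epochs and `~`/`^` version markers are not handled.

```python
import re

# Fixed builds and binary package names, taken from this advisory.
HTTPD_FIXED, NGHTTP2_FIXED = "2.4.34-8.el7.1", "1.7.1-7.el7.1"
HTTPD_PKGS = ("httpd httpd-devel httpd-manual httpd-tools mod_ldap mod_md "
              "mod_proxy_html mod_session mod_ssl").split()
NGHTTP2_PKGS = "libnghttp2 libnghttp2-devel nghttp2".split()
FIXED = {f"httpd24-{p}": HTTPD_FIXED for p in HTTPD_PKGS}
FIXED.update({f"httpd24-{p}": NGHTTP2_FIXED for p in NGHTTP2_PKGS})

def rpmvercmp(a, b):
    """Simplified rpm segment comparison; returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)           # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(a, b):
    """Compare 'version-release' strings (assumes no epoch)."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def outdated(rpm_lines):
    """Return [(name, installed, fixed)] for packages older than the fixed build."""
    found = []
    for line in rpm_lines.strip().splitlines():
        name, vr = line.split()
        fixed = FIXED.get(name)
        if fixed and evr_cmp(vr, fixed) < 0:
            found.append((name, vr, fixed))
    return found

# Constructed sample of "NAME VERSION-RELEASE" lines, not real host output.
SAMPLE = """\
httpd24-httpd 2.4.34-7.el7
httpd24-mod_ssl 2.4.34-8.el7.1
httpd24-libnghttp2 1.7.1-7.el7
httpd24-nghttp2 1.7.1-7.el7.1
bash 4.2.46-33.el7
"""

if __name__ == "__main__":
    for name, have, need in outdated(SAMPLE):
        print(f"{name}: installed {have}, needs {need} or later")
```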

Additional information: 

N/A

Download: 

SRPMS
1. httpd24-httpd-2.4.34-8.el7.1.src.rpm
md5sum: 87c4413110a723877ccaa729c558ec9f
sha256sum: 27df15d59fe64a023b03ccd5aac287b709f7a9bd341f9e1400d1e7253baafcea
Size: 6,875 Kb
2. httpd24-nghttp2-1.7.1-7.el7.1.src.rpm
md5sum: efabdb85d6d9998ad9f7d92d9b1a25b5
sha256sum: ab494cce82721195b65ae00ccafa604e05dff2b4e4547dc05f187771f2ade58e
Size: 1,381 Kb

Asianux Server 7.0 for x86_64
1. httpd24-httpd-2.4.34-8.el7.1.x86_64.rpm
md5sum: dc65b0de2ed5db787035be0b440dd1a2
sha256sum: 2da41025fbae5372b1f9e505782120e94920c5eabf141d8dcab9c56d10d3b634
Size: 1,495 Kb
2. httpd24-httpd-devel-2.4.34-8.el7.1.x86_64.rpm
md5sum: 7029e496c5616a5f1bc54aa6c9c19b61
sha256sum: 6788251b925fe1b72b8d45a84c66dc20ebb41abe444aa154c7ca9c8cb735fe39
Size: 205 Kb
3. httpd24-httpd-manual-2.4.34-8.el7.1.noarch.rpm
md5sum: 90943a0e4406504f99cb032ec210185f
sha256sum: 259f4e5ea83924d26d2a775b13321fe114348c1936cb37f1ea6fee51733e0b60
Size: 2,411 Kb
4. httpd24-httpd-tools-2.4.34-8.el7.1.x86_64.rpm
md5sum: be57d7eb1c25508b74941c6b1fe02a08
sha256sum: 68362fd2f149bc4bce76210789b0cb1e1d1f86bccf130bde55e19ad276716397
Size: 88 Kb
5. httpd24-mod_ldap-2.4.34-8.el7.1.x86_64.rpm
md5sum: cc45bed244830a6ccdf6de4b51a9dfa8
sha256sum: 364fad0f8dc83b807a9320d49af4b543333ececb31fb7216d53d8f0bbede3775
Size: 68 Kb
6. httpd24-mod_md-2.4.34-8.el7.1.x86_64.rpm
md5sum: a7410df62dc57cab560dba06188e45d7
sha256sum: 9c89211c22dc4406e48f298d2f9485d126a5baf89354c3a18ac846d0fb8ee2af
Size: 107 Kb
7. httpd24-mod_proxy_html-2.4.34-8.el7.1.x86_64.rpm
md5sum: a1308fb24de19d1a7de88d56a410e2f1
sha256sum: 43ecd1af2336dedd189542f69544611323c7792241df9776b6a14c27aa23168f
Size: 46 Kb
8. httpd24-mod_session-2.4.34-8.el7.1.x86_64.rpm
md5sum: 177d75e580be67e56036417f861c5e6a
sha256sum: 163e1112c39d0de283286b07eaac734db265a672b306850323576a9558ced2c7
Size: 57 Kb
9. httpd24-mod_ssl-2.4.34-8.el7.1.x86_64.rpm
md5sum: 0af4985c76d448ab165474f8ee5461a4
sha256sum: ce63a9d4ee1cf90d5fa20be0f8982b8a2ba7ce1b8ce2e9bc8ef5c419ed4ae9d0
Size: 112 Kb
10. httpd24-libnghttp2-1.7.1-7.el7.1.x86_64.rpm
md5sum: 5b0a6ca3851b055684d177e588dad246
sha256sum: 7384a10154ade5e54d7ce8e2fb54a21d6773326c9a6e5cfbf63ce6bac1cb272b
Size: 61 Kb
11. httpd24-libnghttp2-devel-1.7.1-7.el7.1.x86_64.rpm
md5sum: 487d1d02b21ca1f21288315c7c74637a
sha256sum: dd2546621934b00fb5cc957fd7a88fa6f0e3c05205a8c3fbfc344581307eb533
Size: 44 Kb
12. httpd24-nghttp2-1.7.1-7.el7.1.x86_64.rpm
md5sum: c3a9e0e82cca9ad7981807a8a4aed913
sha256sum: e2d4cd336786bd99a4839b098d26521482ff406d7ff2fdddfe1e3ba23b8b7c08
Size: 4 Kb