httpd24-1.1-19.el7, httpd24-httpd-2.4.34-15.el7, httpd24-nghttp2-1.7.1-8.el7
Errata ID: AXSA:2019-4418:01
The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.
Security Fix(es):
* httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)
* httpd: mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)
* httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)
* httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)
* httpd: URL normalization inconsistency (CVE-2019-0220)
* httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang (BZ#1669213)
* httpd can not be started with mod_md enabled (BZ#1673019)
* Rebuild metapackage with latest scl-utils (BZ#1696527)
* fix a regression introduced in r1740928 (BZ#1707636)
* duplicated cookie in Apache httpd with mod_session (BZ#1725922)
* Unexpected OCSP in proxy SSL connection (BZ#1744120)
Enhancement(s):
* RFE: updated collection for httpd 2.4 (BZ#1726706)
Additional Changes:
For detailed information on changes in this release, see the Asianux Software Collections 3.4 Release Notes linked from the References section.
CVE-2018-17189
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
CVE-2018-17199
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
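The ordering defect described for CVE-2018-17199 is easy to model. The following is an added illustration written for this page, not mod_session's code: the session's expiry travels inside the encoded cookie, so an expiry check that runs before the cookie is decoded has nothing to compare against and always passes. The cookie layout, the field name `expiry`, and the timestamps are constructed for the example.

```python
# Added example, not mod_session's code: models the ordering bug behind
# CVE-2018-17199. The session's expiry lives inside the encoded cookie, so an
# expiry check performed before decoding has nothing to compare and passes.
# Cookie format, field names and timestamps are constructed for illustration.
import base64
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode

EXPIRY_FIELD = "expiry"   # assumed name of the expiry field inside the cookie


def encode_session(data: Dict[str, str], expires_at: int) -> str:
    """Serialise session data plus its expiry (seconds since the epoch)."""
    fields = dict(data)
    fields[EXPIRY_FIELD] = str(expires_at)
    return base64.urlsafe_b64encode(urlencode(fields).encode()).decode()


def decode_session(cookie: str) -> Dict[str, str]:
    """Inverse of encode_session: the expiry only becomes visible here."""
    return dict(parse_qsl(base64.urlsafe_b64decode(cookie.encode()).decode()))


def is_expired(session: Dict[str, str], now: int) -> bool:
    """True if the session carries an expiry that is already in the past.
    A session with no expiry field is treated as non-expiring, which is
    exactly what makes the check-before-decode ordering unsafe."""
    expiry = session.get(EXPIRY_FIELD)
    return expiry is not None and int(expiry) <= now


def load_session_buggy(cookie: str, now: int) -> Optional[Dict[str, str]]:
    """Pre-fix ordering: check expiry first, then decode."""
    session: Dict[str, str] = {}
    if is_expired(session, now):      # session is still empty here, so never expired
        return None
    return decode_session(cookie)


def load_session_fixed(cookie: str, now: int) -> Optional[Dict[str, str]]:
    """Fixed ordering: decode first, then check the expiry that was decoded."""
    session = decode_session(cookie)
    if is_expired(session, now):
        return None
    return session


if __name__ == "__main__":
    stale = encode_session({"user": "alice"}, expires_at=1000)
    print("buggy :", load_session_buggy(stale, now=2000))   # still returns the session
    print("fixed :", load_session_fixed(stale, now=2000))   # None: expired
```

On a real deployment the equivalent check is that a mod_session_cookie session older than `SessionMaxAge` is rejected after the update; a cookie captured before the update and replayed after its expiry should now fail.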
CVE-2019-0217
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
CVE-2019-0220
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.
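The mismatch behind CVE-2019-0220 can be reproduced in a few lines. The following is an added illustration, not httpd code: it models the server collapsing repeated slashes before serving a path while a regex-based rule sees the raw path, and checks the two remedies, a pattern that tolerates repeated slashes (`^/+admin`) and collapsing the path before matching, which is what the `MergeSlashes` directive added in httpd 2.4.39 does by default. The patterns and probe paths are constructed.

```python
# Added example, not httpd's code: shows how an access rule written as a
# regular expression against the raw request path can fail to apply when the
# path carries repeated slashes, while the server still serves the collapsed
# path. Patterns and probe paths below are constructed for illustration.
import re
from typing import List, Tuple


def merge_slashes(path: str) -> str:
    """Collapse runs of '/' into one, as the server does before mapping the
    path to a file or handler."""
    return re.sub(r"/{2,}", "/", path)


def rule_applies(pattern: str, path: str) -> bool:
    """Would a <LocationMatch pattern> (or RewriteRule) regex match this path?"""
    return re.search(pattern, path) is not None


def check_request(pattern: str, raw_path: str, merge_first: bool) -> Tuple[bool, str]:
    """Evaluate one request.

    merge_first=False: the regex sees the raw path (the behaviour CVE-2019-0220
    describes). merge_first=True: slashes are collapsed before matching, the
    effect of MergeSlashes On in 2.4.39 and later.
    Returns (rule_applied, path_actually_served).
    """
    served = merge_slashes(raw_path)
    seen_by_rule = served if merge_first else raw_path
    return rule_applies(pattern, seen_by_rule), served


def find_bypasses(pattern: str, paths: List[str], merge_first: bool = False) -> List[str]:
    """Return the raw paths that reach a location the rule covers without the
    rule having applied to them."""
    bypassed = []
    for raw in paths:
        applied, served = check_request(pattern, raw, merge_first)
        if not applied and rule_applies(pattern, served):
            bypassed.append(raw)
    return bypassed


CANDIDATE_PATHS = [          # constructed probe paths
    "/admin/panel",
    "//admin/panel",
    "/admin//panel",
    "///admin",
    "/public/page",
]

if __name__ == "__main__":
    for pattern in (r"^/admin", r"^/+admin"):
        print(pattern, "bypassed by:", find_bypasses(pattern, CANDIDATE_PATHS))
    print("^/admin with merge first:", find_bypasses(r"^/admin", CANDIDATE_PATHS, merge_first=True))
```

When auditing a configuration, run every `LocationMatch` and `RewriteRule` pattern that guards something through `find_bypasses` with probe paths that double the leading and internal slashes; any hit means the pattern needs `/+` where it currently has `/`, or the server needs the slash-merging behaviour this update provides.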
CVE-2019-10092
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
CVE-2019-10097
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.
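The input mod_remoteip consumes here is the PROXY protocol header sent by the upstream proxy. The following is an added example written for this page, not httpd's code, and it does not reproduce the specific defect in CVE-2019-10097: a strict parser for the text (version 1) form of that header, showing the properties a practitioner expects of such a parser: the line length is bounded before any scanning, every field is validated, and an UNKNOWN family is represented explicitly so callers cannot touch address fields that were never supplied. The sample headers are constructed.

```python
# Added example, not httpd's code: a strict parser for the text (version 1)
# form of the PROXY protocol header, the kind of input mod_remoteip consumes
# from a trusted upstream proxy. It bounds the line length before scanning,
# validates every field, and represents an UNKNOWN family explicitly so callers
# cannot dereference address fields that were never supplied. It does not
# reproduce the specific defect in CVE-2019-10097. Sample headers are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_V1_HEADER = 107   # longest valid v1 header including the trailing CRLF


class ProxyHeaderError(ValueError):
    """Raised for any malformed or over-long header."""


@dataclass
class ProxyInfo:
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[str] = None   # None when the family is UNKNOWN
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def _port(field: str) -> int:
    # isdigit() rejects the signs and whitespace that int() would silently accept
    if not field.isdigit() or not 0 <= int(field) <= 65535:
        raise ProxyHeaderError(f"bad port {field!r}")
    return int(field)


def _addr(field: str, version: int) -> str:
    try:
        parsed = ipaddress.ip_address(field)
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address {field!r}") from exc
    if parsed.version != version:
        raise ProxyHeaderError(f"address family mismatch: {field!r}")
    return str(parsed)


def parse_proxy_v1(data: bytes) -> ProxyInfo:
    """Parse the PROXY v1 header at the start of `data`.

    Only the first MAX_V1_HEADER bytes are examined, so a malformed header can
    never drive an unbounded scan; everything after the CRLF is left to the
    HTTP parser.
    """
    end = data[:MAX_V1_HEADER].find(b"\r\n")
    if end < 0:
        raise ProxyHeaderError("no CRLF within the 107-byte limit")
    line = data[:end]
    if not line.isascii():
        raise ProxyHeaderError("non-ASCII byte in header")
    fields = line.decode("ascii").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("missing PROXY signature")
    family = fields[1]
    if family == "UNKNOWN":
        # The spec allows anything (or nothing) after UNKNOWN; do not parse it.
        return ProxyInfo("UNKNOWN")
    if family not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"unsupported family {family!r}")
    if len(fields) != 6:
        raise ProxyHeaderError("TCP4/TCP6 header needs exactly 6 fields")
    version = 4 if family == "TCP4" else 6
    return ProxyInfo(
        family,
        src=_addr(fields[2], version),
        dst=_addr(fields[3], version),
        sport=_port(fields[4]),
        dport=_port(fields[5]),
    )


def proxy_v1_error(data: bytes) -> Optional[str]:
    """Convenience wrapper: the error message for a bad header, else None."""
    try:
        parse_proxy_v1(data)
    except ProxyHeaderError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_proxy_v1(b"PROXY TCP4 192.0.2.10 198.51.100.7 51234 443\r\nGET / HTTP/1.1\r\n"))
    print(proxy_v1_error(b"PROXY TCP4 " + b"9" * 200 + b"\r\n"))
```

The operational caveat stands regardless of parser quality: only hosts listed as trusted proxies should be able to reach a listener that has PROXY protocol handling enabled, since the header is accepted without authentication from whoever connects.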
Update packages.
N/A
SRPMS
- httpd24-1.1-19.el7.src.rpm
MD5: 260f033cc07e1f05c957c7b6bef2b76b
SHA-256: 5430425ab8475d8cfeb9c5eff1a6e7637c45a2f3afbf4424d674d7fe7bab4877
Size: 14.31 kB
- httpd24-httpd-2.4.34-15.el7.src.rpm
MD5: 24c6da4befe0e8f92c5c945baea9a5ea
SHA-256: c52d31e6976da927ba284e04f1635d05bec309a6058f7cd1db2861ebdcef0f16
Size: 6.73 MB
- httpd24-nghttp2-1.7.1-8.el7.src.rpm
MD5: e51f2ae1f21786e3a532410b230bbe1a
SHA-256: 7df5c6551becbac92d638da77f4d29144e1b9ed4340cb6006c8a7c5d5db586b8
Size: 1.35 MB
Asianux Server 7 for x86_64
- httpd24-1.1-19.el7.x86_64.rpm
MD5: b5c15f9ebbb53f6a5d6f5f6ff291a4fb
SHA-256: 14249962b56fe3d9ca0a1b40254f6501647cc66a4eb58d49e3b4d2f9a557d28a
Size: 4.11 kB
- httpd24-runtime-1.1-19.el7.x86_64.rpm
MD5: f2b234ef95bea61215f1b5668a50e5d7
SHA-256: 5cec76b9e97884fa8b2f0ff70d099e96f8cd8ad4bde9301ee442cd51e28d6348
Size: 27.56 kB
- httpd24-httpd-2.4.34-15.el7.x86_64.rpm
MD5: b74c9fd7819452da2a01191de9672dce
SHA-256: 3cb520f19671f2329cf68ae1d3d5fdefb93a4a53044ac4c1266492f04e5c2b57
Size: 1.46 MB
- httpd24-httpd-devel-2.4.34-15.el7.x86_64.rpm
MD5: 5f579306271bf6f325651e6f73eddcc8
SHA-256: 2f1a2fa131bdf6e6a930e33bd0f704e9f9c437ceb5ca55d11af1bb81735f3704
Size: 206.20 kB
- httpd24-httpd-manual-2.4.34-15.el7.noarch.rpm
MD5: 3161d1a832ae2e12bb010a9eabe78309
SHA-256: 187cc92031533faac4b954e4b0033f37f1a2277f7aa52027c9cf047f4292b089
Size: 2.36 MB
- httpd24-httpd-tools-2.4.34-15.el7.x86_64.rpm
MD5: ba8dc5387ca826a8209419c9f6e8a8ea
SHA-256: 040086a8cdc3c8cdcd96824834922a98cf924a03fc184fee991c0273ce22058d
Size: 89.02 kB
- httpd24-mod_ldap-2.4.34-15.el7.x86_64.rpm
MD5: 6afe76bb4f2441ebe1148367abd8da83
SHA-256: 5e2637c650987b481766c51bfcdda87b291676f86d5e28054b18aa97338ba590
Size: 69.41 kB
- httpd24-mod_md-2.4.34-15.el7.x86_64.rpm
MD5: 8ccbdb441c5145357e1fee0893a99d92
SHA-256: 2873cc98e685e9091afb334defd06bff9a63867570c1a4da79cf5b532af108b8
Size: 108.46 kB
- httpd24-mod_proxy_html-2.4.34-15.el7.x86_64.rpm
MD5: 20d8560c533896da18774c517c884473
SHA-256: 1c7de2c5b1d673ac31ad892176492f1863d472d5a2dfca333de608537d7f5886
Size: 47.59 kB
- httpd24-mod_session-2.4.34-15.el7.x86_64.rpm
MD5: 42f5c7abeb0266740b92e361ac2a65a0
SHA-256: 8f17372655f81db4b311ed7a1ee012e8c28ba8443c3b608586ac0145eb9a4b6a
Size: 58.24 kB
- httpd24-mod_ssl-2.4.34-15.el7.x86_64.rpm
MD5: 28415c36508c32f5b849cad080737143
SHA-256: fa98eed76bc744cb81d75adc72a23a504168df3dccea9a762715938fbd081135
Size: 113.67 kB
- httpd24-libnghttp2-1.7.1-8.el7.x86_64.rpm
MD5: 3e69e2b00ffd04e07aaba4d95dc267f9
SHA-256: 005aa5c56b5f342297d18bc1bcda8ee60410802ca49eb9272031381a6111dd4a
Size: 61.16 kB
- httpd24-libnghttp2-devel-1.7.1-8.el7.x86_64.rpm
MD5: 00d87e25ca6272410853406644fe8092
SHA-256: 556cf40663cb9ed1e3e8bd455f0fdb5ec9cd91ef77f2a9e89b2584495b5fc94a
Size: 44.38 kB
- httpd24-nghttp2-1.7.1-8.el7.x86_64.rpm
MD5: b32dfb03288bfa44d001da975998a626
SHA-256: ea1ac0611d93db3d9433f2c20a907fab1eb1c360d080273065f5b350410538b4
Size: 3.73 kB
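The hashes above are only useful if someone checks downloaded packages against them before installation. The following is an added example written for this page, not part of the advisory or of any Asianux tooling: it parses a listing in the layout used above (a "- <file>" line followed by MD5:, SHA-256: and Size: lines, including the flattened form where the next entry is fused onto a Size: line) and compares each file's SHA-256 with the listed value. MD5 is parsed but not used for the decision. The sample manifest and file are constructed; their hashes are those of the 3-byte string "abc" and of the empty string.

```python
# Added example, not part of the advisory or of Asianux tooling: parses the
# package listing layout used in this advisory and verifies downloaded files
# against the listed SHA-256 values. The sample manifest and file below are
# constructed (hashes of the 3-byte string "abc" and of the empty string).
import hashlib
import os
import tempfile
from typing import Dict

SAMPLE_MANIFEST = """\
- example-1.0-1.el7.x86_64.rpm
MD5: 900150983cd24fb0d6963f7d28e17f72
SHA-256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
Size: 3 B - not-downloaded-1.0-1.el7.x86_64.rpm
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Size: 0 B
"""


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Map file name -> {"md5", "sha256", "size"}. Tolerates the flattened
    form where the next "- <file>" entry is fused onto a Size: line."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Size:") and " - " in line:
            size, fused_name = line[len("Size:"):].split(" - ", 1)
            if current is not None:
                entries[current]["size"] = size.strip()
            line = "- " + fused_name.strip()       # fall through as a new entry
        if line.startswith("- "):
            current = line[2:].strip()
            entries[current] = {}
        elif current is None:
            continue                               # text before the first entry
        elif line.startswith("MD5:"):
            entries[current]["md5"] = line[len("MD5:"):].strip().lower()
        elif line.startswith("SHA-256:"):
            entries[current]["sha256"] = line[len("SHA-256:"):].strip().lower()
        elif line.startswith("Size:"):
            entries[current]["size"] = line[len("Size:"):].strip()
    return entries


def sha256_of(path: str) -> str:
    """Stream the file so large RPMs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_files(manifest: Dict[str, Dict[str, str]], directory: str) -> Dict[str, str]:
    """Return file name -> "ok" | "missing" | "mismatch" | "no-hash"."""
    results: Dict[str, str] = {}
    for name, entry in manifest.items():
        path = os.path.join(directory, name)
        expected = entry.get("sha256")
        if expected is None:
            results[name] = "no-hash"
        elif not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_of(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo() -> Dict[str, str]:
    """Write the constructed sample file into a scratch directory and verify it."""
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, "example-1.0-1.el7.x86_64.rpm"), "wb") as fh:
        fh.write(b"abc")
    return verify_files(parse_manifest(SAMPLE_MANIFEST), workdir)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

In practice, paste the listing above into the manifest, point `verify_files` at the download directory, and install only files reported as "ok"; hash verification complements, rather than replaces, checking the package signature with `rpm -K` against the vendor's key.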