2019/12/22 Sunday - 17:54
httpd24-1.1-19.el7, httpd24-httpd-2.4.34-15.el7, httpd24-nghttp2-1.7.1-8.el7
Asianux Server 7 for x86_64

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.

Security Fix(es):

* httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)

* httpd: mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)

* httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)

* httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)

* httpd: URL normalization inconsistency (CVE-2019-0220)

* httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang (BZ#1669213)

* httpd can not be started with mod_md enabled (BZ#1673019)

* Rebuild metapackage with latest scl-utils (BZ#1696527)

* fix a regression introduced in r1740928 (BZ#1707636)

* duplicated cookie in Apache httpd with mod_session (BZ#1725922)

* Unexpected OCSP in proxy SSL connection (BZ#1744120)


* RFE: updated collection for httpd 2.4 (BZ#1726706)

Additional Changes:

For detailed information on changes in this release, see the Asianux Software Collections 3.4 Release Notes linked from the References section.

CVE-2018-17189: In Apache HTTP Server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.

CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
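
The ordering problem described for mod_session above, as an added example that is not httpd source code and not part of the advisory: a simplified Python model with the affected check-then-decode order beside the decode-then-check order. The cookie layout, class and function names are assumptions made for illustration.

```python
# Simplified model of the mod_session ordering issue (CVE-2018-17199).
# Illustrative only: names and cookie layout are assumptions, not httpd code.
from urllib.parse import parse_qsl, urlencode


class Session:
    def __init__(self, encoded):
        self.encoded = encoded   # raw cookie value as received
        self.entries = {}        # populated by decode()
        self.expiry = 0          # 0 means "no expiry known yet"


def decode(session):
    """Parse the form-encoded cookie; the expiry field is only set here."""
    session.entries = dict(parse_qsl(session.encoded))
    session.expiry = int(session.entries.pop("expiry", 0))


def load_check_then_decode(encoded, now):
    """Affected order: expiry is still 0 when tested, so nothing ever expires."""
    session = Session(encoded)
    if session.expiry and session.expiry < now:
        return None
    decode(session)
    return session


def load_decode_then_check(encoded, now):
    """Corrected order: decode first, then enforce the expiry the cookie carried."""
    session = Session(encoded)
    decode(session)
    if session.expiry and session.expiry < now:
        return None
    return session


# Constructed sample: the session expired at t=1000 and is presented at t=2000.
STALE_COOKIE = urlencode({"user": "alice", "expiry": 1000})
FRESH_COOKIE = urlencode({"user": "alice", "expiry": 3000})
NOW = 2000

if __name__ == "__main__":
    for name, loader in (("check-then-decode", load_check_then_decode),
                         ("decode-then-check", load_decode_then_check)):
        accepted = loader(STALE_COOKIE, NOW) is not None
        print(f"{name}: stale cookie accepted = {accepted}")
```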

CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

CVE-2019-10097: In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.


Update packages.




  1. httpd24-1.1-19.el7.src.rpm
    MD5: 260f033cc07e1f05c957c7b6bef2b76b
    SHA-256: 5430425ab8475d8cfeb9c5eff1a6e7637c45a2f3afbf4424d674d7fe7bab4877
    Size: 14.31 kB
  2. httpd24-httpd-2.4.34-15.el7.src.rpm
    MD5: 24c6da4befe0e8f92c5c945baea9a5ea
    SHA-256: c52d31e6976da927ba284e04f1635d05bec309a6058f7cd1db2861ebdcef0f16
    Size: 6.73 MB
  3. httpd24-nghttp2-1.7.1-8.el7.src.rpm
    MD5: e51f2ae1f21786e3a532410b230bbe1a
    SHA-256: 7df5c6551becbac92d638da77f4d29144e1b9ed4340cb6006c8a7c5d5db586b8
    Size: 1.35 MB

Asianux Server 7 for x86_64
  1. httpd24-1.1-19.el7.x86_64.rpm
    MD5: b5c15f9ebbb53f6a5d6f5f6ff291a4fb
    SHA-256: 14249962b56fe3d9ca0a1b40254f6501647cc66a4eb58d49e3b4d2f9a557d28a
    Size: 4.11 kB
  2. httpd24-runtime-1.1-19.el7.x86_64.rpm
    MD5: f2b234ef95bea61215f1b5668a50e5d7
    SHA-256: 5cec76b9e97884fa8b2f0ff70d099e96f8cd8ad4bde9301ee442cd51e28d6348
    Size: 27.56 kB
  3. httpd24-httpd-2.4.34-15.el7.x86_64.rpm
    MD5: b74c9fd7819452da2a01191de9672dce
    SHA-256: 3cb520f19671f2329cf68ae1d3d5fdefb93a4a53044ac4c1266492f04e5c2b57
    Size: 1.46 MB
  4. httpd24-httpd-devel-2.4.34-15.el7.x86_64.rpm
    MD5: 5f579306271bf6f325651e6f73eddcc8
    SHA-256: 2f1a2fa131bdf6e6a930e33bd0f704e9f9c437ceb5ca55d11af1bb81735f3704
    Size: 206.20 kB
  5. httpd24-httpd-manual-2.4.34-15.el7.noarch.rpm
    MD5: 3161d1a832ae2e12bb010a9eabe78309
    SHA-256: 187cc92031533faac4b954e4b0033f37f1a2277f7aa52027c9cf047f4292b089
    Size: 2.36 MB
  6. httpd24-httpd-tools-2.4.34-15.el7.x86_64.rpm
    MD5: ba8dc5387ca826a8209419c9f6e8a8ea
    SHA-256: 040086a8cdc3c8cdcd96824834922a98cf924a03fc184fee991c0273ce22058d
    Size: 89.02 kB
  7. httpd24-mod_ldap-2.4.34-15.el7.x86_64.rpm
    MD5: 6afe76bb4f2441ebe1148367abd8da83
    SHA-256: 5e2637c650987b481766c51bfcdda87b291676f86d5e28054b18aa97338ba590
    Size: 69.41 kB
  8. httpd24-mod_md-2.4.34-15.el7.x86_64.rpm
    MD5: 8ccbdb441c5145357e1fee0893a99d92
    SHA-256: 2873cc98e685e9091afb334defd06bff9a63867570c1a4da79cf5b532af108b8
    Size: 108.46 kB
  9. httpd24-mod_proxy_html-2.4.34-15.el7.x86_64.rpm
    MD5: 20d8560c533896da18774c517c884473
    SHA-256: 1c7de2c5b1d673ac31ad892176492f1863d472d5a2dfca333de608537d7f5886
    Size: 47.59 kB
  10. httpd24-mod_session-2.4.34-15.el7.x86_64.rpm
    MD5: 42f5c7abeb0266740b92e361ac2a65a0
    SHA-256: 8f17372655f81db4b311ed7a1ee012e8c28ba8443c3b608586ac0145eb9a4b6a
    Size: 58.24 kB
  11. httpd24-mod_ssl-2.4.34-15.el7.x86_64.rpm
    MD5: 28415c36508c32f5b849cad080737143
    SHA-256: fa98eed76bc744cb81d75adc72a23a504168df3dccea9a762715938fbd081135
    Size: 113.67 kB
  12. httpd24-libnghttp2-1.7.1-8.el7.x86_64.rpm
    MD5: 3e69e2b00ffd04e07aaba4d95dc267f9
    SHA-256: 005aa5c56b5f342297d18bc1bcda8ee60410802ca49eb9272031381a6111dd4a
    Size: 61.16 kB
  13. httpd24-libnghttp2-devel-1.7.1-8.el7.x86_64.rpm
    MD5: 00d87e25ca6272410853406644fe8092
    SHA-256: 556cf40663cb9ed1e3e8bd455f0fdb5ec9cd91ef77f2a9e89b2584495b5fc94a
    Size: 44.38 kB
  14. httpd24-nghttp2-1.7.1-8.el7.x86_64.rpm
    MD5: b32dfb03288bfa44d001da975998a626
    SHA-256: ea1ac0611d93db3d9433f2c20a907fab1eb1c360d080273065f5b350410538b4
    Size: 3.73 kB