2019/12/25 Wednesday - 17:19
httpd24-1.1-19.AXS4, httpd24-httpd-2.4.25-9.AXS4.1, httpd24-nghttp2-1.7.1-8.AXS4
Asianux Server 4 for x86_64
Asianux Server 4 for x86

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.

Security Fix(es):

* httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)

* httpd: mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)

* httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)

* httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)

* httpd: URL normalization inconsistency (CVE-2019-0220)

* httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang (BZ#1669213)

* httpd can not be started with mod_md enabled (BZ#1673019)

* Rebuild metapackage with latest scl-utils (BZ#1696527)

* fix a regression introduced in r1740928 (BZ#1707636)

* duplicated cookie in Apache httpd with mod_session (BZ#1725922)

* Unexpected OCSP in proxy SSL connection (BZ#1744120)


* RFE: updated collection for httpd 2.4 (BZ#1726706)

Additional Changes:

For detailed information on changes in this release, see the Asianux Software Collections 3.4 Release Notes linked from the References section.

CVE-2018-17189: In Apache HTTP Server versions 2.4.37 and prior, when request bodies were sent in a slow-loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.
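
The ordering problem described for mod_session, as an added Python model that is not Apache httpd code and not part of the original advisory. The `Session` class, the function names and the `key=value&expiry=<epoch seconds>` cookie layout are simplifying assumptions.

```python
# Added model of the load order behind CVE-2018-17199; not Apache source.
# Assumed: Session class, function names, "k=v&expiry=<epoch s>" layout.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl


@dataclass
class Session:
    encoded: str                       # cookie value as received
    entries: dict = field(default_factory=dict)
    expiry: int = 0                    # 0 = not known until decoded


def decode(s: Session) -> None:
    """Fill entries and expiry from the encoded cookie value."""
    s.entries = dict(parse_qsl(s.encoded))
    s.expiry = int(s.entries.pop("expiry", 0))


def expired(s: Session, now: int) -> bool:
    return s.expiry != 0 and s.expiry < now


def load_check_then_decode(cookie: str, now: int) -> Optional[Session]:
    """Pre-fix order: expiry is still 0 when it is tested."""
    s = Session(cookie)
    if expired(s, now):                # never true for cookie sessions
        return None
    decode(s)
    return s


def load_decode_then_check(cookie: str, now: int) -> Optional[Session]:
    """Fixed order: decode first, then enforce the expiry just loaded."""
    s = Session(cookie)
    decode(s)
    return None if expired(s, now) else s


# Constructed samples: one session past its expiry, one still valid.
NOW = 2000
STALE = "user=alice&expiry=1000"
FRESH = "user=alice&expiry=3000"

if __name__ == "__main__":
    print("pre-fix accepts stale:", load_check_then_decode(STALE, NOW) is not None)
    print("fixed accepts stale:", load_decode_then_check(STALE, NOW) is not None)
```
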
CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.
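
One way to audit path regexes of the kind used in LocationMatch or RewriteRule for this inconsistency, as an added Python example that is not Apache code and not part of the original advisory. The patterns and request paths are constructed samples, and Python's `re` stands in for the server's regex engine, which is equivalent for patterns this simple.

```python
# Added example, not Apache code: reports request paths on which a path
# regex gives a different verdict before and after duplicate slashes are
# collapsed. All patterns and paths below are constructed samples.
import re
from typing import List

_SLASH_RUN = re.compile(r"/{2,}")


def collapse_slashes(path: str) -> str:
    """Reduce every run of '/' in the path to a single '/'."""
    return _SLASH_RUN.sub("/", path)


def inconsistent_paths(pattern: str, paths: List[str]) -> List[str]:
    """Return paths where raw and collapsed forms match differently."""
    rx = re.compile(pattern)
    flagged = []
    for p in paths:
        raw_hit = rx.search(p) is not None
        collapsed_hit = rx.search(collapse_slashes(p)) is not None
        if raw_hit != collapsed_hit:
            flagged.append(p)
    return flagged


SAMPLE_PATHS = [
    "/private/report",
    "//private/report",
    "/private//report",
    "/public//index.html",
]
NAIVE = r"^/private/"        # assumes exactly one slash per separator
TOLERANT = r"^/+private/+"   # accounts for duplicate slashes

if __name__ == "__main__":
    for name, pat in (("naive", NAIVE), ("tolerant", TOLERANT)):
        print(name, pat, "->", inconsistent_paths(pat, SAMPLE_PATHS))
```
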
CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
CVE-2019-10097: In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.


Update packages.




  1. httpd24-1.1-19.AXS4.src.rpm
    Size: 14.33 kB
  2. httpd24-httpd-2.4.34-15.AXS4.src.rpm
    Size: 6.73 MB
  3. httpd24-nghttp2-1.7.1-8.AXS4.src.rpm
    Size: 1.35 MB

Asianux Server 4 for x86_64
  1. httpd24-1.1-19.AXS4.x86_64.rpm
    Size: 3.79 kB
  2. httpd24-runtime-1.1-19.AXS4.x86_64.rpm
    Size: 1.03 MB
  3. httpd24-httpd-2.4.34-15.AXS4.x86_64.rpm
    Size: 1.28 MB
  4. httpd24-httpd-devel-2.4.34-15.AXS4.x86_64.rpm
    Size: 208.83 kB
  5. httpd24-httpd-manual-2.4.34-15.AXS4.noarch.rpm
    Size: 2.40 MB
  6. httpd24-httpd-tools-2.4.34-15.AXS4.x86_64.rpm
    Size: 83.96 kB
  7. httpd24-mod_ldap-2.4.34-15.AXS4.x86_64.rpm
    Size: 67.07 kB
  8. httpd24-mod_proxy_html-2.4.34-15.AXS4.x86_64.rpm
    Size: 45.75 kB
  9. httpd24-mod_session-2.4.34-15.AXS4.x86_64.rpm
    Size: 52.91 kB
  10. httpd24-mod_ssl-2.4.34-15.AXS4.x86_64.rpm
    Size: 109.21 kB
  11. httpd24-libnghttp2-1.7.1-8.AXS4.x86_64.rpm
    Size: 56.43 kB
  12. httpd24-libnghttp2-devel-1.7.1-8.AXS4.x86_64.rpm
    Size: 44.77 kB
  13. httpd24-nghttp2-1.7.1-8.AXS4.x86_64.rpm
    Size: 3.70 kB