AXSA:2019-4423:01

リリース日: 
2019/12/25 Wednesday - 17:19
題名: 
httpd24-1.1-19.AXS4, httpd24-httpd-2.4.25-9.AXS4.1, httpd24-nghttp2-1.7.1-8.AXS4
影響のあるチャネル: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
Moderate
Description: 

The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.

Security Fix(es):

* httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)

* httpd: mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)

* httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)

* httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)

* httpd: URL normalization inconsistency (CVE-2019-0220)

* httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang (BZ#1669213)

* httpd can not be started with mod_md enabled (BZ#1673019)

* Rebuild metapackage with latest scl-utils (BZ#1696527)

* fix a regression introduced in r1740928 (BZ#1707636)

* duplicated cookie in Apache httpd with mod_session (BZ#1725922)

* Unexpected OCSP in proxy SSL connection (BZ#1744120)

Enhancement(s):

* RFE: updated collection for httpd 2.4 (BZ#1726706)

Additional Changes:

For detailed information on changes in this release, see the Asianux Software Collections 3.4 Release Notes linked from the References section.

CVE-2018-17189
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
CVE-2018-17199
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
CVE-2019-0217
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
CVE-2019-0220
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.
CVE-2019-10092
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
CVE-2019-10097
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.

解決策: 

Update packages.

追加情報: 

N/A

ダウンロード: 

SRPMS
  1. httpd24-1.1-19.AXS4.src.rpm
    MD5: 982c159ebcfbced4921ee5e7bfadf040
    SHA-256: 45af0bc7baed99de04b3ef87e9ac8bacc7d5f20fa36135afb6640c4f5d96dec7
    Size: 14.33 kB
  2. httpd24-httpd-2.4.34-15.AXS4.src.rpm
    MD5: d46604d5464aace2b1558eb90482d709
    SHA-256: e9fe78fe7e432282ac42fc2c120776cc317266931da1fb028928faeff2653b29
    Size: 6.73 MB
  3. httpd24-nghttp2-1.7.1-8.AXS4.src.rpm
    MD5: 9be2185106a541b504e982d64312265c
    SHA-256: 2e6b4867f41cc89165305a35bb0c0c98783f4733091638f6f932c008c647694e
    Size: 1.35 MB

Asianux Server 4 for x86_64
  1. httpd24-1.1-19.AXS4.x86_64.rpm
    MD5: 3d9016514ea42a9e8688f168c75c51d8
    SHA-256: 6238b509b9f23d3a830ed57c29abd75745cdeb7ded5ffccbc91ce52e24eb42ee
    Size: 3.79 kB
  2. httpd24-runtime-1.1-19.AXS4.x86_64.rpm
    MD5: 224546a35ea51fd046ccb673df385a68
    SHA-256: 3097da0d394010c0907384669a1f196c6ce7125d417957f3d1b682640c960ce9
    Size: 1.03 MB
  3. httpd24-httpd-2.4.34-15.AXS4.x86_64.rpm
    MD5: ae33b08c45ff85ac7fdbf80e1b060886
    SHA-256: d6a3b0d2fc9ccba064245c4fba2f445cbe219dbab88b199e458032dd98aa2822
    Size: 1.28 MB
  4. httpd24-httpd-devel-2.4.34-15.AXS4.x86_64.rpm
    MD5: be9611140d54e89f41b451f4b927026c
    SHA-256: e22ddc34a8a80d239eb2bab8e5a5600b903c43fbb1a67e37387f1a86286ccbf2
    Size: 208.83 kB
  5. httpd24-httpd-manual-2.4.34-15.AXS4.noarch.rpm
    MD5: ade4c1e00bb29817ce13f487f15ade2b
    SHA-256: 8fa75ac944a4b4c3e9fe61c99caefd16793ee9eafcb30bb5ca48609f1251768b
    Size: 2.40 MB
  6. httpd24-httpd-tools-2.4.34-15.AXS4.x86_64.rpm
    MD5: e1897e65d4216e3dd4eddce7101cd34f
    SHA-256: ca64d435f73bac3cc1db754254b087092fec18a7cf3089394dd00078bd9dd6be
    Size: 83.96 kB
  7. httpd24-mod_ldap-2.4.34-15.AXS4.x86_64.rpm
    MD5: deace0f9f02bc922a1739a611d7aab0d
    SHA-256: a6992a506c285b6cb4cdcfee104812085d3c0378fb2c16fc654afaadf2bd299d
    Size: 67.07 kB
  8. httpd24-mod_proxy_html-2.4.34-15.AXS4.x86_64.rpm
    MD5: 53a7766a7ff718975ec8b21c5bb6ea8e
    SHA-256: 8ebc873756eb2b6d00eb94678a70612586ab6c8773b0091f10f32df51ba71112
    Size: 45.75 kB
  9. httpd24-mod_session-2.4.34-15.AXS4.x86_64.rpm
    MD5: e152c799915a223dceb968763d8f6d9d
    SHA-256: d078c7540ea489c009be4c5d6a22cdd9eb1b4fff4f68beb0b333d6dfd38d03c0
    Size: 52.91 kB
  10. httpd24-mod_ssl-2.4.34-15.AXS4.x86_64.rpm
    MD5: 9ff254fcd5c6034f83b3300d8c0055f7
    SHA-256: 2132c30aea0ef44dc19e7ada2cddca071cae42047be7d138c495e2e5410b6c70
    Size: 109.21 kB
  11. httpd24-libnghttp2-1.7.1-8.AXS4.x86_64.rpm
    MD5: b28cd65e634daf25431c34df8976d314
    SHA-256: 673e192fcc839e20d28f493b83cab54a0cba695f10166540ca62c082c3caa49d
    Size: 56.43 kB
  12. httpd24-libnghttp2-devel-1.7.1-8.AXS4.x86_64.rpm
    MD5: 0031e669f9d350d0c7d0d0d7e10162ea
    SHA-256: 5e05c3da0d3244a15a454a2d390d5de95bd8b06383ae186c5d9fa7458b144443
    Size: 44.77 kB
  13. httpd24-nghttp2-1.7.1-8.AXS4.x86_64.rpm
    MD5: cfa7482a65508ee6b9d5d7b97813bb97
    SHA-256: 8b4dc1463effa7835d0e8b3a2f52cb9ee1f7762f9124e7878a5ee849b3795127
    Size: 3.70 kB
Copyright© 2007-2015 Asianux. All rights reserved.