httpd-2.4.6-98.7.0.1.el7.AXS7
エラータID: AXSA:2023-5265:04
リリース日:
2023/04/05 Wednesday - 09:22
題名:
httpd-2.4.6-98.7.0.1.el7.AXS7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Apache HTTP Server の mod_proxy モジュールには、リモートの
攻撃者により、RewriteRule もしくは ProxyPassMatch を用いた特定の
設定を介して、HTTP リクエストスマグリング攻撃を可能とする脆弱性
が存在します。(CVE-2023-25690)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-25690
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
追加情報:
N/A
ダウンロード:
SRPMS
- httpd-2.4.6-98.7.0.1.el7.AXS7.src.rpm
MD5: a5b12cb7d5dbffb0cc2f17a4edfa2ed5
SHA-256: bafc3eeb0c9836e45ffe4c50ce3928d63d78c43f4525ec16e5e37e8612cb342f
Size: 4.99 MB
Asianux Server 7 for x86_64
- httpd-2.4.6-98.7.0.1.el7.AXS7.x86_64.rpm
MD5: 23255855476988e4ab2a2a68d25e58af
SHA-256: 687262533028e439d897e148ef65e21b9b3985c07949c4c86f831ae1b8851d1e
Size: 1.19 MB - httpd-devel-2.4.6-98.7.0.1.el7.AXS7.x86_64.rpm
MD5: d35777fdf67fc574538e57dd97c3b8af
SHA-256: f781d1cf648591e1b96f77d00b07b7e47fb795411ef597ceadea572bd57a645e
Size: 200.24 kB - httpd-manual-2.4.6-98.7.0.1.el7.AXS7.noarch.rpm
MD5: ca0f523d13977066193e0972015e7817
SHA-256: c5abb06833f73627e1ca9d261acb65381cbe8a16a7e2ffd8babdbfa731fef99d
Size: 1.34 MB - httpd-tools-2.4.6-98.7.0.1.el7.AXS7.x86_64.rpm
MD5: 7be69b7ed00f3de7f5598060b5a01ef1
SHA-256: 7f3e1d4aa33130998b9eb084bf39a473845e4530e1b00b7b78dfbda53c132a06
Size: 93.58 kB - mod_session-2.4.6-98.7.0.1.el7.AXS7.x86_64.rpm
MD5: b9318fff77b8dd263e0a553a1726d685
SHA-256: de0b0223bd147570819603b862829b361f0fae3ec09f6b30dcaafd0e5d1c0123
Size: 63.64 kB - mod_ssl-2.4.6-98.7.0.1.el7.AXS7.x86_64.rpm
MD5: ffc33d4255af6bb069b162a845f1d99c
SHA-256: 7875495586a76a93e402527bed36c7e3fb1e9d48c9efcaf5a906db601f03a69e
Size: 114.74 kB
English