httpd:2.4 security fix update
Errata ID: AXSA:2024-8401:01
Release date:
2024/06/19 Wednesday - 16:33
Title:
httpd:2.4 security fix update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- The mod_macro module of Apache HTTP Server contains an
out-of-bounds memory read issue that allows a remote
attacker to cause a denial of service (crash) by
executing a very large macro. (CVE-2023-31122)
- The mod_http2 module of Apache HTTP Server does not
release memory when an HTTP/2 stream is reset by an RST
frame until the connection itself is closed. This allows
a remote attacker to cause a denial of service (memory
exhaustion) by repeatedly sending new HTTP/2 requests
and RST frames. (CVE-2023-45802)
Modularity name: httpd
Stream name: 2.4
Solution:
Update the packages.
CVE:
CVE-2023-31122
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.
CVE-2023-45802
When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
Additional information:
N/A
Downloads:
SRPMS
- httpd-2.4.37-64.module+el8+1760+bef32e04.ML.1.src.rpm
Size: 6.96 MB
- mod_http2-1.15.7-10.module+el8+1760+bef32e04.src.rpm
Size: 1.02 MB
- mod_md-2.0.8-8.module+el8+1760+bef32e04.src.rpm
Size: 635.32 kB
Asianux Server 8 for x86_64
- httpd-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
Size: 1.41 MB
- httpd-debugsource-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
Size: 1.45 MB
- httpd-devel-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
Size: 226.79 kB
- httpd-filesystem-2.4.37-64.module+el8+1760+bef32e04.ML.1.noarch.rpm
Size: 43.28 kB
- httpd-manual-2.4.37-64.module+el8+1760+bef32e04.ML.1.noarch.rpm
Size: 2.38 MB
- httpd-tools-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
Size: 110.16 kB
- mod_http2-1.15.7-10.module+el8+1760+bef32e04.x86_64.rpm
Size: 154.61 kB
- mod_http2-debugsource-1.15.7-10.module+el8+1760+bef32e04.x86_64.rpm
Size: 148.12 kB
- mod_ldap-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
Size: 88.60 kB
- mod_md-2.0.8-8.module+el8+1760+bef32e04.x86_64.rpm
Size: 183.67 kB
- mod_md-debugsource-2.0.8-8.module+el8+1760+bef32e04.x86_64.rpm
Size: 126.24 kB
- mod_proxy_html-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
Size: 65.73 kB
- mod_session-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
Size: 77.37 kB
- mod_ssl-2.4.37-64.module+el8+1760+bef32e04.ML.1.x86_64.rpm
Size: 140.00 kB