httpd-2.4.6-99.1.0.2.el7.AXS7

Errata ID: AXSA:2024-8700:04

Release date: 2024/08/26 Monday - 10:07
Title: httpd-2.4.6-99.1.0.2.el7.AXS7
Affected channels: Asianux Server 7 for x86_64
Severity: High
Description:

The Apache HTTP Server is a powerful, efficient, and extensible web server.

Security Fix(es):

* CVE-2024-38474: mod_rewrite: server weakness with encoded question marks in
backreferences
* CVE-2024-38475: mod_rewrite: server weakness in mod_rewrite when first segment
of substitution matches filesystem path
* CVE-2024-38477: mod_proxy: crash resulting in Denial of Service in mod_proxy
via a malicious request
* CVE-2024-38476: http: server may use exploitable/malicious backend application
output to run local handlers via internal redirect
* CVE-2024-39573: mod_rewrite: proxy handler substitution

CVE(s):
CVE-2024-38474
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to obtain source disclosure of scripts meant only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless the rewrite flag "UnsafeAllow3F" is specified.
CVE-2024-38475
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreference or variable as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change; the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been verified to be appropriately constrained.
CVE-2024-38476
A vulnerability in the core of Apache HTTP Server 2.4.59 and earlier makes it vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
CVE-2024-38477
A null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
CVE-2024-39573
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Solution:

Update packages.

Additional information:

N/A

Downloads:

Asianux Server 7 for x86_64
  1. httpd-2.4.6-99.1.0.2.el7.AXS7.x86_64.rpm (1.20 MB)
  2. httpd-devel-2.4.6-99.1.0.2.el7.AXS7.x86_64.rpm (201.29 kB)
  3. httpd-manual-2.4.6-99.1.0.2.el7.AXS7.noarch.rpm (1.35 MB)
  4. httpd-tools-2.4.6-99.1.0.2.el7.AXS7.x86_64.rpm (94.35 kB)
  5. mod_session-2.4.6-99.1.0.2.el7.AXS7.x86_64.rpm (64.42 kB)
  6. mod_ssl-2.4.6-99.1.0.2.el7.AXS7.x86_64.rpm (115.51 kB)