httpd-2.4.62-4.el9_6.4
Errata ID: AXSA:2025-10819:07
Release date:
2025/09/03 Wednesday - 14:07
Title:
httpd-2.4.62-4.el9_6.4
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
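The following issues have been addressed.
[Security Fix]
- mod_ssl in Apache HTTP Server contains a vulnerability that allows a remote attacker to corrupt data. (CVE-2024-47252)
- mod_ssl in Apache HTTP Server contains a vulnerability that allows a remote attacker to bypass access controls. (CVE-2025-23048)
- mod_ssl in Apache HTTP Server contains a vulnerability that allows a remote attacker to perform improper authentication. (CVE-2025-49812)
Solution:
Update the packages.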
CVE:
CVE-2024-47252
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
CVE-2025-23048
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
CVE-2025-49812
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
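To triage which hosts need this update first, the configuration preconditions named in the three CVE descriptions above can be checked mechanically. The following is an added example, not part of the advisory or of Apache httpd; the `audit` function, the sample configuration and its paths are constructed for illustration, and the check is a line-based heuristic that does not follow `Include` directives.

```python
import re

# Constructed sample httpd configuration (not taken from the advisory).
SAMPLE_CONF = r'''
LogFormat "%h %t \"%r\" %>s sni=%{SSL_TLS_SNI}x" sslsni
<VirtualHost *:443>
    SSLCACertificateFile /etc/pki/tls/ca-a.pem
</VirtualHost>
<VirtualHost *:443>
    SSLCACertificatePath /etc/pki/tls/ca-b.d
</VirtualHost>
<VirtualHost *:80>
    SSLEngine optional
</VirtualHost>
'''

# Matches %{varname}x and %{varname}c (case-sensitive: %{name}C is a cookie).
MODSSL_LOG_VAR = re.compile(r'%\{[^}]+\}[xc](?![A-Za-z])')

def audit(conf):
    """Return CVE ids whose config preconditions appear in conf (conservative)."""
    hits, vhost_cas = set(), []          # vhost_cas: (CA setting, strict SNI on?)
    ca, in_vhost, strict, global_strict = None, False, False, False
    for raw in conf.splitlines():
        words = raw.split()
        if not words or words[0].startswith('#'):
            continue
        key = words[0].lower()
        arg = words[1] if len(words) > 1 else ''
        if key.startswith('<virtualhost'):
            ca, in_vhost, strict = None, True, False
        elif key.startswith('</virtualhost'):
            if ca:
                vhost_cas.append((ca, strict))
            in_vhost = False
        elif key in ('customlog', 'logformat') and MODSSL_LOG_VAR.search(raw):
            hits.add('CVE-2024-47252')
        elif key == 'sslengine' and arg.lower() == 'optional':
            hits.add('CVE-2025-49812')
        elif key in ('sslcacertificatefile', 'sslcacertificatepath') and in_vhost:
            ca = arg
        elif key == 'sslstrictsnivhostcheck' and arg.lower() == 'on':
            if in_vhost:
                strict = True
            else:
                global_strict = True
    restricted_differently = len({c for c, _ in vhost_cas}) > 1
    if restricted_differently and not (global_strict or all(s for _, s in vhost_cas)):
        hits.add('CVE-2025-23048')
    return hits
```

A hit means the configuration matches a precondition from the CVE text, not that the host was attacked; the fix in every case is the package update above.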
Additional information:
N/A
Download:
SRPMS
- httpd-2.4.62-4.el9_6.4.src.rpm
Size: 7.63 MB
Asianux Server 9 for x86_64
- httpd-2.4.62-4.el9_6.4.x86_64.rpm
Size: 49.89 kB
- httpd-core-2.4.62-4.el9_6.4.x86_64.rpm
Size: 1.48 MB
- httpd-devel-2.4.62-4.el9_6.4.x86_64.rpm
Size: 210.25 kB
- httpd-filesystem-2.4.62-4.el9_6.4.noarch.rpm
Size: 11.42 kB
- httpd-manual-2.4.62-4.el9_6.4.noarch.rpm
Size: 2.30 MB
- httpd-tools-2.4.62-4.el9_6.4.x86_64.rpm
Size: 83.50 kB
- mod_ldap-2.4.62-4.el9_6.4.x86_64.rpm
Size: 59.14 kB
- mod_lua-2.4.62-4.el9_6.4.x86_64.rpm
Size: 58.21 kB
- mod_proxy_html-2.4.62-4.el9_6.4.x86_64.rpm
Size: 34.03 kB
- mod_session-2.4.62-4.el9_6.4.x86_64.rpm
Size: 46.05 kB
- mod_ssl-2.4.62-4.el9_6.4.x86_64.rpm
Size: 107.98 kB