httpd-2.2.3-87.0.1.AXS3
Errata ID: AXSA:2014-466:02
Release date:
2014/07/24 Thursday - 14:52
Title:
httpd-2.2.3-87.0.1.AXS3
Affected channels:
Asianux Server 3 for x86
Asianux Server 3 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The deflate_in_filter function in mod_deflate.c in the Apache HTTP Server, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size. (CVE-2014-0118)
- A race condition in the mod_status module of the Apache HTTP Server allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. (CVE-2014-0226)
- The Apache HTTP Server has no timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor. (CVE-2014-0231)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2014-0118
The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.
CVE-2014-0226
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.
CVE-2014-0231
The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.
Additional information:
N/A
Downloads:
SRPMS
- httpd-2.2.3-87.0.1.AXS3.src.rpm
MD5: 0068ad4c4652040644706b44057b027d
SHA-256: 428c573817978ccaf106239819f54217e80e0c5929519e57440027d60c367505
Size: 6.29 MB
Asianux Server 3 for x86
- httpd-2.2.3-87.0.1.AXS3.i386.rpm
MD5: 3dbb17ee0ef723f5200000f13864e3e8
SHA-256: b82bff76cc94c6ca37d980ef227ff766e06484c83f696b503fe102081271127b
Size: 1.12 MB
- httpd-devel-2.2.3-87.0.1.AXS3.i386.rpm
MD5: c7d5f6ef27e77cd0c750ba4bd806d4ea
SHA-256: be5ae0001edd6b5af90db41493fc36fe4e242c0f49d3d1180df7ca1e49df65aa
Size: 155.86 kB
- httpd-manual-2.2.3-87.0.1.AXS3.i386.rpm
MD5: 0c2b7da763dcb1026f53e73a9b42146f
SHA-256: 84306ec9ca28bd6e338447eb8d4f3c8286345fa4dce908b5728b81964bd57c43
Size: 819.30 kB
- mod_ssl-2.2.3-87.0.1.AXS3.i386.rpm
MD5: f13e0b515810e908070e5042b9b24dff
SHA-256: 5a6afb7d2897dca09b95c3988e1b9a39ad8810155063ace435fb64c742019836
Size: 97.52 kB
Asianux Server 3 for x86_64
- httpd-2.2.3-87.0.1.AXS3.x86_64.rpm
MD5: e2022079487109811d28fb2dca18f8b4
SHA-256: def4ce7f79be732ee8c8e49d3b289e3f425f247f9654b1fbe61864f61d07ff08
Size: 1.13 MB
- httpd-devel-2.2.3-87.0.1.AXS3.x86_64.rpm
MD5: 6259c98206858ec19396d4c748a013ee
SHA-256: ae1396e744921e87c878de0ca4559c52845932208535b59d36b67d1e1e2c425b
Size: 155.80 kB
- httpd-manual-2.2.3-87.0.1.AXS3.x86_64.rpm
MD5: 2dad23e2a94ccc2043601ee9574d7837
SHA-256: 3fd3b4824b6dec22ab3a39b012a87b091f000acdf0b011a16aec174a67c3b405
Size: 819.29 kB
- mod_ssl-2.2.3-87.0.1.AXS3.x86_64.rpm
MD5: 8bd4411cb761d677c4335ce4632831e9
SHA-256: a9580111d2cba85b5b8ff91ddbf56cf9864d613d2450673afd29f3783ee32a05
Size: 98.37 kB