httpd-2.4.6-40.4.0.1.el7.AXS7
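Errata ID: AXSA:2016-568:02
[Changes]
The following issues have been addressed.
[Security Fix]
- The Apache HTTP Server follows RFC 3875 section 4.1.18 and therefore does not protect applications from untrusted client data in the HTTP_PROXY environment variable, so a remote attacker may be able to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request. (CVE-2016-5387)
Some of the CVE translations are quoted from JVN.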
http://jvndb.jvn.jp/
Fixed bugs:
* In a caching proxy configuration, the mod_cache module would treat content as stale if the Expires header changed when refreshing a cached response. As a consequence, an origin server returning content without a fixed Expires header would not be treated as cacheable. The mod_cache module has been fixed to ignore changes in the Expires header when refreshing content. As a result, such content is now cacheable, improving performance and reducing load at the origin server.
* The HTTP status code 451 "Unavailable For Legal Reasons" was not usable in the httpd configuration. As a consequence, modules such as mod_rewrite could not be configured to return a 451 error if required for legal purposes. The 451 status code has been added to the list of available error codes, and modules can now be configured to return a 451 error if required.
Please update the packages.
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.
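The header-to-variable mapping behind this issue, as an added example that is not part of the original advisory or of the httpd source. It models the RFC 3875 section 4.1.18 naming rule and compares the CGI child environment with and without the Proxy header filtered out; the function names, the sample request, and the choice to model the mitigation as dropping the header before the mapping are assumptions made for illustration.

```python
# Constructed model of the RFC 3875 section 4.1.18 mapping; not httpd source code.

# Constructed sample request; proxy.invalid is a placeholder host.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("Accept-Language", "ja"),
    ("Proxy", "http://proxy.invalid:8080"),
]

# Constructed environment of the server process before the request arrives.
SERVER_ENV = {"PATH": "/usr/bin"}


def cgi_meta_variables(headers, drop=()):
    """Return the HTTP_* meta-variables a CGI gateway would export.

    headers: (name, value) pairs as received from the client.
    drop:    header names (case-insensitive) the gateway refuses to forward.
    """
    blocked = {name.lower() for name in drop}
    env = {}
    for name, value in headers:
        if name.lower() in blocked:
            continue
        # Section 4.1.18: upper-case the name, replace "-" with "_", prefix "HTTP_".
        key = "HTTP_" + name.upper().replace("-", "_")
        # Repeated header fields are folded into one comma-separated value.
        env[key] = f"{env[key]}, {value}" if key in env else value
    return env


def child_environment(server_env, headers, drop=()):
    """Environment the CGI child process would start with."""
    env = dict(server_env)
    env.update(cgi_meta_variables(headers, drop))
    return env


def proxy_seen_by_client_library(env):
    """Proxy a library that honours HTTP_PROXY would use for outbound requests."""
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    for label, drop in (("unfiltered", ()), ("Proxy dropped", ("Proxy",))):
        env = child_environment(SERVER_ENV, SAMPLE_HEADERS, drop)
        print(f"{label}: outbound proxy = {proxy_seen_by_client_library(env)}")
```
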
SRPMS
- httpd-2.4.6-40.4.0.1.el7.AXS7.src.rpm
MD5: f661de5b4072b37f5173ba8301183068
SHA-256: 27f0f0882fc3ede1e06328eac691730a3fa595e3abbf8ddfb89cac18bcccbdeb
Size: 4.87 MB
Asianux Server 7 for x86_64
- httpd-2.4.6-40.4.0.1.el7.AXS7.x86_64.rpm
MD5: 4bbc4bde1777f9c89ea0fb7d336a2c60
SHA-256: 7622f1dade3f7f7e303761858fabe5a58409b08b1f713a0120da3278adc32b7c
Size: 1.17 MB
- httpd-devel-2.4.6-40.4.0.1.el7.AXS7.x86_64.rpm
MD5: 28586bd3ba05270129a662779cc3b7a3
SHA-256: ed96f65a9d3dc315c0ef6790bdc31126c29ebd0ac68a703ab3a24bb30c1bc258
Size: 186.69 kB
- httpd-manual-2.4.6-40.4.0.1.el7.AXS7.noarch.rpm
MD5: ead8294b8deecc3610b9fd0097cbf434
SHA-256: 4374497da60cf94ca9b58a47ff846436c8dea975ef1b4651b7cffd5ee7f2adfe
Size: 1.33 MB
- httpd-tools-2.4.6-40.4.0.1.el7.AXS7.x86_64.rpm
MD5: 1cf1763a97e29eb4c95b19266f4249fe
SHA-256: 53adb4af7292fad8812b3c5e79c8d43f8c7b2e0f2da12c3903dd5591ef4e4373
Size: 81.55 kB
- mod_ssl-2.4.6-40.4.0.1.el7.AXS7.x86_64.rpm
MD5: b5537cfe6fff4e353fc7d7a5a9af7735
SHA-256: bf2edb168d3fec64ebcc618fcf132c56318c4775bf7a5720b39666e093df8c55
Size: 102.71 kB