httpd-2.4.6-45.4.0.1.el7.AXS7
エラータID: AXSA:2017-1628:01
リリース日:
2017/04/21 Friday - 18:11
題名:
httpd-2.4.6-45.4.0.1.el7.AXS7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- 現時点では CVE-2016-0736, CVE-2016-2161, CVE-2016-8743
の情報が公開されておりません。
CVE の情報が公開され次第情報をアップデートいたします。
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2016-0736
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
CVE-2016-2161
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
CVE-2016-8743
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
追加情報:
N/A
ダウンロード:
SRPMS
- httpd-2.4.6-45.4.0.1.el7.AXS7.src.rpm
MD5: 05bf6bd4cc9d6ea061e0a8fc4ce13735
SHA-256: c4224cb399848fc27cffb8a14f53ba5470d37380f7e2f1fb3d96fee3f37ae999
Size: 4.90 MB
Asianux Server 7 for x86_64
- httpd-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
MD5: 93f90dcbb8388a8d1255c3c2c2213f30
SHA-256: 0e916325650ce4a301a076ad21ab396cd44e6eff29fad64429c6dc7e77eb900d
Size: 1.18 MB - httpd-devel-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
MD5: a9c44f624be1599198c745259bbda92c
SHA-256: 94cf82320ebe35383116ddbbf8990041e1352dcde3de4f849ebe63f6ec3594b0
Size: 188.85 kB - httpd-manual-2.4.6-45.4.0.1.el7.AXS7.noarch.rpm
MD5: 4fbe1074137b8c3ec27fe8cab611ccf1
SHA-256: 00eb7563cdb3ce35fd856f0a349932bddaf9af2dad1cb8f20b2e9daeae46fe1c
Size: 1.33 MB - httpd-tools-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
MD5: 925ddaed03f1cf640ddae437573ff3d6
SHA-256: b647e6663b240ef6091fd0e8fd63f233ce3053965e76efa0e5aebc3810b331b4
Size: 83.37 kB - mod_ssl-2.4.6-45.4.0.1.el7.AXS7.x86_64.rpm
MD5: 0383dfd74e24a2c9793f17affbbdabd3
SHA-256: 99fa5d24f0310212802fff9ce277e878196e95ab6f294f68456d9d3989cc3dd2
Size: 104.33 kB