httpd24-httpd-2.4.25-9.AXS4

エラータID: AXSA:2017-1637:01

リリース日: 
2017/04/27 Thursday - 10:43
題名: 
httpd24-httpd-2.4.25-9.AXS4
影響のあるチャネル: 
Asianux Server 4 for x86_64
Severity: 
Moderate
Description: 

The Apache HTTP Server is a powerful, efficient, and extensible
web server.

Security issues fixed with this release:

CVE-2016-0736
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-1546
The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled,
does not limit the number of simultaneous stream workers for a single
HTTP/2 connection, which allows remote attackers to cause a denial of
service (stream-processing outage) via modified flow-control windows.
CVE-2016-2161
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-8740
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23,
when the Protocols configuration includes h2 or h2c, does not restrict
request-header length, which allows remote attackers to cause a denial
of service (memory consumption) via crafted CONTINUATION frames in an
HTTP/2 request.
CVE-2016-8743
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

解決策: 

Update package.

CVE: 
CVE-2016-0736
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
CVE-2016-1546
The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows.
CVE-2016-2161
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
CVE-2016-8740
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.
CVE-2016-8743
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. httpd24-httpd-2.4.25-9.AXS4.src.rpm
    MD5: 242e6cda878a1975772ecae3cff8ddc9
    SHA-256: 1e372ca079866f18f8402202db0915ab072762b5965573dc0440a51614b651ec
    Size: 6.19 MB

Asianux Server 4 for x86_64
  1. httpd24-httpd-2.4.25-9.AXS4.x86_64.rpm
    MD5: 74dba98ae7a0084700350fd2114fc645
    SHA-256: eab4f02c21726aa0774c048e0ff466099aa6d4a3ef31d0f841b8541ad4d04ed2
    Size: 1.24 MB
  2. httpd24-httpd-devel-2.4.25-9.AXS4.x86_64.rpm
    MD5: 4cb2b6684800d0a6b0bb25b4da768bec
    SHA-256: c36450c93bbec45de4a6814dfc5e8e5827ab54ddc7a0ed6121dfa5928b80bc1f
    Size: 202.36 kB
  3. httpd24-httpd-manual-2.4.25-9.AXS4.noarch.rpm
    MD5: 8cb02b4fc266e234f95d48a2de74342e
    SHA-256: 9eb2e8c39ecdf5d4d4cd409c53a24528773f2d5977aa32fed2489792c4fb7e68
    Size: 2.35 MB
  4. httpd24-httpd-tools-2.4.25-9.AXS4.x86_64.rpm
    MD5: 3f5f9c92637afd9980e0e9b4bfcbcd93
    SHA-256: c26be8ace2a98a0f719f2330d5758a748ade1e7e54a1c5601751166d7d4bc5d5
    Size: 78.75 kB
  5. httpd24-mod_ldap-2.4.25-9.AXS4.x86_64.rpm
    MD5: 78e2a9c051edfa772174614367ca923f
    SHA-256: e669904745520c04c6dee1f45c620df2bf7337bdb2fff409ad7903d06bf41f05
    Size: 62.20 kB
  6. httpd24-mod_proxy_html-2.4.25-9.AXS4.x86_64.rpm
    MD5: 517b46effbc9cf881265f15b03e33a13
    SHA-256: d46dd61717ae5b1968a491a3581e562ced5ef94a575dc12e657d3743849d18c0
    Size: 40.42 kB
  7. httpd24-mod_session-2.4.25-9.AXS4.x86_64.rpm
    MD5: d6d4737badd8977e221b83e2d1fb3566
    SHA-256: 8ae3391361b09fee1b37cf21ef1de3064edb1d94ad20231d5fa70b698d02aba0
    Size: 48.18 kB
  8. httpd24-mod_ssl-2.4.25-9.AXS4.x86_64.rpm
    MD5: 5edac1ac5832cd93cf39000c2f08ff39
    SHA-256: e23ae3a96a21f4fea21f9e8ddf68cdd16bcdfc3cf3d300f2879b445684942e7c
    Size: 103.10 kB