httpd24-httpd-2.4.25-9.el7
Errata ID: AXSA:2017-1638:01
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
Security issues fixed with this release:
CVE-2016-0736
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-1546
The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled,
does not limit the number of simultaneous stream workers for a single
HTTP/2 connection, which allows remote attackers to cause a denial of
service (stream-processing outage) via modified flow-control windows.
CVE-2016-2161
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-8740
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23,
when the Protocols configuration includes h2 or h2c, does not restrict
request-header length, which allows remote attackers to cause a denial
of service (memory consumption) via crafted CONTINUATION frames in an
HTTP/2 request.
CVE-2016-8743
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
Update package.
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows.
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
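As an added illustration of the last item above (not code from httpd or from this advisory), the following Python checker tests a request head against the RFC 7230 grammar and reports the whitespace forms a strict parser rejects. The function name, finding codes and sample requests are constructed for this example.

```python
import re

# Grammar from RFC 7230; illustrative checker, not httpd's own parser.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# request-line = method SP request-target SP HTTP-version (single SP only)
REQUEST_LINE = re.compile(TOKEN + rb" [\x21-\x7e]+ HTTP/\d\.\d")
# header-field = field-name ":" OWS field-value OWS (no space before ":")
HEADER_LINE = re.compile(TOKEN + rb":[\t\x20-\x7e\x80-\xff]*")


def audit_request_head(head: bytes) -> list:
    """Return finding codes for whitespace the RFC 7230 grammar does not allow.

    `head` is the request line plus header lines, without the message body.
    """
    findings = []
    # Lines must end in CRLF; a lone CR or LF may be treated as a line
    # break by one hop in a proxy chain and not by the next.
    if re.search(rb"\r(?!\n)|(?<!\r)\n", head):
        findings.append("bare-cr-or-lf")
    lines = [ln for ln in re.split(rb"\r\n|\r|\n", head) if ln]
    if not lines or not REQUEST_LINE.fullmatch(lines[0]):
        findings.append("bad-request-line")
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            findings.append("obs-fold")          # folded continuation line
        elif not HEADER_LINE.fullmatch(line):
            findings.append("bad-header-line")   # e.g. space before the colon
    return findings


# Constructed sample request heads (not captured traffic).
SAMPLES = {
    "conformant": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "tab-separator": b"GET\t/index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "double-space": b"GET  /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "space-before-colon": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Example : 1\r\n\r\n",
    "bare-lf": b"GET / HTTP/1.1\nHost: example.test\n\n",
    "folded-header": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Example: a\r\n b\r\n\r\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:20} {audit_request_head(head) or 'ok'}")
```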
N/A
SRPMS
- httpd24-httpd-2.4.25-9.el7.src.rpm
MD5: a7e3d73aba677236a39ce4979588ee85
SHA-256: 40956b0084c37fe1401b45875b497786421586c87c8008c714e51fc29f8a91d8
Size: 6.19 MB
Asianux Server 7 for x86_64
- httpd24-httpd-2.4.25-9.el7.x86_64.rpm
MD5: fc924b896b13719cdd15846dcbdc5ca2
SHA-256: 70e18dc87af8494a57e96e88d6291db2154405f67ca89694c28c54cc069e6ef8
Size: 1.34 MB
- httpd24-httpd-devel-2.4.25-9.el7.x86_64.rpm
MD5: 901d5192b6d1d4d52fd3bd8e1aacb006
SHA-256: 4c34c0396d0211ddaa26d2d1bb0a412528563ad343f0cbb579ebade0012c8c6b
Size: 199.77 kB
- httpd24-httpd-manual-2.4.25-9.el7.noarch.rpm
MD5: 80f26570a2e3146019cf043d9b21efdf
SHA-256: 361bd1d007ae8dc0970dcb4c5c95c6727ae67c2f564ea498326a76e09f1e65b9
Size: 2.31 MB
- httpd24-httpd-tools-2.4.25-9.el7.x86_64.rpm
MD5: 9b92707d73f8fb9072cc8031f1e0e01b
SHA-256: 6ff87988f20c1c915d22e9b2ac2a80bec0e5a68042e0be7db7476dedc3536d44
Size: 83.70 kB
- httpd24-mod_ldap-2.4.25-9.el7.x86_64.rpm
MD5: 1bafbe9f834c7e32d00a9a3ea94c1a83
SHA-256: 23edd3304eb279701a5ad45dbba633a97ecf3728884857402c6f4fd855815de5
Size: 64.54 kB
- httpd24-mod_proxy_html-2.4.25-9.el7.x86_64.rpm
MD5: e1dd331ba07dd01dd7972f09b543fd37
SHA-256: 8e58f3e89f1f04021879dc9895b0cc6026d4757eed9d0b2ced7111cc98f6db77
Size: 42.25 kB
- httpd24-mod_session-2.4.25-9.el7.x86_64.rpm
MD5: 3d298d44b1dccef78ed93918ca37b68e
SHA-256: 98e53b5acb15b3130a04bed952dca398a61110c6366b4bafad88ca12e091cc4d
Size: 53.35 kB
- httpd24-mod_ssl-2.4.25-9.el7.x86_64.rpm
MD5: ba3bd43d565778fe6676b9beeb220e12
SHA-256: 9c94bb5ac6b7e61754f99f43b7770fd83daa0d8818696a0fef8f5d090e3e614c
Size: 105.66 kB