httpd24-httpd-2.4.25-9.el7

エラータID: AXSA:2017-1638:01

リリース日: 
2017/04/27 Thursday - 11:33
題名: 
httpd24-httpd-2.4.25-9.el7
影響のあるチャネル: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

The Apache HTTP Server is a powerful, efficient, and extensible
web server.

Security issues fixed with this release:

CVE-2016-0736
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-1546
The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled,
does not limit the number of simultaneous stream workers for a single
HTTP/2 connection, which allows remote attackers to cause a denial of
service (stream-processing outage) via modified flow-control windows.
CVE-2016-2161
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-8740
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23,
when the Protocols configuration includes h2 or h2c, does not restrict
request-header length, which allows remote attackers to cause a denial
of service (memory consumption) via crafted CONTINUATION frames in an
HTTP/2 request.
CVE-2016-8743
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

解決策: 

Update package.

CVE: 
CVE-2016-0736
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
CVE-2016-1546
The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows.
CVE-2016-2161
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
CVE-2016-8740
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.
CVE-2016-8743
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. httpd24-httpd-2.4.25-9.el7.src.rpm
    MD5: a7e3d73aba677236a39ce4979588ee85
    SHA-256: 40956b0084c37fe1401b45875b497786421586c87c8008c714e51fc29f8a91d8
    Size: 6.19 MB

Asianux Server 7 for x86_64
  1. httpd24-httpd-2.4.25-9.el7.x86_64.rpm
    MD5: fc924b896b13719cdd15846dcbdc5ca2
    SHA-256: 70e18dc87af8494a57e96e88d6291db2154405f67ca89694c28c54cc069e6ef8
    Size: 1.34 MB
  2. httpd24-httpd-devel-2.4.25-9.el7.x86_64.rpm
    MD5: 901d5192b6d1d4d52fd3bd8e1aacb006
    SHA-256: 4c34c0396d0211ddaa26d2d1bb0a412528563ad343f0cbb579ebade0012c8c6b
    Size: 199.77 kB
  3. httpd24-httpd-manual-2.4.25-9.el7.noarch.rpm
    MD5: 80f26570a2e3146019cf043d9b21efdf
    SHA-256: 361bd1d007ae8dc0970dcb4c5c95c6727ae67c2f564ea498326a76e09f1e65b9
    Size: 2.31 MB
  4. httpd24-httpd-tools-2.4.25-9.el7.x86_64.rpm
    MD5: 9b92707d73f8fb9072cc8031f1e0e01b
    SHA-256: 6ff87988f20c1c915d22e9b2ac2a80bec0e5a68042e0be7db7476dedc3536d44
    Size: 83.70 kB
  5. httpd24-mod_ldap-2.4.25-9.el7.x86_64.rpm
    MD5: 1bafbe9f834c7e32d00a9a3ea94c1a83
    SHA-256: 23edd3304eb279701a5ad45dbba633a97ecf3728884857402c6f4fd855815de5
    Size: 64.54 kB
  6. httpd24-mod_proxy_html-2.4.25-9.el7.x86_64.rpm
    MD5: e1dd331ba07dd01dd7972f09b543fd37
    SHA-256: 8e58f3e89f1f04021879dc9895b0cc6026d4757eed9d0b2ced7111cc98f6db77
    Size: 42.25 kB
  7. httpd24-mod_session-2.4.25-9.el7.x86_64.rpm
    MD5: 3d298d44b1dccef78ed93918ca37b68e
    SHA-256: 98e53b5acb15b3130a04bed952dca398a61110c6366b4bafad88ca12e091cc4d
    Size: 53.35 kB
  8. httpd24-mod_ssl-2.4.25-9.el7.x86_64.rpm
    MD5: ba3bd43d565778fe6676b9beeb220e12
    SHA-256: 9c94bb5ac6b7e61754f99f43b7770fd83daa0d8818696a0fef8f5d090e3e614c
    Size: 105.66 kB