httpd-2.2.15-60.6.0.1.AXS4
Errata ID: AXSA:2017-2391:05
Release date:
2017/11/02 Thursday - 17:53
Subject:
httpd-2.2.15-60.6.0.1.AXS4
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
Moderate
Description:
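The following issues have been addressed.
[Security Fix]
- Apache httpd has a vulnerability, also known as Optionsbleed, that allows
an attacker to read sensitive data when the Limit directive can be set in a
user's .htaccess file or when httpd.conf is misconfigured. (CVE-2017-9798)
- httpd has a regression bug that causes comments in "Allow" and "Deny"
configuration lines to be parsed incorrectly. As a result, a web
administrator could unintentionally allow access to restricted HTTP
resources. (CVE-2017-12171)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE: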
CVE-2017-12171
A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd 2.2.15-60, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource.
CVE-2017-9798
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
Additional information:
N/A
Download:
SRPMS
- httpd-2.2.15-60.6.0.1.AXS4.src.rpm
MD5: 88fd6decf2f7d59394fbc96f15e31409
SHA-256: 59b3caa36511b08ae14e8a3e3d45df696369b2811e6ae0271ecb584171f28b34
Size: 6.49 MB
Asianux Server 4 for x86
- httpd-2.2.15-60.6.0.1.AXS4.i686.rpm
MD5: 930a9be4e98d359e28753c3e8a6ce1c6
SHA-256: c39e180984809f03e31397d076fb51c51954ccb4aeb2bc19c93450a368033e0d
Size: 845.20 kB
- httpd-devel-2.2.15-60.6.0.1.AXS4.i686.rpm
MD5: b5dce4ba8cdbe020bee90a8c160d5314
SHA-256: ce497555b84cb299095909503c2f7d2f287c2a33beb7e3b92abb50e3f7051837
Size: 158.09 kB
- httpd-manual-2.2.15-60.6.0.1.AXS4.noarch.rpm
MD5: f447f4963bd80b83ce26cd8afa510d3f
SHA-256: 78070182f41d1d93cdf0e66b4c6dfc3a8caf1780303227c074632ce1e3c7530f
Size: 791.93 kB
- httpd-tools-2.2.15-60.6.0.1.AXS4.i686.rpm
MD5: ed8ef9b34e752d657e6c1a97a1540fe0
SHA-256: 1a88cc7bc864a0e567957a1731f2b6f55686248fbb101d054229fc89d9131573
Size: 80.52 kB
- mod_ssl-2.2.15-60.6.0.1.AXS4.i686.rpm
MD5: b5eada10b399e55599c3e7a9f914898e
SHA-256: 2e5c97a7261406f31c7932bb9107c1217373d7cbdbccaae0d38230e900677d49
Size: 99.08 kB
Asianux Server 4 for x86_64
- httpd-2.2.15-60.6.0.1.AXS4.x86_64.rpm
MD5: 1a8b6b0b702260379e961b115673e86e
SHA-256: fb83e38fd3b35a5e13efae6c2f1585d188e878f1cc44753a37e41e935d419399
Size: 837.84 kB
- httpd-devel-2.2.15-60.6.0.1.AXS4.x86_64.rpm
MD5: c2395b646f019a88238f07a4de034f32
SHA-256: 4dbcad3d04503cb5d544a8afcfdd8af1bbe3984544ba0f441d4e5c5e452f23ab
Size: 157.64 kB
- httpd-manual-2.2.15-60.6.0.1.AXS4.noarch.rpm
MD5: 35e1d8ec6e366c0d29b20f8e051b2f91
SHA-256: 7889ba545d36701c26617a8ab41a6a25b26a20ea649aafe54b611926be295e1d
Size: 791.46 kB
- httpd-tools-2.2.15-60.6.0.1.AXS4.x86_64.rpm
MD5: 02dd59f8527528a3b9a80133f563477a
SHA-256: e3b9b26aad2b7bf28f660d16db3bfc547d6c1fe8adc6ba77d2efd4c742bc9c97
Size: 79.51 kB
- mod_ssl-2.2.15-60.6.0.1.AXS4.x86_64.rpm
MD5: d9581ccb67d630a2f59cf7ed0d34fa0a
SHA-256: e2ebed6c9887970dd59520ab9c946e05c16350e85ec8abf73d18639b8a1fd03d
Size: 97.70 kB
- httpd-devel-2.2.15-60.6.0.1.AXS4.i686.rpm
MD5: b5dce4ba8cdbe020bee90a8c160d5314
SHA-256: ce497555b84cb299095909503c2f7d2f287c2a33beb7e3b92abb50e3f7051837
Size: 158.09 kB