ELSA-2019-0980

Published: 30 Jul 2019
Source: oracle-oval
Platform: Oracle Linux 8

Description

ELSA-2019-0980: httpd:2.4 security update (IMPORTANT)

httpd [2.4.37-11.0.1]

  • Set vstring per ORACLE_SUPPORT_PRODUCT [Orabug: 29892262]
  • Replace index.html with Oracle's index page oracle_index.html

[2.4.37-11]

  • Resolves: #1695431 - CVE-2019-0211 httpd: privilege escalation from modules scripts
  • Resolves: #1696090 - CVE-2019-0215 httpd:2.4/httpd: mod_ssl: access control bypass when using per-location client certification authentication

mod_http2 [1.11.3-2]

  • update release (#1695587)

Updated packages

Oracle Linux 8

Oracle Linux aarch64

Module httpd:2.4 is enabled

  • httpd: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • httpd-devel: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • httpd-filesystem: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • httpd-manual: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • httpd-tools: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • mod_http2: 1.11.3-2.module+el8.0.0+5209+a98d70d6
  • mod_ldap: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • mod_md: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • mod_proxy_html: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • mod_session: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • mod_ssl: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6

Oracle Linux x86_64

Module httpd:2.4 is enabled

  • httpd: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • httpd-devel: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • httpd-filesystem: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • httpd-manual: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • httpd-tools: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • mod_http2: 1.11.3-2.module+el8.0.0+5209+a98d70d6
  • mod_ldap: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • mod_md: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • mod_proxy_html: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • mod_session: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6
  • mod_ssl: 2.4.37-11.0.1.module+el8.0.0+5209+a98d70d6

Related CVEs

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 7 years ago

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

CVSS3: 6.8
redhat
almost 7 years ago

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

CVSS3: 7.5
nvd
almost 7 years ago

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

CVSS3: 7.5
debian
almost 7 years ago

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl ...

CVSS3: 7.8
ubuntu
almost 7 years ago

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.