Description
ELSA-2019-2893: httpd:2.4 security update (IMPORTANT)
httpd [2.4.37-12.0.1]
- Set vstring per ORACLE_SUPPORT_PRODUCT [Orabug: 29892262]
- Replace index.html with Oracle's index page oracle_index.html
[2.4.37-12]
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request for large response leads to denial of service
mod_http2 [1.11.3-3]
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request for large response leads to denial of service
Updated packages
Oracle Linux 8
Oracle Linux aarch64
Module httpd:2.4 is enabled
httpd  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
httpd-devel  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
httpd-filesystem  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
httpd-manual  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
httpd-tools  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
mod_http2  1.11.3-3.module+el8.0.0+5348+de75177e
mod_ldap  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
mod_md  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
mod_proxy_html  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
mod_session  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
mod_ssl  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
Oracle Linux x86_64
Module httpd:2.4 is enabled
httpd  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
httpd-devel  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
httpd-filesystem  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
httpd-manual  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
httpd-tools  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
mod_http2  1.11.3-3.module+el8.0.0+5348+de75177e
mod_ldap  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
mod_md  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
mod_proxy_html  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
mod_session  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
mod_ssl  2.4.37-12.0.1.module+el8.0.0+5348+de75177e
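A defender-side check, added here and not part of the advisory or of the httpd project: it compares installed VERSION-RELEASE strings against the fixed builds listed above using an rpm-style segment comparison, so a host still on an older release of the same module stream is flagged. Assumptions: the simplified rpmvercmp (no handling of the '~' and '^' modifiers, no epoch), the package subset in FIXED, and the `rpm -qa --qf` output format it consumes.

```python
import re
import subprocess

# Fixed version-release strings from this advisory (Oracle Linux 8, module httpd:2.4).
FIXED = {
    "httpd": "2.4.37-12.0.1.module+el8.0.0+5348+de75177e",
    "mod_http2": "1.11.3-3.module+el8.0.0+5348+de75177e",
    "mod_ssl": "2.4.37-12.0.1.module+el8.0.0+5348+de75177e",
}

def rpmvercmp(a, b):
    """rpm-style comparison of one version or release string against another.
    Returns 1 if a is newer, -1 if older, 0 if equal. Assumed simplification:
    the '~' and '^' modifiers rpm also understands are not handled here."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)   # separators ('.', '+', '_') are dropped
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():        # numeric segments compare as integers
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():       # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:                           # alphabetic segments compare as strings
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # the longer string is newer

def is_fixed(name, installed_vr):
    """True if the installed VERSION-RELEASE is at or above the advisory's fixed build."""
    inst_v, _, inst_r = installed_vr.rpartition("-")
    fix_v, _, fix_r = FIXED[name].rpartition("-")
    return (rpmvercmp(inst_v, fix_v) or rpmvercmp(inst_r, fix_r)) >= 0

def check_installed(lines):
    """lines: 'NAME VERSION-RELEASE' rows as printed by rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'.
    Returns {name: patched?} for the packages this advisory covers; other packages are ignored."""
    result = {}
    for line in lines:
        name, _, vr = line.strip().partition(" ")
        if name in FIXED:
            result[name] = is_fixed(name, vr)
    return result

if __name__ == "__main__":
    rpm = subprocess.run(["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n"],
                         capture_output=True, text=True, check=True)
    for name, ok in check_installed(rpm.stdout.splitlines()).items():
        print(f"{name}: {'patched' if ok else 'below ELSA-2019-2893 fixed build'}")
```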
Related CVEs
Related vulnerabilities
Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.