Description
ELSA-2020-3714: httpd:2.4 security update (IMPORTANT)
mod_http2 [1.11.3-3.1]
- Resolves: #1869072 - CVE-2020-9490 httpd:2.4/mod_http2: httpd: Push diary crash on specifically crafted HTTP/2 header
Updated packages
Oracle Linux 8
Oracle Linux aarch64
Module httpd:2.4 is enabled
httpd             2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
httpd-devel       2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
httpd-filesystem  2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
httpd-manual      2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
httpd-tools       2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
mod_http2         1.11.3-3.module+el8.2.0+7789+dac765eb.1
mod_ldap          2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
mod_md            2.0.8-7.module+el8.2.0+5576+c083ffcb
mod_proxy_html    2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
mod_session       2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
mod_ssl           2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
Oracle Linux x86_64
Module httpd:2.4 is enabled
httpd             2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
httpd-devel       2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
httpd-filesystem  2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
httpd-manual      2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
httpd-tools       2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
mod_http2         1.11.3-3.module+el8.2.0+7789+dac765eb.1
mod_ldap          2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
mod_md            2.0.8-7.module+el8.2.0+5576+c083ffcb
mod_proxy_html    2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
mod_session       2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
mod_ssl           2.4.37-21.0.1.module+el8.2.0+5576+c083ffcb
Related CVEs
Related vulnerabilities
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.