Описание
ELSA-2024-3121: httpd:2.4 security update (MODERATE)
httpd [2.4.37-64.0.1]
- Replace index.html with Oracle's index page oracle_index.html
[2.4.37-64]
- Resolves: RHEL-14448 - httpd: mod_macro: out-of-bounds read vulnerability (CVE-2023-31122)
[2.4.37-63]
- mod_xml2enc: fix media type handling Resolves: RHEL-14321
mod_http2 [1.15.7-10]
- Resolves: RHEL-29817 - httpd:2.4/mod_http2: httpd: CONTINUATION frames DoS (CVE-2024-27316)
[1.15.7-9.3]
- Resolves: RHEL-13367 - httpd:2.4/mod_http2: reset requests exhaust memory (incomplete fix of CVE-2023-44487)(CVE-2023-45802)
[1.15.7-8.3]
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting with mod_rewrite and mod_proxy
[1.15.7-7]
- Resolves: #2095650 - Dependency from mod_http2 on httpd broken
[1.15.7-6]
- Backport SNI feature refactor
- Resolves: rhbz#2137257
[1.15.7-5]
- Resolves: #2035030 - CVE-2021-44224 httpd:2.4/httpd: possible NULL dereference or SSRF in forward proxy configurations
[1.15.7-4]
- Resolves: #1966728 - CVE-2021-33193 httpd:2.4/mod_http2: httpd: Request splitting via HTTP/2 method injection and mod_proxy
[1.15.7-3]
- Resolves: #1869077 - CVE-2020-11993 httpd:2.4/mod_http2: httpd: mod_http2 concurrent pool usage
[1.15.7-2]
- Resolves: #1869073 - CVE-2020-9490 httpd:2.4/mod_http2: httpd: Push diary crash on specifically crafted HTTP/2 header
[1.15.7-1]
- new version 1.15.7
- Resolves: #1814236 - RFE: mod_http2 rebase
- Resolves: #1747289 - CVE-2019-10082 httpd:2.4/mod_http2: httpd: read-after-free in h2 connection shutdown
- Resolves: #1696099 - CVE-2019-0197 httpd:2.4/mod_http2: httpd: mod_http2: possible crash on late upgrade
- Resolves: #1696094 - CVE-2019-0196 httpd:2.4/mod_http2: httpd: mod_http2: read-after-free on a string compare
- Resolves: #1677591 - CVE-2018-17189 httpd:2.4/mod_http2: httpd: mod_http2: DoS via slow, unneeded request bodies
[1.11.3-3]
- Resolves: #1744999 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount of data request leads to denial of service
- Resolves: #1745086 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length headers leads to denial of service
- Resolves: #1745154 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request for large response leads to denial of service
[1.11.3-2]
- update release (#1695587)
[1.11.3-1]
- new version 1.11.3
- Resolves: #1633401 - CVE-2018-11763 mod_http2: httpd: DoS for HTTP/2 connections by continuous SETTINGS
[1.10.20-1]
- update to 1.10.20
[1.10.18-1]
- update to 1.10.18
[1.10.16-1]
- update to 1.10.16 (CVE-2018-1302)
[1.10.13-2]
[1.10.13-1]
- update to 1.10.13
[1.10.12-1]
- update to 1.10.12
[1.10.10-2]
[1.10.10-1]
- update to 1.10.10
[1.10.7-2]
[1.10.7-1]
- update to 1.10.7
[1.10.6-1]
- update to 1.10.6
[1.10.5-1]
- update to 1.10.5
[1.10.1-1]
- Initial import (#1440780).
mod_md
Обновленные пакеты
Oracle Linux 8
Oracle Linux aarch64
Module httpd:2.4 is enabled
httpd
2.4.37-64.module+el8.10.0+90271+3bc76a16
httpd-devel
2.4.37-64.module+el8.10.0+90271+3bc76a16
httpd-filesystem
2.4.37-64.module+el8.10.0+90271+3bc76a16
httpd-manual
2.4.37-64.module+el8.10.0+90271+3bc76a16
httpd-tools
2.4.37-64.module+el8.10.0+90271+3bc76a16
mod_http2
1.15.7-10.module+el8.10.0+90327+96b8ea28
mod_ldap
2.4.37-64.module+el8.10.0+90271+3bc76a16
mod_md
2.0.8-8.module+el8.9.0+90011+2f9c6a23
mod_proxy_html
2.4.37-64.module+el8.10.0+90271+3bc76a16
mod_session
2.4.37-64.module+el8.10.0+90271+3bc76a16
mod_ssl
2.4.37-64.module+el8.10.0+90271+3bc76a16
Oracle Linux x86_64
Module httpd:2.4 is enabled
httpd
2.4.37-64.module+el8.10.0+90271+3bc76a16
httpd-devel
2.4.37-64.module+el8.10.0+90271+3bc76a16
httpd-filesystem
2.4.37-64.module+el8.10.0+90271+3bc76a16
httpd-manual
2.4.37-64.module+el8.10.0+90271+3bc76a16
httpd-tools
2.4.37-64.module+el8.10.0+90271+3bc76a16
mod_http2
1.15.7-10.module+el8.10.0+90327+96b8ea28
mod_ldap
2.4.37-64.module+el8.10.0+90271+3bc76a16
mod_md
2.0.8-8.module+el8.9.0+90011+2f9c6a23
mod_proxy_html
2.4.37-64.module+el8.10.0+90271+3bc76a16
mod_session
2.4.37-64.module+el8.10.0+90271+3bc76a16
mod_ssl
2.4.37-64.module+el8.10.0+90271+3bc76a16
Связанные CVE
Связанные уязвимости
When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
When a HTTP/2 stream was reset (RST frame) by a client, there was a ti ...