openEuler Security Advisory openEuler-SA-2023-1052: httpd security update

Title: An update for httpd is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS and openEuler-22.03-LTS-SP1
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Severity: Critical
Affected component: httpd
Status: Final
Version: 1.0
Revision history: 1.0 (2023-02-03), Initial
Initial release date: 2023-02-03
Current release date: 2023-02-03
Generator: openEuler SA Tool V1.0 (2023-02-03)

Description:

An update for httpd is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS and openEuler-22.03-LTS-SP1.

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

CVE-2022-36760: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.

CVE-2022-37436: Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

CVE-2006-20001: A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.

openEuler Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

References:

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1052
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-36760
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-37436
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2006-20001
https://nvd.nist.gov/vuln/detail/CVE-2022-36760
https://nvd.nist.gov/vuln/detail/CVE-2022-37436
https://nvd.nist.gov/vuln/detail/CVE-2006-20001

Affected products:

openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1

Fixed packages:

httpd 2.4.43-20.oe1
  aarch64:
    httpd-2.4.43-20.oe1.aarch64.rpm
    httpd-debuginfo-2.4.43-20.oe1.aarch64.rpm
    httpd-debugsource-2.4.43-20.oe1.aarch64.rpm
    httpd-devel-2.4.43-20.oe1.aarch64.rpm
    httpd-tools-2.4.43-20.oe1.aarch64.rpm
    mod_ldap-2.4.43-20.oe1.aarch64.rpm
    mod_md-2.4.43-20.oe1.aarch64.rpm
    mod_proxy_html-2.4.43-20.oe1.aarch64.rpm
    mod_session-2.4.43-20.oe1.aarch64.rpm
    mod_ssl-2.4.43-20.oe1.aarch64.rpm
  noarch:
    httpd-filesystem-2.4.43-20.oe1.noarch.rpm
    httpd-help-2.4.43-20.oe1.noarch.rpm
  src:
    httpd-2.4.43-20.oe1.src.rpm
  x86_64:
    httpd-2.4.43-20.oe1.x86_64.rpm
    httpd-debuginfo-2.4.43-20.oe1.x86_64.rpm
    httpd-debugsource-2.4.43-20.oe1.x86_64.rpm
    httpd-devel-2.4.43-20.oe1.x86_64.rpm
    httpd-tools-2.4.43-20.oe1.x86_64.rpm
    mod_ldap-2.4.43-20.oe1.x86_64.rpm
    mod_md-2.4.43-20.oe1.x86_64.rpm
    mod_proxy_html-2.4.43-20.oe1.x86_64.rpm
    mod_session-2.4.43-20.oe1.x86_64.rpm
    mod_ssl-2.4.43-20.oe1.x86_64.rpm

httpd 2.4.43-19.oe1
  aarch64:
    httpd-2.4.43-19.oe1.aarch64.rpm
    httpd-debuginfo-2.4.43-19.oe1.aarch64.rpm
    httpd-debugsource-2.4.43-19.oe1.aarch64.rpm
    httpd-devel-2.4.43-19.oe1.aarch64.rpm
    httpd-tools-2.4.43-19.oe1.aarch64.rpm
    mod_ldap-2.4.43-19.oe1.aarch64.rpm
    mod_md-2.4.43-19.oe1.aarch64.rpm
    mod_proxy_html-2.4.43-19.oe1.aarch64.rpm
    mod_session-2.4.43-19.oe1.aarch64.rpm
    mod_ssl-2.4.43-19.oe1.aarch64.rpm
  noarch:
    httpd-filesystem-2.4.43-19.oe1.noarch.rpm
    httpd-help-2.4.43-19.oe1.noarch.rpm
  src:
    httpd-2.4.43-19.oe1.src.rpm
  x86_64:
    httpd-2.4.43-19.oe1.x86_64.rpm
    httpd-debuginfo-2.4.43-19.oe1.x86_64.rpm
    httpd-debugsource-2.4.43-19.oe1.x86_64.rpm
    httpd-devel-2.4.43-19.oe1.x86_64.rpm
    httpd-tools-2.4.43-19.oe1.x86_64.rpm
    mod_ldap-2.4.43-19.oe1.x86_64.rpm
    mod_md-2.4.43-19.oe1.x86_64.rpm
    mod_proxy_html-2.4.43-19.oe1.x86_64.rpm
    mod_session-2.4.43-19.oe1.x86_64.rpm
    mod_ssl-2.4.43-19.oe1.x86_64.rpm

httpd 2.4.51-12.oe2203
  aarch64:
    httpd-2.4.51-12.oe2203.aarch64.rpm
    httpd-debuginfo-2.4.51-12.oe2203.aarch64.rpm
    httpd-debugsource-2.4.51-12.oe2203.aarch64.rpm
    httpd-devel-2.4.51-12.oe2203.aarch64.rpm
    httpd-tools-2.4.51-12.oe2203.aarch64.rpm
    mod_ldap-2.4.51-12.oe2203.aarch64.rpm
    mod_md-2.4.51-12.oe2203.aarch64.rpm
    mod_proxy_html-2.4.51-12.oe2203.aarch64.rpm
    mod_session-2.4.51-12.oe2203.aarch64.rpm
    mod_ssl-2.4.51-12.oe2203.aarch64.rpm
  noarch:
    httpd-filesystem-2.4.51-12.oe2203.noarch.rpm
    httpd-help-2.4.51-12.oe2203.noarch.rpm
  src:
    httpd-2.4.51-12.oe2203.src.rpm
  x86_64:
    httpd-2.4.51-12.oe2203.x86_64.rpm
    httpd-debuginfo-2.4.51-12.oe2203.x86_64.rpm
    httpd-debugsource-2.4.51-12.oe2203.x86_64.rpm
    httpd-devel-2.4.51-12.oe2203.x86_64.rpm
    httpd-tools-2.4.51-12.oe2203.x86_64.rpm
    mod_ldap-2.4.51-12.oe2203.x86_64.rpm
    mod_md-2.4.51-12.oe2203.x86_64.rpm
    mod_proxy_html-2.4.51-12.oe2203.x86_64.rpm
    mod_session-2.4.51-12.oe2203.x86_64.rpm
    mod_ssl-2.4.51-12.oe2203.x86_64.rpm

httpd 2.4.51-13.oe2203sp1
  aarch64:
    httpd-2.4.51-13.oe2203sp1.aarch64.rpm
    httpd-debuginfo-2.4.51-13.oe2203sp1.aarch64.rpm
    httpd-debugsource-2.4.51-13.oe2203sp1.aarch64.rpm
    httpd-devel-2.4.51-13.oe2203sp1.aarch64.rpm
    httpd-tools-2.4.51-13.oe2203sp1.aarch64.rpm
    mod_ldap-2.4.51-13.oe2203sp1.aarch64.rpm
    mod_md-2.4.51-13.oe2203sp1.aarch64.rpm
    mod_proxy_html-2.4.51-13.oe2203sp1.aarch64.rpm
    mod_session-2.4.51-13.oe2203sp1.aarch64.rpm
    mod_ssl-2.4.51-13.oe2203sp1.aarch64.rpm
  noarch:
    httpd-filesystem-2.4.51-13.oe2203sp1.noarch.rpm
    httpd-help-2.4.51-13.oe2203sp1.noarch.rpm
  src:
    httpd-2.4.51-13.oe2203sp1.src.rpm
  x86_64:
    httpd-2.4.51-13.oe2203sp1.x86_64.rpm
    httpd-debuginfo-2.4.51-13.oe2203sp1.x86_64.rpm
    httpd-debugsource-2.4.51-13.oe2203sp1.x86_64.rpm
    httpd-devel-2.4.51-13.oe2203sp1.x86_64.rpm
    httpd-tools-2.4.51-13.oe2203sp1.x86_64.rpm
    mod_ldap-2.4.51-13.oe2203sp1.x86_64.rpm
    mod_md-2.4.51-13.oe2203sp1.x86_64.rpm
    mod_proxy_html-2.4.51-13.oe2203sp1.x86_64.rpm
    mod_session-2.4.51-13.oe2203sp1.x86_64.rpm
    mod_ssl-2.4.51-13.oe2203sp1.x86_64.rpm

Vulnerabilities:

Each CVE below affects openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS and openEuler-22.03-LTS-SP1. Remediation for all three is the httpd security update released 2023-02-03 (https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1052).

CVE             Released     Severity   CVSS score   CVSS vector
CVE-2022-36760  2023-02-03   Critical   9.0          AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2022-37436  2023-02-03   Medium     5.3          AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE-2006-20001  2023-02-03   High       7.5          AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H