An update for httpd is now available for openEuler-20.03-LTS-SP3

Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2023-1222
Final 1.0 1.0 2023-04-14 Initial 2023-04-14 2023-04-14 openEuler SA Tool V1.0 2023-04-14

httpd security update

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured. (CVE-2019-17567)

openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Medium
httpd

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1222
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2019-17567
https://nvd.nist.gov/vuln/detail/CVE-2019-17567

openEuler-20.03-LTS-SP3

httpd-2.4.43-22.oe1.aarch64.rpm
mod_md-2.4.43-22.oe1.aarch64.rpm
httpd-debugsource-2.4.43-22.oe1.aarch64.rpm
mod_session-2.4.43-22.oe1.aarch64.rpm
mod_proxy_html-2.4.43-22.oe1.aarch64.rpm
httpd-devel-2.4.43-22.oe1.aarch64.rpm
mod_ldap-2.4.43-22.oe1.aarch64.rpm
httpd-debuginfo-2.4.43-22.oe1.aarch64.rpm
httpd-tools-2.4.43-22.oe1.aarch64.rpm
mod_ssl-2.4.43-22.oe1.aarch64.rpm

httpd-help-2.4.43-22.oe1.noarch.rpm
httpd-filesystem-2.4.43-22.oe1.noarch.rpm

httpd-2.4.43-22.oe1.src.rpm

httpd-2.4.43-22.oe1.x86_64.rpm
httpd-debugsource-2.4.43-22.oe1.x86_64.rpm
httpd-debuginfo-2.4.43-22.oe1.x86_64.rpm
mod_md-2.4.43-22.oe1.x86_64.rpm
mod_proxy_html-2.4.43-22.oe1.x86_64.rpm
httpd-tools-2.4.43-22.oe1.x86_64.rpm
mod_ssl-2.4.43-22.oe1.x86_64.rpm
httpd-devel-2.4.43-22.oe1.x86_64.rpm
mod_session-2.4.43-22.oe1.x86_64.rpm
mod_ldap-2.4.43-22.oe1.x86_64.rpm

Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

2023-04-14
CVE-2019-17567
openEuler-20.03-LTS-SP3
Medium
5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

httpd security update
2023-04-14
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1222