openEuler Security Advisory openEuler-SA-2024-1830: httpd security update
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0 (revision 1.0, Initial, 2024-07-12)
Initial release date: 2024-07-12
Current release date: 2024-07-12
Generator: openEuler SA Tool V1.0, 2024-07-12

An update for httpd is now available for openEuler-22.03-LTS-SP4, openEuler-22.03-LTS-SP1, openEuler-20.03-LTS-SP4, openEuler-24.03-LTS and openEuler-22.03-LTS-SP3.

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreference or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been verified to be appropriately constrained. (CVE-2024-38475)

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. (CVE-2024-39573)

An update for httpd is now available for openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
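The CVE-2024-38475 description names a concrete configuration pattern: a RewriteRule in server context whose substitution begins with a backreference or a variable, and the UnsafePrefixStat flag that must be present to keep such a rule working after the fix. The following audit script is an added example, not code from the openEuler advisory or from the Apache project. It scans httpd configuration text for that pattern and reports whether each matching rule carries the flag. It assumes a simplified reading of the directive syntax (unquoted pattern and substitution, flags in a single bracketed list, no line continuations) and approximates "server context" as any RewriteRule outside a Directory, Location or Files section; both simplifications are assumptions, and the sample configuration is constructed for the demonstration.

```python
"""
Audit Apache httpd configuration text for RewriteRule directives whose
substitution starts with a backreference ($N or %N) or a variable (%{...}),
the pattern called out for CVE-2024-38475, and report whether each such rule
has opted in with the UnsafePrefixStat flag.

Added example; not part of the openEuler advisory or of Apache httpd itself.
"""
import re
from dataclasses import dataclass, field

# Assumption: "server context" is approximated as being outside any
# <Directory>, <Location> or <Files> section (or their *Match variants).
# Rules inside <VirtualHost> still count as server context.
SECTION_RE = re.compile(r"^\s*<(/?)(Directory|Location|Files)(Match)?\b", re.IGNORECASE)

# Simplified RewriteRule syntax: pattern, substitution, optional [flags].
# Assumption: arguments are not quoted and do not contain whitespace.
REWRITE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE)

# First segment of the substitution is a backreference ($1 / %1) or a variable (%{VAR}).
UNSAFE_PREFIX_RE = re.compile(r"^(?:\$\d|%\d|%\{)")


@dataclass
class Finding:
    line_no: int
    pattern: str
    substitution: str
    flags: list = field(default_factory=list)
    opted_in: bool = False  # True when the UnsafePrefixStat flag is present


def audit_rewrite_rules(config_text: str) -> list:
    """Return a Finding for every server-context RewriteRule with an unsafe prefix."""
    findings = []
    depth = 0  # nesting depth of directory-style sections
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = SECTION_RE.match(line)
        if section:
            depth += -1 if section.group(1) == "/" else 1
            continue
        rule = REWRITE_RE.match(line)
        if rule is None or depth > 0:
            continue
        pattern, subst, flag_str = rule.group(1), rule.group(2), rule.group(3) or ""
        if not UNSAFE_PREFIX_RE.match(subst):
            continue
        flags = [f.strip() for f in flag_str.split(",") if f.strip()]
        opted_in = any(f.lower() == "unsafeprefixstat" for f in flags)
        findings.append(Finding(line_no, pattern, subst, flags, opted_in))
    return findings


# Constructed sample configuration; not taken from any real deployment.
SAMPLE_CONF = """\
# constructed sample
RewriteEngine On
RewriteRule ^/docs/(.*)$ /var/www/docs/$1 [L]
RewriteRule ^/legacy/(.*)$ $1 [L]
RewriteRule ^/app/(.*)$ %{DOCUMENT_ROOT}/app/$1 [L,UnsafePrefixStat]
<Directory /var/www>
    RewriteRule ^(.*)$ $1 [L]
</Directory>
"""


def format_report(findings: list) -> str:
    """Render findings as one line each; rules without the flag are marked for review."""
    lines = []
    for f in findings:
        status = "opted in via UnsafePrefixStat" if f.opted_in else "REVIEW: will break or be rejected after the fix"
        lines.append(f"line {f.line_no}: RewriteRule {f.pattern} {f.substitution} -> {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_rewrite_rules(SAMPLE_CONF)))
```

Running the script against a real httpd.conf (read the file and pass its text to audit_rewrite_rules) lists each server-context rule whose substitution starts with a backreference or variable; rules in the report without the flag are the ones to constrain, for instance by anchoring the substitution with a fixed path prefix, before applying the update.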
Severity: Critical
Affected component: httpd

References:
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1830
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-38475
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-39573
https://nvd.nist.gov/vuln/detail/CVE-2024-38475
https://nvd.nist.gov/vuln/detail/CVE-2024-39573

Affected products:
openEuler-22.03-LTS-SP4
openEuler-22.03-LTS-SP1
openEuler-20.03-LTS-SP4
openEuler-24.03-LTS
openEuler-22.03-LTS-SP3

Updated packages:

aarch64, openEuler-22.03-LTS-SP4:
httpd-2.4.51-22.oe2203sp4.aarch64.rpm
httpd-debuginfo-2.4.51-22.oe2203sp4.aarch64.rpm
httpd-debugsource-2.4.51-22.oe2203sp4.aarch64.rpm
httpd-devel-2.4.51-22.oe2203sp4.aarch64.rpm
httpd-tools-2.4.51-22.oe2203sp4.aarch64.rpm
mod_ldap-2.4.51-22.oe2203sp4.aarch64.rpm
mod_md-2.4.51-22.oe2203sp4.aarch64.rpm
mod_proxy_html-2.4.51-22.oe2203sp4.aarch64.rpm
mod_session-2.4.51-22.oe2203sp4.aarch64.rpm
mod_ssl-2.4.51-22.oe2203sp4.aarch64.rpm

aarch64, openEuler-22.03-LTS-SP1:
httpd-2.4.51-22.oe2203sp1.aarch64.rpm
httpd-debuginfo-2.4.51-22.oe2203sp1.aarch64.rpm
httpd-debugsource-2.4.51-22.oe2203sp1.aarch64.rpm
httpd-devel-2.4.51-22.oe2203sp1.aarch64.rpm
httpd-tools-2.4.51-22.oe2203sp1.aarch64.rpm
mod_ldap-2.4.51-22.oe2203sp1.aarch64.rpm
mod_md-2.4.51-22.oe2203sp1.aarch64.rpm
mod_proxy_html-2.4.51-22.oe2203sp1.aarch64.rpm
mod_session-2.4.51-22.oe2203sp1.aarch64.rpm
mod_ssl-2.4.51-22.oe2203sp1.aarch64.rpm

aarch64, openEuler-20.03-LTS-SP4:
httpd-2.4.43-25.oe2003sp4.aarch64.rpm
httpd-debuginfo-2.4.43-25.oe2003sp4.aarch64.rpm
httpd-debugsource-2.4.43-25.oe2003sp4.aarch64.rpm
httpd-devel-2.4.43-25.oe2003sp4.aarch64.rpm
httpd-tools-2.4.43-25.oe2003sp4.aarch64.rpm
mod_ldap-2.4.43-25.oe2003sp4.aarch64.rpm
mod_md-2.4.43-25.oe2003sp4.aarch64.rpm
mod_proxy_html-2.4.43-25.oe2003sp4.aarch64.rpm
mod_session-2.4.43-25.oe2003sp4.aarch64.rpm
mod_ssl-2.4.43-25.oe2003sp4.aarch64.rpm

aarch64, openEuler-24.03-LTS:
httpd-2.4.58-6.oe2403.aarch64.rpm
httpd-debuginfo-2.4.58-6.oe2403.aarch64.rpm
httpd-debugsource-2.4.58-6.oe2403.aarch64.rpm
httpd-devel-2.4.58-6.oe2403.aarch64.rpm
httpd-tools-2.4.58-6.oe2403.aarch64.rpm
mod_ldap-2.4.58-6.oe2403.aarch64.rpm
mod_md-2.4.58-6.oe2403.aarch64.rpm
mod_proxy_html-2.4.58-6.oe2403.aarch64.rpm
mod_session-2.4.58-6.oe2403.aarch64.rpm
mod_ssl-2.4.58-6.oe2403.aarch64.rpm

aarch64, openEuler-22.03-LTS-SP3:
httpd-2.4.51-22.oe2203sp3.aarch64.rpm
httpd-debuginfo-2.4.51-22.oe2203sp3.aarch64.rpm
httpd-debugsource-2.4.51-22.oe2203sp3.aarch64.rpm
httpd-devel-2.4.51-22.oe2203sp3.aarch64.rpm
httpd-tools-2.4.51-22.oe2203sp3.aarch64.rpm
mod_ldap-2.4.51-22.oe2203sp3.aarch64.rpm
mod_md-2.4.51-22.oe2203sp3.aarch64.rpm
mod_proxy_html-2.4.51-22.oe2203sp3.aarch64.rpm
mod_session-2.4.51-22.oe2203sp3.aarch64.rpm
mod_ssl-2.4.51-22.oe2203sp3.aarch64.rpm

Source packages:
httpd-2.4.51-22.oe2203sp4.src.rpm
httpd-2.4.51-22.oe2203sp1.src.rpm
httpd-2.4.43-25.oe2003sp4.src.rpm
httpd-2.4.58-6.oe2403.src.rpm
httpd-2.4.51-22.oe2203sp3.src.rpm

x86_64, openEuler-22.03-LTS-SP4:
httpd-2.4.51-22.oe2203sp4.x86_64.rpm
httpd-debuginfo-2.4.51-22.oe2203sp4.x86_64.rpm
httpd-debugsource-2.4.51-22.oe2203sp4.x86_64.rpm
httpd-devel-2.4.51-22.oe2203sp4.x86_64.rpm
httpd-tools-2.4.51-22.oe2203sp4.x86_64.rpm
mod_ldap-2.4.51-22.oe2203sp4.x86_64.rpm
mod_md-2.4.51-22.oe2203sp4.x86_64.rpm
mod_proxy_html-2.4.51-22.oe2203sp4.x86_64.rpm
mod_session-2.4.51-22.oe2203sp4.x86_64.rpm
mod_ssl-2.4.51-22.oe2203sp4.x86_64.rpm

x86_64, openEuler-22.03-LTS-SP1:
httpd-2.4.51-22.oe2203sp1.x86_64.rpm
httpd-debuginfo-2.4.51-22.oe2203sp1.x86_64.rpm
httpd-debugsource-2.4.51-22.oe2203sp1.x86_64.rpm
httpd-devel-2.4.51-22.oe2203sp1.x86_64.rpm
httpd-tools-2.4.51-22.oe2203sp1.x86_64.rpm
mod_ldap-2.4.51-22.oe2203sp1.x86_64.rpm
mod_md-2.4.51-22.oe2203sp1.x86_64.rpm
mod_proxy_html-2.4.51-22.oe2203sp1.x86_64.rpm
mod_session-2.4.51-22.oe2203sp1.x86_64.rpm
mod_ssl-2.4.51-22.oe2203sp1.x86_64.rpm

x86_64, openEuler-20.03-LTS-SP4:
httpd-2.4.43-25.oe2003sp4.x86_64.rpm
httpd-debuginfo-2.4.43-25.oe2003sp4.x86_64.rpm
httpd-debugsource-2.4.43-25.oe2003sp4.x86_64.rpm
httpd-devel-2.4.43-25.oe2003sp4.x86_64.rpm
httpd-tools-2.4.43-25.oe2003sp4.x86_64.rpm
mod_ldap-2.4.43-25.oe2003sp4.x86_64.rpm
mod_md-2.4.43-25.oe2003sp4.x86_64.rpm
mod_proxy_html-2.4.43-25.oe2003sp4.x86_64.rpm
mod_session-2.4.43-25.oe2003sp4.x86_64.rpm
mod_ssl-2.4.43-25.oe2003sp4.x86_64.rpm

x86_64, openEuler-24.03-LTS:
httpd-2.4.58-6.oe2403.x86_64.rpm
httpd-debuginfo-2.4.58-6.oe2403.x86_64.rpm
httpd-debugsource-2.4.58-6.oe2403.x86_64.rpm
httpd-devel-2.4.58-6.oe2403.x86_64.rpm
httpd-tools-2.4.58-6.oe2403.x86_64.rpm
mod_ldap-2.4.58-6.oe2403.x86_64.rpm
mod_md-2.4.58-6.oe2403.x86_64.rpm
mod_proxy_html-2.4.58-6.oe2403.x86_64.rpm
mod_session-2.4.58-6.oe2403.x86_64.rpm
mod_ssl-2.4.58-6.oe2403.x86_64.rpm

x86_64, openEuler-22.03-LTS-SP3:
httpd-2.4.51-22.oe2203sp3.x86_64.rpm
httpd-debuginfo-2.4.51-22.oe2203sp3.x86_64.rpm
httpd-debugsource-2.4.51-22.oe2203sp3.x86_64.rpm
httpd-devel-2.4.51-22.oe2203sp3.x86_64.rpm
httpd-tools-2.4.51-22.oe2203sp3.x86_64.rpm
mod_ldap-2.4.51-22.oe2203sp3.x86_64.rpm
mod_md-2.4.51-22.oe2203sp3.x86_64.rpm
mod_proxy_html-2.4.51-22.oe2203sp3.x86_64.rpm
mod_session-2.4.51-22.oe2203sp3.x86_64.rpm
mod_ssl-2.4.51-22.oe2203sp3.x86_64.rpm

noarch:
httpd-filesystem-2.4.51-22.oe2203sp4.noarch.rpm
httpd-help-2.4.51-22.oe2203sp4.noarch.rpm
httpd-filesystem-2.4.51-22.oe2203sp1.noarch.rpm
httpd-help-2.4.51-22.oe2203sp1.noarch.rpm
httpd-filesystem-2.4.43-25.oe2003sp4.noarch.rpm
httpd-help-2.4.43-25.oe2003sp4.noarch.rpm
httpd-filesystem-2.4.58-6.oe2403.noarch.rpm
httpd-help-2.4.58-6.oe2403.noarch.rpm
httpd-filesystem-2.4.51-22.oe2203sp3.noarch.rpm
httpd-help-2.4.51-22.oe2203sp3.noarch.rpm

Vulnerability: CVE-2024-38475
Release date: 2024-07-12
Affected products: openEuler-22.03-LTS-SP4, openEuler-22.03-LTS-SP1, openEuler-20.03-LTS-SP4, openEuler-24.03-LTS, openEuler-22.03-LTS-SP3
Severity: Critical
CVSS base score: 8.2
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Remediation: httpd security update, released 2024-07-12, https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1830
Description: Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreference or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been verified to be appropriately constrained.

Vulnerability: CVE-2024-39573
Release date: 2024-07-12
Affected products: openEuler-22.03-LTS-SP4, openEuler-22.03-LTS-SP1, openEuler-20.03-LTS-SP4, openEuler-24.03-LTS, openEuler-22.03-LTS-SP3
Severity: High
CVSS base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Remediation: httpd security update, released 2024-07-12, https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1830
Description: Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.