openEuler Security Advisory: openEuler-SA-2024-1852
Title: An update for httpd is now available for openEuler-22.03-LTS-SP3
Document type: Security Advisory
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Revision history: 1.0, 2024-07-19, Initial
Initial release date: 2024-07-19
Current release date: 2024-07-19
Generator: openEuler SA Tool V1.0, 2024-07-19
Severity: High
Affected component: httpd
Affected product: openEuler-22.03-LTS-SP3

Topic
httpd security update. An update for httpd is now available for openEuler-22.03-LTS-SP3.

Description
Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

CVE-2024-38474: A substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to disclose the source of scripts meant only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless the rewrite flag "UnsafeAllow3F" is specified.

CVE-2024-38477: A null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

References
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1852
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-38474
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-38477
https://nvd.nist.gov/vuln/detail/CVE-2024-38474
https://nvd.nist.gov/vuln/detail/CVE-2024-38477

Updated packages (openEuler-22.03-LTS-SP3)

noarch:
httpd-filesystem-2.4.51-22.oe2203sp3.noarch.rpm
httpd-help-2.4.51-22.oe2203sp3.noarch.rpm

aarch64:
httpd-2.4.51-22.oe2203sp3.aarch64.rpm
httpd-debuginfo-2.4.51-22.oe2203sp3.aarch64.rpm
httpd-debugsource-2.4.51-22.oe2203sp3.aarch64.rpm
httpd-devel-2.4.51-22.oe2203sp3.aarch64.rpm
httpd-tools-2.4.51-22.oe2203sp3.aarch64.rpm
mod_ldap-2.4.51-22.oe2203sp3.aarch64.rpm
mod_md-2.4.51-22.oe2203sp3.aarch64.rpm
mod_proxy_html-2.4.51-22.oe2203sp3.aarch64.rpm
mod_session-2.4.51-22.oe2203sp3.aarch64.rpm
mod_ssl-2.4.51-22.oe2203sp3.aarch64.rpm

src:
httpd-2.4.51-22.oe2203sp3.src.rpm

x86_64:
httpd-2.4.51-22.oe2203sp3.x86_64.rpm
httpd-debuginfo-2.4.51-22.oe2203sp3.x86_64.rpm
httpd-debugsource-2.4.51-22.oe2203sp3.x86_64.rpm
httpd-devel-2.4.51-22.oe2203sp3.x86_64.rpm
httpd-tools-2.4.51-22.oe2203sp3.x86_64.rpm
mod_ldap-2.4.51-22.oe2203sp3.x86_64.rpm
mod_md-2.4.51-22.oe2203sp3.x86_64.rpm
mod_proxy_html-2.4.51-22.oe2203sp3.x86_64.rpm
mod_session-2.4.51-22.oe2203sp3.x86_64.rpm
mod_ssl-2.4.51-22.oe2203sp3.x86_64.rpm

Vulnerability details

CVE-2024-38474
  Release date: 2024-07-19
  Affected product: openEuler-22.03-LTS-SP3
  Severity: High
  CVSS base score: 8.2
  CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
  Remediation: httpd security update, 2024-07-19, https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1852

CVE-2024-38477
  Release date: 2024-07-19
  Affected product: openEuler-22.03-LTS-SP3
  Severity: High
  CVSS base score: 7.5
  CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Remediation: httpd security update, 2024-07-19, https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1852