openEuler Security Advisory openEuler-SA-2024-1854
Title: An update for httpd is now available for openEuler-24.03-LTS
Synopsis: httpd security update
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Document status: Final
Document version: 1.0
Revision history: 1.0 (2024-07-19) Initial
Initial release date: 2024-07-19
Current release date: 2024-07-19
Generator: openEuler SA Tool V1.0 (2024-07-19)
Severity: High
Affected component: httpd

Summary
An update for httpd is now available for openEuler-24.03-LTS.

Description
Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

- Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a null pointer dereference, leading to a crash of the server process and degrading performance. (CVE-2024-36387)

- A substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to disclose the source of scripts meant only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless the rewrite flag "UnsafeAllow3F" is specified. (CVE-2024-38474)

- A null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. (CVE-2024-38477)

Topic
An update for httpd is now available for openEuler-24.03-LTS.

openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

References
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1854
- https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-36387
- https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-38474
- https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-38477
- https://nvd.nist.gov/vuln/detail/CVE-2024-36387
- https://nvd.nist.gov/vuln/detail/CVE-2024-38474
- https://nvd.nist.gov/vuln/detail/CVE-2024-38477

Affected product and updated packages
Product: openEuler-24.03-LTS

aarch64:
- httpd-2.4.58-6.oe2403.aarch64.rpm
- httpd-debuginfo-2.4.58-6.oe2403.aarch64.rpm
- httpd-debugsource-2.4.58-6.oe2403.aarch64.rpm
- httpd-devel-2.4.58-6.oe2403.aarch64.rpm
- httpd-tools-2.4.58-6.oe2403.aarch64.rpm
- mod_ldap-2.4.58-6.oe2403.aarch64.rpm
- mod_md-2.4.58-6.oe2403.aarch64.rpm
- mod_proxy_html-2.4.58-6.oe2403.aarch64.rpm
- mod_session-2.4.58-6.oe2403.aarch64.rpm
- mod_ssl-2.4.58-6.oe2403.aarch64.rpm

src:
- httpd-2.4.58-6.oe2403.src.rpm

x86_64:
- httpd-2.4.58-6.oe2403.x86_64.rpm
- httpd-debuginfo-2.4.58-6.oe2403.x86_64.rpm
- httpd-debugsource-2.4.58-6.oe2403.x86_64.rpm
- httpd-devel-2.4.58-6.oe2403.x86_64.rpm
- httpd-tools-2.4.58-6.oe2403.x86_64.rpm
- mod_ldap-2.4.58-6.oe2403.x86_64.rpm
- mod_md-2.4.58-6.oe2403.x86_64.rpm
- mod_proxy_html-2.4.58-6.oe2403.x86_64.rpm
- mod_session-2.4.58-6.oe2403.x86_64.rpm
- mod_ssl-2.4.58-6.oe2403.x86_64.rpm

noarch:
- httpd-filesystem-2.4.58-6.oe2403.noarch.rpm
- httpd-help-2.4.58-6.oe2403.noarch.rpm

Vulnerability details
(The description of each CVE is given under Security Fix(es) above.)

CVE-2024-36387 (WebSocket upgrade over HTTP/2, null pointer dereference)
- Release date: 2024-07-19
- Affected product: openEuler-24.03-LTS
- Severity: None
- CVSS base score: 0.0
- Remediation: httpd security update (2024-07-19), https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1854

CVE-2024-38474 (mod_rewrite substitution encoding issue)
- Release date: 2024-07-19
- Affected product: openEuler-24.03-LTS
- Severity: High
- CVSS base score: 8.2
- CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Remediation: httpd security update (2024-07-19), https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1854

CVE-2024-38477 (mod_proxy null pointer dereference)
- Release date: 2024-07-19
- Affected product: openEuler-24.03-LTS
- Severity: High
- CVSS base score: 7.5
- CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Remediation: httpd security update (2024-07-19), https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1854