openEuler Security Advisory openEuler-SA-2021-1473: httpd security update

Title: An update for httpd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2
Document type: Security Advisory
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Revision history: 1.0, 2021-12-25, Initial
Initial release date: 2021-12-25
Current release date: 2021-12-25
Generator: openEuler SA Tool V1.0, 2021-12-25
Aggregate severity: Critical
Affected component: httpd

Summary

An update for httpd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.

Description

Apache HTTP Server.

Security Fix(es):

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). (CVE-2021-44224)

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. (CVE-2021-44790)

Topic

openEuler Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

References

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1473
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44224
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44790
https://nvd.nist.gov/vuln/detail/CVE-2021-44224
https://nvd.nist.gov/vuln/detail/CVE-2021-44790

Affected products

openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2

Updated packages (the same package set applies to both openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2)

aarch64:
httpd-2.4.43-12.oe1.aarch64.rpm
httpd-debuginfo-2.4.43-12.oe1.aarch64.rpm
httpd-debugsource-2.4.43-12.oe1.aarch64.rpm
httpd-devel-2.4.43-12.oe1.aarch64.rpm
httpd-tools-2.4.43-12.oe1.aarch64.rpm
mod_ldap-2.4.43-12.oe1.aarch64.rpm
mod_md-2.4.43-12.oe1.aarch64.rpm
mod_proxy_html-2.4.43-12.oe1.aarch64.rpm
mod_session-2.4.43-12.oe1.aarch64.rpm
mod_ssl-2.4.43-12.oe1.aarch64.rpm

noarch:
httpd-filesystem-2.4.43-12.oe1.noarch.rpm
httpd-help-2.4.43-12.oe1.noarch.rpm

src:
httpd-2.4.43-12.oe1.src.rpm

x86_64:
httpd-2.4.43-12.oe1.x86_64.rpm
httpd-debuginfo-2.4.43-12.oe1.x86_64.rpm
httpd-debugsource-2.4.43-12.oe1.x86_64.rpm
httpd-devel-2.4.43-12.oe1.x86_64.rpm
httpd-tools-2.4.43-12.oe1.x86_64.rpm
mod_ldap-2.4.43-12.oe1.x86_64.rpm
mod_md-2.4.43-12.oe1.x86_64.rpm
mod_proxy_html-2.4.43-12.oe1.x86_64.rpm
mod_session-2.4.43-12.oe1.x86_64.rpm
mod_ssl-2.4.43-12.oe1.x86_64.rpm

Vulnerability details

CVE-2021-44224
Description: as given under Security Fix(es) above (forward-proxy NULL pointer dereference / SSRF to a declared Unix Domain Socket endpoint; affects Apache HTTP Server 2.4.7 up to 2.4.51 (included)).
Release date: 2021-12-25
Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2
Severity: High
CVSS base score: 8.2
CVSS v3 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Remediation: httpd security update, 2021-12-25, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1473

CVE-2021-44790
Description: as given under Security Fix(es) above (buffer overflow in the mod_lua multipart parser, r:parsebody() called from Lua scripts; affects Apache HTTP Server 2.4.51 and earlier).
Release date: 2021-12-25
Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2
Severity: Critical
CVSS base score: 9.8
CVSS v3 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remediation: httpd security update, 2021-12-25, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1473