An update for httpd is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP4, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3

Security Advisory: openEuler-SA-2024-1553
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Initial release date: 2024-05-10
Current release date: 2024-05-10
Generator: openEuler SA Tool V1.0
Title: httpd security update

Description:

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

CVE-2023-38709: Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server through 2.4.58.

CVE-2024-24795: HTTP response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

CVE-2024-27316: HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Severity: High
Package: httpd

References:

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1553
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-38709
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-24795
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-27316
https://nvd.nist.gov/vuln/detail/CVE-2023-38709
https://nvd.nist.gov/vuln/detail/CVE-2024-24795
https://nvd.nist.gov/vuln/detail/CVE-2024-27316

Affected products:

openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP4
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
openEuler-22.03-LTS-SP3

Updated packages:

openEuler-20.03-LTS-SP1 (httpd 2.4.43-24.oe1)
  aarch64:
    httpd-2.4.43-24.oe1.aarch64.rpm
    httpd-devel-2.4.43-24.oe1.aarch64.rpm
    httpd-tools-2.4.43-24.oe1.aarch64.rpm
    httpd-debuginfo-2.4.43-24.oe1.aarch64.rpm
    httpd-debugsource-2.4.43-24.oe1.aarch64.rpm
    mod_ldap-2.4.43-24.oe1.aarch64.rpm
    mod_md-2.4.43-24.oe1.aarch64.rpm
    mod_proxy_html-2.4.43-24.oe1.aarch64.rpm
    mod_session-2.4.43-24.oe1.aarch64.rpm
    mod_ssl-2.4.43-24.oe1.aarch64.rpm
  x86_64:
    httpd-2.4.43-24.oe1.x86_64.rpm
    httpd-devel-2.4.43-24.oe1.x86_64.rpm
    httpd-tools-2.4.43-24.oe1.x86_64.rpm
    httpd-debuginfo-2.4.43-24.oe1.x86_64.rpm
    httpd-debugsource-2.4.43-24.oe1.x86_64.rpm
    mod_ldap-2.4.43-24.oe1.x86_64.rpm
    mod_md-2.4.43-24.oe1.x86_64.rpm
    mod_proxy_html-2.4.43-24.oe1.x86_64.rpm
    mod_session-2.4.43-24.oe1.x86_64.rpm
    mod_ssl-2.4.43-24.oe1.x86_64.rpm
  noarch:
    httpd-filesystem-2.4.43-24.oe1.noarch.rpm
    httpd-help-2.4.43-24.oe1.noarch.rpm
  src:
    httpd-2.4.43-24.oe1.src.rpm

openEuler-20.03-LTS-SP4 (httpd 2.4.43-24.oe2003sp4)
  aarch64:
    httpd-2.4.43-24.oe2003sp4.aarch64.rpm
    httpd-devel-2.4.43-24.oe2003sp4.aarch64.rpm
    httpd-tools-2.4.43-24.oe2003sp4.aarch64.rpm
    httpd-debuginfo-2.4.43-24.oe2003sp4.aarch64.rpm
    httpd-debugsource-2.4.43-24.oe2003sp4.aarch64.rpm
    mod_ldap-2.4.43-24.oe2003sp4.aarch64.rpm
    mod_md-2.4.43-24.oe2003sp4.aarch64.rpm
    mod_proxy_html-2.4.43-24.oe2003sp4.aarch64.rpm
    mod_session-2.4.43-24.oe2003sp4.aarch64.rpm
    mod_ssl-2.4.43-24.oe2003sp4.aarch64.rpm
  x86_64:
    httpd-2.4.43-24.oe2003sp4.x86_64.rpm
    httpd-devel-2.4.43-24.oe2003sp4.x86_64.rpm
    httpd-tools-2.4.43-24.oe2003sp4.x86_64.rpm
    httpd-debuginfo-2.4.43-24.oe2003sp4.x86_64.rpm
    httpd-debugsource-2.4.43-24.oe2003sp4.x86_64.rpm
    mod_ldap-2.4.43-24.oe2003sp4.x86_64.rpm
    mod_md-2.4.43-24.oe2003sp4.x86_64.rpm
    mod_proxy_html-2.4.43-24.oe2003sp4.x86_64.rpm
    mod_session-2.4.43-24.oe2003sp4.x86_64.rpm
    mod_ssl-2.4.43-24.oe2003sp4.x86_64.rpm
  noarch:
    httpd-filesystem-2.4.43-24.oe2003sp4.noarch.rpm
    httpd-help-2.4.43-24.oe2003sp4.noarch.rpm
  src:
    httpd-2.4.43-24.oe2003sp4.src.rpm

openEuler-22.03-LTS (httpd 2.4.51-21.oe2203)
  aarch64:
    httpd-2.4.51-21.oe2203.aarch64.rpm
    httpd-devel-2.4.51-21.oe2203.aarch64.rpm
    httpd-tools-2.4.51-21.oe2203.aarch64.rpm
    httpd-debuginfo-2.4.51-21.oe2203.aarch64.rpm
    httpd-debugsource-2.4.51-21.oe2203.aarch64.rpm
    mod_ldap-2.4.51-21.oe2203.aarch64.rpm
    mod_md-2.4.51-21.oe2203.aarch64.rpm
    mod_proxy_html-2.4.51-21.oe2203.aarch64.rpm
    mod_session-2.4.51-21.oe2203.aarch64.rpm
    mod_ssl-2.4.51-21.oe2203.aarch64.rpm
  x86_64:
    httpd-2.4.51-21.oe2203.x86_64.rpm
    httpd-devel-2.4.51-21.oe2203.x86_64.rpm
    httpd-tools-2.4.51-21.oe2203.x86_64.rpm
    httpd-debuginfo-2.4.51-21.oe2203.x86_64.rpm
    httpd-debugsource-2.4.51-21.oe2203.x86_64.rpm
    mod_ldap-2.4.51-21.oe2203.x86_64.rpm
    mod_md-2.4.51-21.oe2203.x86_64.rpm
    mod_proxy_html-2.4.51-21.oe2203.x86_64.rpm
    mod_session-2.4.51-21.oe2203.x86_64.rpm
    mod_ssl-2.4.51-21.oe2203.x86_64.rpm
  noarch:
    httpd-filesystem-2.4.51-21.oe2203.noarch.rpm
    httpd-help-2.4.51-21.oe2203.noarch.rpm
  src:
    httpd-2.4.51-21.oe2203.src.rpm

openEuler-22.03-LTS-SP1 (httpd 2.4.51-21.oe2203sp1)
  aarch64:
    httpd-2.4.51-21.oe2203sp1.aarch64.rpm
    httpd-devel-2.4.51-21.oe2203sp1.aarch64.rpm
    httpd-tools-2.4.51-21.oe2203sp1.aarch64.rpm
    httpd-debuginfo-2.4.51-21.oe2203sp1.aarch64.rpm
    httpd-debugsource-2.4.51-21.oe2203sp1.aarch64.rpm
    mod_ldap-2.4.51-21.oe2203sp1.aarch64.rpm
    mod_md-2.4.51-21.oe2203sp1.aarch64.rpm
    mod_proxy_html-2.4.51-21.oe2203sp1.aarch64.rpm
    mod_session-2.4.51-21.oe2203sp1.aarch64.rpm
    mod_ssl-2.4.51-21.oe2203sp1.aarch64.rpm
  x86_64:
    httpd-2.4.51-21.oe2203sp1.x86_64.rpm
    httpd-devel-2.4.51-21.oe2203sp1.x86_64.rpm
    httpd-tools-2.4.51-21.oe2203sp1.x86_64.rpm
    httpd-debuginfo-2.4.51-21.oe2203sp1.x86_64.rpm
    httpd-debugsource-2.4.51-21.oe2203sp1.x86_64.rpm
    mod_ldap-2.4.51-21.oe2203sp1.x86_64.rpm
    mod_md-2.4.51-21.oe2203sp1.x86_64.rpm
    mod_proxy_html-2.4.51-21.oe2203sp1.x86_64.rpm
    mod_session-2.4.51-21.oe2203sp1.x86_64.rpm
    mod_ssl-2.4.51-21.oe2203sp1.x86_64.rpm
  noarch:
    httpd-filesystem-2.4.51-21.oe2203sp1.noarch.rpm
    httpd-help-2.4.51-21.oe2203sp1.noarch.rpm
  src:
    httpd-2.4.51-21.oe2203sp1.src.rpm

openEuler-22.03-LTS-SP2 (httpd 2.4.51-21.oe2203sp2)
  aarch64:
    httpd-2.4.51-21.oe2203sp2.aarch64.rpm
    httpd-devel-2.4.51-21.oe2203sp2.aarch64.rpm
    httpd-tools-2.4.51-21.oe2203sp2.aarch64.rpm
    httpd-debuginfo-2.4.51-21.oe2203sp2.aarch64.rpm
    httpd-debugsource-2.4.51-21.oe2203sp2.aarch64.rpm
    mod_ldap-2.4.51-21.oe2203sp2.aarch64.rpm
    mod_md-2.4.51-21.oe2203sp2.aarch64.rpm
    mod_proxy_html-2.4.51-21.oe2203sp2.aarch64.rpm
    mod_session-2.4.51-21.oe2203sp2.aarch64.rpm
    mod_ssl-2.4.51-21.oe2203sp2.aarch64.rpm
  x86_64:
    httpd-2.4.51-21.oe2203sp2.x86_64.rpm
    httpd-devel-2.4.51-21.oe2203sp2.x86_64.rpm
    httpd-tools-2.4.51-21.oe2203sp2.x86_64.rpm
    httpd-debuginfo-2.4.51-21.oe2203sp2.x86_64.rpm
    httpd-debugsource-2.4.51-21.oe2203sp2.x86_64.rpm
    mod_ldap-2.4.51-21.oe2203sp2.x86_64.rpm
    mod_md-2.4.51-21.oe2203sp2.x86_64.rpm
    mod_proxy_html-2.4.51-21.oe2203sp2.x86_64.rpm
    mod_session-2.4.51-21.oe2203sp2.x86_64.rpm
    mod_ssl-2.4.51-21.oe2203sp2.x86_64.rpm
  noarch:
    httpd-filesystem-2.4.51-21.oe2203sp2.noarch.rpm
    httpd-help-2.4.51-21.oe2203sp2.noarch.rpm
  src:
    httpd-2.4.51-21.oe2203sp2.src.rpm

openEuler-22.03-LTS-SP3 (httpd 2.4.51-21.oe2203sp3)
  aarch64:
    httpd-2.4.51-21.oe2203sp3.aarch64.rpm
    httpd-devel-2.4.51-21.oe2203sp3.aarch64.rpm
    httpd-tools-2.4.51-21.oe2203sp3.aarch64.rpm
    httpd-debuginfo-2.4.51-21.oe2203sp3.aarch64.rpm
    httpd-debugsource-2.4.51-21.oe2203sp3.aarch64.rpm
    mod_ldap-2.4.51-21.oe2203sp3.aarch64.rpm
    mod_md-2.4.51-21.oe2203sp3.aarch64.rpm
    mod_proxy_html-2.4.51-21.oe2203sp3.aarch64.rpm
    mod_session-2.4.51-21.oe2203sp3.aarch64.rpm
    mod_ssl-2.4.51-21.oe2203sp3.aarch64.rpm
  x86_64:
    httpd-2.4.51-21.oe2203sp3.x86_64.rpm
    httpd-devel-2.4.51-21.oe2203sp3.x86_64.rpm
    httpd-tools-2.4.51-21.oe2203sp3.x86_64.rpm
    httpd-debuginfo-2.4.51-21.oe2203sp3.x86_64.rpm
    httpd-debugsource-2.4.51-21.oe2203sp3.x86_64.rpm
    mod_ldap-2.4.51-21.oe2203sp3.x86_64.rpm
    mod_md-2.4.51-21.oe2203sp3.x86_64.rpm
    mod_proxy_html-2.4.51-21.oe2203sp3.x86_64.rpm
    mod_session-2.4.51-21.oe2203sp3.x86_64.rpm
    mod_ssl-2.4.51-21.oe2203sp3.x86_64.rpm
  noarch:
    httpd-filesystem-2.4.51-21.oe2203sp3.noarch.rpm
    httpd-help-2.4.51-21.oe2203sp3.noarch.rpm
  src:
    httpd-2.4.51-21.oe2203sp3.src.rpm

Vulnerability details:

CVE-2023-38709
  Description: Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server through 2.4.58.
  Release date: 2024-05-10
  Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP4, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP2, openEuler-22.03-LTS-SP3
  Severity: Medium
  CVSS base score: 6.1
  CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  Remediation: httpd security update (2024-05-10), https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1553

CVE-2024-24795
  Description: HTTP response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
  Release date: 2024-05-10
  Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP4, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP2, openEuler-22.03-LTS-SP3
  Severity: Medium
  CVSS base score: 6.1
  CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  Remediation: httpd security update (2024-05-10), https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1553

CVE-2024-27316
  Description: HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
  Release date: 2024-05-10
  Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP4, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP2, openEuler-22.03-LTS-SP3
  Severity: High
  CVSS base score: 7.5
  CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Remediation: httpd security update (2024-05-10), https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1553