An update for httpd is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3

Document type: Security Advisory
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Advisory ID: openEuler-SA-2022-1596
Status: Final
Version: 1.0
Revision history: 1.0, 2022-03-26, Initial
Initial release date: 2022-03-26
Current release date: 2022-03-26
Generator: openEuler SA Tool V1.0 (2022-03-26)

Synopsis: httpd security update

Description:

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

- Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. (CVE-2022-23943)
- If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. (CVE-2022-22721)
- Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. (CVE-2022-22720)
- A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. (CVE-2022-22719)

Topic:

openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Severity: High
Affected component: httpd

References:

- https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1596
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23943
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-22721
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-22720
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-22719
- https://nvd.nist.gov/vuln/detail/CVE-2022-23943
- https://nvd.nist.gov/vuln/detail/CVE-2022-22721
- https://nvd.nist.gov/vuln/detail/CVE-2022-22720
- https://nvd.nist.gov/vuln/detail/CVE-2022-22719

Affected products:

- openEuler-20.03-LTS-SP1
- openEuler-20.03-LTS-SP2
- openEuler-20.03-LTS-SP3

Updated packages:

aarch64:
- mod_ssl-2.4.43-14.oe1.aarch64.rpm
- httpd-tools-2.4.43-14.oe1.aarch64.rpm
- mod_ldap-2.4.43-14.oe1.aarch64.rpm
- httpd-devel-2.4.43-14.oe1.aarch64.rpm
- httpd-debuginfo-2.4.43-14.oe1.aarch64.rpm
- httpd-2.4.43-14.oe1.aarch64.rpm
- mod_proxy_html-2.4.43-14.oe1.aarch64.rpm
- mod_md-2.4.43-14.oe1.aarch64.rpm
- mod_session-2.4.43-14.oe1.aarch64.rpm
- httpd-debugsource-2.4.43-14.oe1.aarch64.rpm

noarch:
- httpd-help-2.4.43-14.oe1.noarch.rpm
- httpd-filesystem-2.4.43-14.oe1.noarch.rpm

src:
- httpd-2.4.43-14.oe1.src.rpm

x86_64:
- mod_md-2.4.43-14.oe1.x86_64.rpm
- httpd-2.4.43-14.oe1.x86_64.rpm
- mod_ssl-2.4.43-14.oe1.x86_64.rpm
- httpd-tools-2.4.43-14.oe1.x86_64.rpm
- httpd-devel-2.4.43-14.oe1.x86_64.rpm
- mod_ldap-2.4.43-14.oe1.x86_64.rpm
- mod_proxy_html-2.4.43-14.oe1.x86_64.rpm
- mod_session-2.4.43-14.oe1.x86_64.rpm
- httpd-debuginfo-2.4.43-14.oe1.x86_64.rpm
- httpd-debugsource-2.4.43-14.oe1.x86_64.rpm

Vulnerability details:

CVE-2022-23943
Release date: 2022-03-26
Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2, openEuler-20.03-LTS-SP3
Severity: High
CVSS base score: 8.1
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Remediation: httpd security update, 2022-03-26, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1596

CVE-2022-22721
Release date: 2022-03-26
Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2, openEuler-20.03-LTS-SP3
Severity: High
CVSS base score: 7.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Remediation: httpd security update, 2022-03-26, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1596

CVE-2022-22720
Release date: 2022-03-26
Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2, openEuler-20.03-LTS-SP3
Severity: High
CVSS base score: 7.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Remediation: httpd security update, 2022-03-26, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1596

CVE-2022-22719
Release date: 2022-03-26
Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2, openEuler-20.03-LTS-SP3
Severity: Medium
CVSS base score: 4.3
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Remediation: httpd security update, 2022-03-26, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1596