An update for httpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2022-1596
Final
1.0
1.0
2022-03-26
Initial
2022-03-26
2022-03-26
openEuler SA Tool V1.0
2022-03-26
httpd security update
An update for httpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.
Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.
Security Fix(es):
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.(CVE-2022-23943)
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.(CVE-2022-22721)
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling(CVE-2022-22720)
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.(CVE-2022-22719)
An update for httpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
High
httpd
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1596
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23943
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-22721
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-22720
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-22719
https://nvd.nist.gov/vuln/detail/CVE-2022-23943
https://nvd.nist.gov/vuln/detail/CVE-2022-22721
https://nvd.nist.gov/vuln/detail/CVE-2022-22720
https://nvd.nist.gov/vuln/detail/CVE-2022-22719
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
openEuler-20.03-LTS-SP3
mod_ssl-2.4.43-14.oe1.aarch64.rpm
httpd-tools-2.4.43-14.oe1.aarch64.rpm
mod_ldap-2.4.43-14.oe1.aarch64.rpm
httpd-devel-2.4.43-14.oe1.aarch64.rpm
httpd-debuginfo-2.4.43-14.oe1.aarch64.rpm
httpd-2.4.43-14.oe1.aarch64.rpm
mod_proxy_html-2.4.43-14.oe1.aarch64.rpm
mod_md-2.4.43-14.oe1.aarch64.rpm
mod_session-2.4.43-14.oe1.aarch64.rpm
httpd-debugsource-2.4.43-14.oe1.aarch64.rpm
mod_session-2.4.43-14.oe1.aarch64.rpm
mod_ldap-2.4.43-14.oe1.aarch64.rpm
httpd-tools-2.4.43-14.oe1.aarch64.rpm
httpd-debuginfo-2.4.43-14.oe1.aarch64.rpm
mod_md-2.4.43-14.oe1.aarch64.rpm
mod_proxy_html-2.4.43-14.oe1.aarch64.rpm
httpd-debugsource-2.4.43-14.oe1.aarch64.rpm
httpd-2.4.43-14.oe1.aarch64.rpm
httpd-devel-2.4.43-14.oe1.aarch64.rpm
mod_ssl-2.4.43-14.oe1.aarch64.rpm
httpd-debugsource-2.4.43-14.oe1.aarch64.rpm
httpd-devel-2.4.43-14.oe1.aarch64.rpm
mod_proxy_html-2.4.43-14.oe1.aarch64.rpm
mod_session-2.4.43-14.oe1.aarch64.rpm
mod_ldap-2.4.43-14.oe1.aarch64.rpm
httpd-tools-2.4.43-14.oe1.aarch64.rpm
httpd-2.4.43-14.oe1.aarch64.rpm
mod_md-2.4.43-14.oe1.aarch64.rpm
mod_ssl-2.4.43-14.oe1.aarch64.rpm
httpd-debuginfo-2.4.43-14.oe1.aarch64.rpm
httpd-help-2.4.43-14.oe1.noarch.rpm
httpd-filesystem-2.4.43-14.oe1.noarch.rpm
httpd-filesystem-2.4.43-14.oe1.noarch.rpm
httpd-help-2.4.43-14.oe1.noarch.rpm
httpd-filesystem-2.4.43-14.oe1.noarch.rpm
httpd-help-2.4.43-14.oe1.noarch.rpm
httpd-2.4.43-14.oe1.src.rpm
httpd-2.4.43-14.oe1.src.rpm
httpd-2.4.43-14.oe1.src.rpm
mod_md-2.4.43-14.oe1.x86_64.rpm
httpd-2.4.43-14.oe1.x86_64.rpm
mod_ssl-2.4.43-14.oe1.x86_64.rpm
httpd-tools-2.4.43-14.oe1.x86_64.rpm
httpd-devel-2.4.43-14.oe1.x86_64.rpm
mod_ldap-2.4.43-14.oe1.x86_64.rpm
mod_proxy_html-2.4.43-14.oe1.x86_64.rpm
mod_session-2.4.43-14.oe1.x86_64.rpm
httpd-debuginfo-2.4.43-14.oe1.x86_64.rpm
httpd-debugsource-2.4.43-14.oe1.x86_64.rpm
httpd-2.4.43-14.oe1.x86_64.rpm
mod_session-2.4.43-14.oe1.x86_64.rpm
httpd-debugsource-2.4.43-14.oe1.x86_64.rpm
httpd-devel-2.4.43-14.oe1.x86_64.rpm
httpd-tools-2.4.43-14.oe1.x86_64.rpm
mod_ssl-2.4.43-14.oe1.x86_64.rpm
mod_proxy_html-2.4.43-14.oe1.x86_64.rpm
httpd-debuginfo-2.4.43-14.oe1.x86_64.rpm
mod_md-2.4.43-14.oe1.x86_64.rpm
mod_ldap-2.4.43-14.oe1.x86_64.rpm
mod_proxy_html-2.4.43-14.oe1.x86_64.rpm
httpd-devel-2.4.43-14.oe1.x86_64.rpm
mod_ldap-2.4.43-14.oe1.x86_64.rpm
mod_session-2.4.43-14.oe1.x86_64.rpm
httpd-debuginfo-2.4.43-14.oe1.x86_64.rpm
httpd-tools-2.4.43-14.oe1.x86_64.rpm
mod_ssl-2.4.43-14.oe1.x86_64.rpm
mod_md-2.4.43-14.oe1.x86_64.rpm
httpd-2.4.43-14.oe1.x86_64.rpm
httpd-debugsource-2.4.43-14.oe1.x86_64.rpm
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.
2022-03-26
CVE-2022-23943
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
openEuler-20.03-LTS-SP3
High
8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
httpd security update
2022-03-26
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1596
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
2022-03-26
CVE-2022-22721
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
openEuler-20.03-LTS-SP3
High
7.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
httpd security update
2022-03-26
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1596
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling
2022-03-26
CVE-2022-22720
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
openEuler-20.03-LTS-SP3
High
7.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
httpd security update
2022-03-26
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1596
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.
2022-03-26
CVE-2022-22719
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
openEuler-20.03-LTS-SP3
Medium
4.3
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
httpd security update
2022-03-26
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1596