操作系统--麒麟信安操作系统,国产操作系统,麒麟信安云桌面—

公告ID (KylinSec-SA-2024-4804)

摘要:

httpd security update

安全等级: High

公告ID: KylinSec-SA-2024-4804

发布日期: 2025年2月17日

关联CVE: CVE-2024-38477 CVE-2024-38474 CVE-2024-36387

详细介绍

1. 漏洞描述

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.(CVE-2024-36387)

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in
directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.

Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.(CVE-2024-38474)

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.
Users are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)

2. 影响范围

cve名称	产品	组件	是否受影响
CVE-2024-38477	V6	httpd	Fixed
CVE-2024-38474	V6	httpd	Fixed
CVE-2024-36387	V6	mod_http2	Fixed

3. 影响组件

httpd

4. 修复版本

V6

软件名称	架构	版本号
httpd-filesystem	noarch	2.4.58-7.ks6.kb1
httpd-help	noarch	2.4.58-7.ks6.kb1
httpd	x86_64	2.4.58-7.ks6.kb1
httpd-devel	x86_64	2.4.58-7.ks6.kb1
httpd-tools	x86_64	2.4.58-7.ks6.kb1
mod_ldap	x86_64	2.4.58-7.ks6.kb1
mod_md	x86_64	2.4.58-7.ks6.kb1
mod_proxy_html	x86_64	2.4.58-7.ks6.kb1
mod_session	x86_64	2.4.58-7.ks6.kb1
mod_ssl	x86_64	2.4.58-7.ks6.kb1
httpd	aarch64	2.4.58-7.ks6.kb1
httpd-devel	aarch64	2.4.58-7.ks6.kb1
httpd-tools	aarch64	2.4.58-7.ks6.kb1
mod_ldap	aarch64	2.4.58-7.ks6.kb1
mod_md	aarch64	2.4.58-7.ks6.kb1
mod_proxy_html	aarch64	2.4.58-7.ks6.kb1
mod_session	aarch64	2.4.58-7.ks6.kb1
mod_ssl	aarch64	2.4.58-7.ks6.kb1