Mageia 2024-0118: apache security update
Summary
Apache has been updated to version 2.4.59 to fix CVE-2024-27316,
CVE-2024-24795 and CVE-2023-38709.
CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on
endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily buffered in
nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
Credits: Bartek Nowotarski (https://nowotarski.info/)
CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple
modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP Server allows
an attacker that can inject malicious response
headers into backend applications to cause an HTTP desynchronization
attack.
Users are recommended to upgrade to version 2.4.59, which fixes this
issue.
Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory.
CVE-2023-38709: Apache HTTP Server: HTTP response splitting
(cve.mitre.org)
Faulty input validation in the core of Apache allows malicious or
exploitable backend/content generators to split HTTP responses.
This issue affects Apache HTTP Server: through 2.4.58.
Credits: Orange Tsai (@orange_8361) from DEVCORE
References
- https://bugs.mageia.org/show_bug.cgi?id=33059
- https://www.openwall.com/lists/oss-security/2024/04/03/16
- https://nowotarski.info/http2-continuation-flood/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709
Resolution
MGASA-2024-0118 - Updated apache packages fix security vulnerabilities
SRPMS
- 9/core/apache-2.4.59-1.mga9