安全公告详情

NS-SA-2024-0032

2024-07-01 19:14:58

简介

important: httpd/dnsmasq security update

严重级别

important

主题

An update for httpd/dnsmasq is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

httpd:
dnsmasq:


Security Fix(es):
httpd: A flaw was found in the mod_proxy module of httpd. A malicious backend can cause the response headers to be truncated because they are not cleaned when an error is found while reading them, resulting in some headers being incorporated into the response body and not being interpreted by a client.(CVE-2022-37436)
httpd: A flaw was found in the mod_proxy_ajp module of httpd. The connection is not closed when there is an invalid Transfer-Encoding header, allowing an attacker to smuggle requests to the AJP server, where it forwards requests.(CVE-2022-36760)
httpd: A vulnerability was found in httpd. This security issue occurs when some mod_proxy configurations on Apache HTTP Server allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.(CVE-2023-25690)
httpd: An HTTP Response Smuggling vulnerability was found in the Apache HTTP Server via mod_proxy_uwsgi. This security issue occurs when special characters in the origin response header can truncate or split the response forwarded to the client.(CVE-2023-27522)
httpd: bugfix
dnsmasq: A flaw was found in Dnsmasq. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.(CVE-2023-28450)
dnsmasq: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.F0B9.

影响组件

  • httpd
  • dnsmasq

影响产品

  • CGSL MAIN 6.02

更新包

{"fix":[{"product":"CGSL MAIN 6.02","pkgs":[{"binary":["httpd-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.x86_64.rpm","httpd-devel-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.x86_64.rpm","httpd-filesystem-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.noarch.rpm","httpd-manual-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.noarch.rpm","httpd-tools-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.x86_64.rpm","mod_ssl-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.x86_64.rpm"],"source":"httpd-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.src.rpm"},{"binary":["dnsmasq-2.79-19.el8.cgslv6_2.1.g42a8dfc.x86_64.rpm","dnsmasq-utils-2.79-19.el8.cgslv6_2.1.g42a8dfc.x86_64.rpm"],"source":"dnsmasq-2.79-19.el8.cgslv6_2.1.g42a8dfc.src.rpm"}]}]}
CGSL MAIN 6.02
  • httpd-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.src.rpm
    • httpd-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.x86_64.rpm
    • httpd-devel-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.x86_64.rpm
    • httpd-filesystem-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.noarch.rpm
    • httpd-manual-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.noarch.rpm
    • httpd-tools-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.x86_64.rpm
    • mod_ssl-2.4.37-51.module+el8.7.0+18026+7b169787.1.cgslv6_2.2.g9aeac14.x86_64.rpm
  • dnsmasq-2.79-19.el8.cgslv6_2.1.g42a8dfc.src.rpm
    • dnsmasq-2.79-19.el8.cgslv6_2.1.g42a8dfc.x86_64.rpm
    • dnsmasq-utils-2.79-19.el8.cgslv6_2.1.g42a8dfc.x86_64.rpm

CVE

参考

© 2004-2023 广东中兴新支点技术有限公司 版权所有 (www.gd-linux.com) 粤ICP备15061780号-2

全国服务热线:400-033-0108