ELSA-2020-4751 - httpd:2.4 security, bug fix, and enhancement update

Type: SECURITY
Impact: MODERATE
Release Date: 2020-11-10

Description


httpd
[2.4.37-13.0.1]
- Set vstring per ORACLE_SUPPORT_PRODUCT [Orabug: 29892262]
- Replace index.html with Oracle's index page oracle_index.html

[2.4.37-30]
- Resolves: #1209162 - support logging to journald from CustomLog

[2.4.37-29]
- Resolves: #1823263 (CVE-2020-1934) - CVE-2020-1934 httpd: mod_proxy_ftp use of uninitialized value

[2.4.37-28]
- Related: #1771847 - BalancerMember ping parameter for mod_proxy_http doesn't work

[2.4.37-27]
- Resolves: #1823259 - CVE-2020-1927 httpd:2.4/httpd: mod_rewrite configurations vulnerable to open redirect
- Resolves: #1747284 - CVE-2019-10098 httpd:2.4/httpd: mod_rewrite potential open redirect
- Resolves: #1747281 - CVE-2019-10092 httpd:2.4/httpd: limited cross-site scripting in mod_proxy error page
- Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference in mod_remoteip
- Resolves: #1771847 - BalancerMember ping parameter for mod_proxy_http doesn't work
- Resolves: #1794728 - Backport of SessionExpiryUpdateInterval directive

mod_http2
[1.15.7-2]
- Resolves: #1869073 - CVE-2020-9490 httpd:2.4/mod_http2: httpd: Push diary crash on specifically crafted HTTP/2 header

[1.15.7-1]
- new version 1.15.7
- Resolves: #1814236 - RFE: mod_http2 rebase
- Resolves: #1747289 - CVE-2019-10082 httpd:2.4/mod_http2: httpd: read-after-free in h2 connection shutdown
- Resolves: #1696099 - CVE-2019-0197 httpd:2.4/mod_http2: httpd: mod_http2: possible crash on late upgrade
- Resolves: #1696094 - CVE-2019-0196 httpd:2.4/mod_http2: httpd: mod_http2: read-after-free on a string compare
- Resolves: #1677591 - CVE-2018-17189 httpd:2.4/mod_http2: httpd: mod_http2: DoS via slow, unneeded request bodies

mod_md
[1:2.0.8-8]
- Resolves: #1832844 - mod_md does not work with ACME server that does not provide keyChange or revokeCert resources


Related CVEs


CVE-2019-10082
CVE-2018-17189
CVE-2020-1927
CVE-2019-10081
CVE-2019-10097
CVE-2019-10092
CVE-2019-0197
CVE-2019-10098
CVE-2020-1934
CVE-2019-0196

Updated Packages


Oracle Linux 8 (aarch64), channel label ol8_aarch64_appstream
- httpd-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.src.rpm
- mod_http2-1.15.7-2.module+el8.3.0+7816+49791cfd.src.rpm
- mod_md-2.0.8-8.module+el8.3.0+7816+49791cfd.src.rpm
- httpd-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.aarch64.rpm
- httpd-devel-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.aarch64.rpm
- httpd-filesystem-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.noarch.rpm
- httpd-manual-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.noarch.rpm
- httpd-tools-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.aarch64.rpm
- mod_http2-1.15.7-2.module+el8.3.0+7816+49791cfd.aarch64.rpm
- mod_ldap-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.aarch64.rpm
- mod_md-2.0.8-8.module+el8.3.0+7816+49791cfd.aarch64.rpm
- mod_proxy_html-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.aarch64.rpm
- mod_session-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.aarch64.rpm
- mod_ssl-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.aarch64.rpm

Oracle Linux 8 (x86_64), channel label ol8_x86_64_appstream
- httpd-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.src.rpm
- mod_http2-1.15.7-2.module+el8.3.0+7816+49791cfd.src.rpm
- mod_md-2.0.8-8.module+el8.3.0+7816+49791cfd.src.rpm
- httpd-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.x86_64.rpm
- httpd-devel-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.x86_64.rpm
- httpd-filesystem-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.noarch.rpm
- httpd-manual-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.noarch.rpm
- httpd-tools-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.x86_64.rpm
- mod_http2-1.15.7-2.module+el8.3.0+7816+49791cfd.x86_64.rpm
- mod_ldap-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.x86_64.rpm
- mod_md-2.0.8-8.module+el8.3.0+7816+49791cfd.x86_64.rpm
- mod_proxy_html-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.x86_64.rpm
- mod_session-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.x86_64.rpm
- mod_ssl-2.4.37-30.0.1.module+el8.3.0+7816+49791cfd.x86_64.rpm



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.
