ELSA-2021-4537

ELSA-2021-4537 - httpd:2.4 security update

Type:	SECURITY
Impact:	IMPORTANT
Release Date:	2021-11-18

Description

httpd
[2.4.37-43.0.1]
- Set vstring per ORACLE_SUPPORT_PRODUCT [Orabug: 29892262]
- Replace index.html with Oracle's index page oracle_index.html.

[2.4.37-43]
- Related: #2007235 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
a crafted request uri-path

[2.4.37-42]
- Resolves: #2007235 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
a crafted request uri-path
- Resolves: #2014063 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in
mod_session

[2.4.37-41]
- Resolves: #1680111 - httpd sends reply to HTTPS GET using two TLS records
- Resolves: #1905613 - mod_ssl does not like valid certificate chain
- Resolves: #1935742 - [RFE] backport samesite/httponly/secure flags for
usertrack
- Resolves: #1972500 - CVE-2021-30641 httpd:2.4/httpd: MergeSlashes regression
- Resolves: #1968307 - CVE-2021-26690 httpd:2.4/httpd: mod_session NULL pointer
dereference in parser
- Resolves: #1934741 - Apache trademark update - new logo

[2.4.37-40]
- Resolves: #1952557 - mod_proxy_wstunnel.html is a malformed XML
- Resolves: #1937334 - SSLProtocol with based virtual hosts

mod_http2
[1.15.7-3]
- Resolves: #1869077 - CVE-2020-11993 httpd:2.4/mod_http2: httpd:
mod_http2 concurrent pool usage

mod_md
[1:2.0.8-8]
- Resolves: #1832844 - mod_md does not work with ACME server that does not
provide keyChange or revokeCert resources

Related CVEs

CVE-2021-20325

Updated Packages

Release/Architecture	Filename	sha256	Superseded By Advisory	Channel Label
Oracle Linux 8 (aarch64)	httpd-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.src.rpm	e9752d9ace2087eb054497e01f883f1a1b7610d1153d1c0df337f8dd1b9ce49d	-	ol8_aarch64_appstream
	mod_http2-1.15.7-3.module+el8.4.0+20024+b87b2deb.src.rpm	a825aa32e247302cfffb427b8ceaf978d4e2f1d294d7f523d6ea1aadb124bf2d	-	ol8_aarch64_appstream
	mod_md-2.0.8-8.module+el8.3.0+7816+49791cfd.src.rpm	964586d1cb6f8a232b71f89b8f82f4970b2c0e1c1300d1fac8d7a902dfe879cb	-	ol8_aarch64_appstream
	httpd-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.aarch64.rpm	70b10f2ec1a2b67622cd94639f019211bb7126f90305c5bc3dd2ba8b93de8c88	-	ol8_aarch64_appstream
	httpd-devel-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.aarch64.rpm	10a81566bb0e37afa372734565067e161168a54166c6de878e789c7d6a3f4c8f	-	ol8_aarch64_appstream
	httpd-filesystem-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.noarch.rpm	d362e2f1922b5e80dd1cff937f9390ec1775ac1cfffa833b240a629116022935	-	ol8_aarch64_appstream
	httpd-manual-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.noarch.rpm	b4374d863d106f411f009108f896e681276db24dfd2c34b60bc1ecc018910835	-	ol8_aarch64_appstream
	httpd-tools-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.aarch64.rpm	8df6cac6105c8621a71fddc533529c03d93b31fb5c4de208cae80ca2d4fce215	-	ol8_aarch64_appstream
	mod_http2-1.15.7-3.module+el8.4.0+20024+b87b2deb.aarch64.rpm	48c211ad4477b6c8230e9683533f757a3549be1d1e25f509cdfce3a8d2f318b6	-	ol8_aarch64_appstream
	mod_ldap-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.aarch64.rpm	0e92526248c0fb164c6fee9eea27234bda63960503c7b0ff6f0b2fb3f257782f	-	ol8_aarch64_appstream
	mod_md-2.0.8-8.module+el8.3.0+7816+49791cfd.aarch64.rpm	59828ad0b80a3834a86568cf0b9789c1f921dfc22ea814250ce6846afb30ba5f	-	ol8_aarch64_appstream
	mod_proxy_html-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.aarch64.rpm	806dba942bfbba87236704accdfb476617ca4d7dac05e39faed9824c274d3deb	-	ol8_aarch64_appstream
	mod_session-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.aarch64.rpm	528b2e57ebf0130f9bf2317b4d2a895e5bcf42b88b9622b1319e510198c26f70	-	ol8_aarch64_appstream
	mod_ssl-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.aarch64.rpm	48a2635aaa09eb8463a4712e82263701aac511da7d99f32cae6441af818188f2	-	ol8_aarch64_appstream
Oracle Linux 8 (x86_64)	httpd-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.src.rpm	e9752d9ace2087eb054497e01f883f1a1b7610d1153d1c0df337f8dd1b9ce49d	-	ol8_x86_64_appstream
	mod_http2-1.15.7-3.module+el8.4.0+20024+b87b2deb.src.rpm	a825aa32e247302cfffb427b8ceaf978d4e2f1d294d7f523d6ea1aadb124bf2d	-	ol8_x86_64_appstream
	mod_md-2.0.8-8.module+el8.3.0+7816+49791cfd.src.rpm	964586d1cb6f8a232b71f89b8f82f4970b2c0e1c1300d1fac8d7a902dfe879cb	-	ol8_x86_64_appstream
	httpd-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.x86_64.rpm	54d87509d7a648b0f3f3a8fc62e3e92b5abc1292859d68dc8f046e82b705181f	-	ol8_x86_64_appstream
	httpd-devel-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.x86_64.rpm	9e562abbef002fa8cf93a9307bf59f4ad0d113cce8249dcc2005912eec2ab25a	-	ol8_x86_64_appstream
	httpd-filesystem-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.noarch.rpm	d362e2f1922b5e80dd1cff937f9390ec1775ac1cfffa833b240a629116022935	-	ol8_x86_64_appstream
	httpd-manual-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.noarch.rpm	b4374d863d106f411f009108f896e681276db24dfd2c34b60bc1ecc018910835	-	ol8_x86_64_appstream
	httpd-tools-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.x86_64.rpm	47517d14aa6db33047be9ed9e8b2700fa8e7167488f60e798c9242f8111987b9	-	ol8_x86_64_appstream
	mod_http2-1.15.7-3.module+el8.4.0+20024+b87b2deb.x86_64.rpm	2aaaad69193253ef2e42e24a199ca542ce5a5958773ab46180b297744cfa4706	-	ol8_x86_64_appstream
	mod_ldap-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.x86_64.rpm	126067db90735b47d2098f27af392aff3a91cbd19a00e370911d20019bc64bd5	-	ol8_x86_64_appstream
	mod_md-2.0.8-8.module+el8.3.0+7816+49791cfd.x86_64.rpm	145c47237014a0d3b92273ad9863060c4dde48fd83ccdc814e191954d78ebe22	-	ol8_x86_64_appstream
	mod_proxy_html-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.x86_64.rpm	964bda115be6406c3a84510eaf725d203f76c2d4fec0adaf558387c3f32b1afc	-	ol8_x86_64_appstream
	mod_session-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.x86_64.rpm	e84232673b7a9aaf3f94c4643007dfc4ddc937fda6ae26d58dd447b063db2065	-	ol8_x86_64_appstream
	mod_ssl-2.4.37-43.0.1.module+el8.5.0+20426+404a9eb9.x86_64.rpm	bb1fcdeea3b87e282952d838a5dd7582fb7daa5de06ee4773b04acf7f6851fda	-	ol8_x86_64_appstream

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team