I worked around the yum issue by using a local yum repository for the systems that gave the malloc error when trying to pull the file down from IBM.
Original Message:
Sent: Tue March 28, 2023 09:18 AM
From: minesh patel
Subject: Please update httpd > httpd-2.4.56
Try to use DNF to install httpd, or smitty install if it is a *.rpm file.
Original Message:
Sent: 3/27/2023 3:40:00 PM
From: Lisa Isaly
Subject: RE: Please update httpd > httpd-2.4.56
Thanks for providing this update. When I try to install it using yum ("yum update httpd"), I get this error on some systems:
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml: [Errno 14] curl#27 - "SSL: couldn't create a context: error:140A6041:SSL routines:ssl_create_cipher_list:malloc failure"
Trying other mirror.
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc-7.2/repodata/repomd.xml: [Errno 14] curl#27 - "SSL: couldn't create a context: error:140A6041:SSL routines:ssl_create_cipher_list:malloc failure"
Trying other mirror.
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml: [Errno 14] curl#27 - "SSL: couldn't create a context: error:140A6041:SSL routines:ssl_create_cipher_list:malloc failure"
Trying other mirror.
Setting up Update Process
No Packages marked for Update
These systems are all OS 7200-04-01-1939 running httpd-2.4.55-1.ppc and openssl.base:1.1.2.1202
------------------------------
Lisa Isaly
Original Message:
Sent: Fri March 24, 2023 01:20 PM
From: RESHMA KUMAR
Subject: Please update httpd > httpd-2.4.56
Httpd 2.4.56 is now available in AIX Toolbox.
https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/httpd/httpd-2.4.56-1.aix7.1.ppc.rpm
You can use dnf to update to this version.
------------------------------
RESHMA KUMAR
Original Message:
Sent: Thu March 23, 2023 05:47 AM
From: Ayappan P
Subject: Please update httpd > httpd-2.4.56
We will be updating httpd to 2.4.56 in AIX Toolbox in a day or two.
------------------------------
Ayappan P
Original Message:
Sent: Wed March 22, 2023 01:17 AM
From: De Quan Qu
Subject: Please update httpd > httpd-2.4.56
I'm sorry, when will httpd 2.4.56 be updated?
------------------------------
De Quan Qu
Original Message:
Sent: Fri March 10, 2023 04:27 AM
From: RESHMA KUMAR
Subject: Please update httpd > httpd-2.4.56
Thanks for reporting this. We will update httpd in AIX Toolbox to 2.4.56 soon.
------------------------------
RESHMA KUMAR
Original Message:
Sent: Fri March 10, 2023 03:03 AM
From: De Quan Qu
Subject: Please update httpd > httpd-2.4.56
- HTTP request splitting with mod_rewrite and mod_proxy: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule ^/here/(.*) http://example.com:8080/elsewhere?$1; [P]
    ProxyPassReverse /here/ http://example.com:8080/

  Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Acknowledgements: finder: Lars Krapf of Adobe (CVE-2023-25690)

- Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. Acknowledgements: finder: Dimas Fariski Setyawan Putra (nyxsorcerer) (CVE-2023-27522)
------------------------------
De Quan Qu
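
An added example, not part of the thread and not IBM or Apache tooling: a small Python audit that flags the configuration shape the advisory text above describes for CVE-2023-25690, that is, a proxied RewriteRule or a ProxyPassMatch whose broad capture is re-inserted into the target, so hosts with such rules can be prioritised for the 2.4.56 update. The regexes that decide what counts as a "non-specific" pattern, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample config (not from the thread); line 2 is the advisory's example.
SAMPLE_CONF = r'''RewriteEngine on
RewriteRule ^/here/(.*) http://example.com:8080/elsewhere?$1; [P]
RewriteRule "^/img/([0-9]+)$" "http://example.com:8080/img/$1" [P,L]
RewriteRule ^/old/(.*) /new/$1 [R=301,L]
ProxyPassMatch ^/app/(.*)$ http://example.com:8080/app/$1
ProxyPass /static/ http://example.com:8080/static/
# RewriteRule ^/x/(.*) http://example.com/$1 [P]
'''

TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')           # quoted or bare argument
# Assumed heuristic for a "non-specific pattern": unescaped .* or .+, or [^x]* / [^x]+
BROAD = re.compile(r'(?<!\\)\.[*+]|\[\^[^\]]*\][*+]')
BACKREF = re.compile(r'\$[1-9]')                        # capture re-inserted into target


def is_proxied(flags):
    """True if a RewriteRule flag list such as [P,L] or [proxy] proxies the request."""
    names = {f.split('=')[0].strip().lower() for f in flags.strip('[]').split(',')}
    return bool(names & {'p', 'proxy'})


def audit(conf_text):
    """Return (line number, directive, pattern) for each rule matching the advisory's shape."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                                    # skip blanks and comments
        tok = [t.strip('"') for t in TOKEN.findall(line)]
        if len(tok) < 3:
            continue
        directive = tok[0].lower()
        if directive == 'rewriterule':
            proxied = len(tok) > 3 and is_proxied(tok[3])
        elif directive == 'proxypassmatch':
            proxied = True                              # always forwards to a backend
        else:
            continue
        if proxied and BROAD.search(tok[1]) and BACKREF.search(tok[2]):
            findings.append((lineno, tok[0], tok[1]))
    return findings


if __name__ == '__main__':
    for lineno, directive, pattern in audit(SAMPLE_CONF):
        print(f'line {lineno}: {directive} re-inserts broad capture {pattern!r} into a proxied target')
```

The check reads one directive per line and does not follow Include directives or backslash line continuations, so a clean result on a single file does not mean the running configuration is unaffected.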
Original Message:
Sent: Thu March 09, 2023 08:34 PM
From: De Quan Qu
Subject: Please update httpd > httpd-2.4.56
Tenable is reporting these vulnerabilities in IBM httpd-2.4.x, please update to 2.4.56
The version of Apache httpd installed on the remote host is prior to 2.4.56.
It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.56 advisory.
------------------------------
De Quan Qu