AIX Open Source


Please update httpd > httpd-2.4.56

  • 1.  Please update httpd > httpd-2.4.56

    Posted Fri March 10, 2023 01:26 AM

    Tenable is reporting these vulnerabilities in IBM httpd-2.4.x, please update to 2.4.56

    The version of Apache httpd installed on the remote host is prior to 2.4.56.
    It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.56 advisory.



    ------------------------------
    De Quan Qu
    ------------------------------


  • 2.  RE: Please update httpd > httpd-2.4.56

    Posted Fri March 10, 2023 03:04 AM
      - Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

            RewriteEngine on
            RewriteRule ^/here/(.*)  http://example.com:8080/elsewhere?$1 [P]
            ProxyPassReverse /here/ http://example.com:8080/

        Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Acknowledgements: finder: Lars Krapf of Adobe (CVE-2023-25690)

      - Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.
        Special characters in the origin response header can truncate/split the response forwarded to the client.
        Acknowledgements: finder: Dimas Fariski Setyawan Putra (nyxsorcerer) (CVE-2023-27522)


    ------------------------------
    De Quan Qu
    ------------------------------
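The advisory quoted in the post above describes the affected shape precisely: a RewriteRule carrying the [P] flag, or a ProxyPassMatch, whose proxied target re-inserts a backreference captured from the request-target. The following is an added example (not from the thread, from IBM or from the Apache project) of a small configuration linter that flags directives of that shape so an administrator can locate them before or while upgrading. The sample configuration and host names in it are constructed for the example, and the check is a heuristic on single-line directives, not a parser of the full httpd grammar.

```python
"""Flag httpd proxy rules that substitute captured request-target data into the
proxied URL, the configuration pattern described for CVE-2023-25690.

Added example; heuristic only. Directives are expected on single lines."""
import re
from typing import List, Tuple

# Constructed sample configuration (hypothetical hosts), not from the original post.
SAMPLE_CONFIG = """\
RewriteEngine on
# Broad pattern; captured request-target data is re-inserted into the proxied URL with [P]
RewriteRule ^/here/(.*)  http://example.com:8080/elsewhere?$1 [P]
ProxyPassReverse /here/ http://example.com:8080/
# Same shape via ProxyPassMatch, which always proxies
ProxyPassMatch ^/api/(.*)$ http://backend.internal:9000/v1/$1
# Proxies, but the target is fixed: no request data is substituted
RewriteRule ^/static/logo\\.png$ http://cdn.internal/logo.png [P]
# Substitutes $1, but only redirects (no P flag), so mod_proxy is not involved
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
"""

# $1..$9 come from the RewriteRule pattern, %1..%9 from a preceding RewriteCond.
BACKREF = re.compile(r"(\$[1-9]|%[1-9])")
# directive, pattern, target and an optional [flags] group.
RULE = re.compile(
    r"^(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?",
    re.IGNORECASE,
)


def has_proxy_flag(flags: str) -> bool:
    """True if the RewriteRule flag list contains P (or its long form, proxy)."""
    for flag in flags.split(","):
        name = flag.strip().split("=", 1)[0].lower()
        if name in ("p", "proxy"):
            return True
    return False


def lint_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, directive, line) for each proxying rule whose target
    contains a backreference to user-supplied request-target data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = RULE.match(stripped)
        if not match:
            continue
        directive, _pattern, target, flags = match.groups()
        flags = flags or ""
        # ProxyPassMatch always proxies; RewriteRule only does so with the P flag.
        proxied = directive.lower() == "proxypassmatch" or has_proxy_flag(flags)
        if proxied and BACKREF.search(target):
            findings.append((lineno, directive, stripped))
    return findings


if __name__ == "__main__":
    for lineno, directive, line in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} substitutes request data into proxied target: {line}")
```

Run against the sample, the linter reports lines 3 and 6 and stays silent on the fixed-target proxy rule and the redirect-only rule. Pointing `lint_config` at the contents of the real httpd.conf and its included files gives a list of rules to review while the upgrade is scheduled.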



  • 3.  RE: Please update httpd > httpd-2.4.56

    Posted Fri March 10, 2023 04:28 AM

    Thanks for reporting this. We will update httpd in AIX Toolbox to 2.4.56 soon.



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 4.  RE: Please update httpd > httpd-2.4.56

    Posted Wed March 22, 2023 01:18 AM

    I'm sorry, when will the httpd 2.4.56 update be available?



    ------------------------------
    De Quan Qu
    ------------------------------



  • 5.  RE: Please update httpd > httpd-2.4.56

    Posted Thu March 23, 2023 05:47 AM

    We will be updating httpd to 2.4.56 in AIX Toolbox in a day or two. 



    ------------------------------
    Ayappan P
    ------------------------------



  • 6.  RE: Please update httpd > httpd-2.4.56

    Posted Fri March 24, 2023 01:21 PM

    Httpd 2.4.56 is now available in AIX Toolbox.

    https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/httpd/httpd-2.4.56-1.aix7.1.ppc.rpm

    You can use dnf to update to this version.



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 7.  RE: Please update httpd > httpd-2.4.56

    Posted Sun March 26, 2023 10:48 PM

    Thanks



    ------------------------------
    De Quan Qu
    ------------------------------



  • 8.  RE: Please update httpd > httpd-2.4.56

    Posted Mon March 27, 2023 03:40 PM

    Thanks for providing this update. When I try to install it using yum ("yum update httpd"), I get this error on some systems:


    https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml: [Errno 14] curl#27 - "SSL: couldn't create a context: error:140A6041:SSL routines:ssl_create_cipher_list:malloc failure"
    Trying other mirror.
    https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc-7.2/repodata/repomd.xml: [Errno 14] curl#27 - "SSL: couldn't create a context: error:140A6041:SSL routines:ssl_create_cipher_list:malloc failure"
    Trying other mirror.
    https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml: [Errno 14] curl#27 - "SSL: couldn't create a context: error:140A6041:SSL routines:ssl_create_cipher_list:malloc failure"
    Trying other mirror.
    Setting up Update Process
    No Packages marked for Update

    These systems are all OS 7200-04-01-1939 running httpd-2.4.55-1.ppc and openssl.base:1.1.2.1202



    ------------------------------
    Lisa Isaly
    ------------------------------



  • 9.  RE: Please update httpd > httpd-2.4.56

    Posted Tue March 28, 2023 09:19 AM

    Try using DNF to install httpd, or smitty install if it is a *.rpm file.






  • 10.  RE: Please update httpd > httpd-2.4.56

    Posted Tue March 28, 2023 12:08 PM

    I worked around the yum issue by using a local yum repository for the systems that gave the malloc error when trying to pull the file down from IBM.



    ------------------------------
    Lisa Isaly
    ------------------------------