MGASA-2024-0118 - Updated apache packages fix security vulnerabilities

Publication date: 10 Apr 2024
URL: https://advisories.mageia.org/MGASA-2024-0118.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-27316,
     CVE-2024-24795,
     CVE-2023-38709

Apache has been updated to version 2.4.59 to fix CVE-2024-27316,
CVE-2024-24795 and CVE-2023-38709.
CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on
endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily buffered in
nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
Credits: Bartek Nowotarski (https://nowotarski.info/)
CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple
modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP Server allows
an attacker that can inject malicious response
headers into backend applications to cause an HTTP desynchronization
attack.
Users are recommended to upgrade to version 2.4.59, which fixes this
issue.
Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory.
CVE-2023-38709: Apache HTTP Server: HTTP response splitting
(cve.mitre.org)
Faulty input validation in the core of Apache allows malicious or
exploitable backend/content generators to split HTTP responses.
This issue affects Apache HTTP Server: through 2.4.58.
Credits: Orange Tsai (@orange_8361) from DEVCORE

References:
- https://bugs.mageia.org/show_bug.cgi?id=33059
- https://www.openwall.com/lists/oss-security/2024/04/03/16
- https://nowotarski.info/http2-continuation-flood/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709

SRPMS:
- 9/core/apache-2.4.59-1.mga9

Mageia 2024-0118: apache security update

Apache has been updated to version 2.4.59 to fix CVE-2024-27316, CVE-2024-24795 and CVE-2023-38709

Summary

Apache has been updated to version 2.4.59 to fix CVE-2024-27316, CVE-2024-24795 and CVE-2023-38709. CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (cve.mitre.org) HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Credits: Bartek Nowotarski (https://nowotarski.info/) CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (cve.mitre.org) HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory. CVE-2023-38709: Apache HTTP Server: HTTP response splitting (cve.mitre.org) Faul...

References

- https://bugs.mageia.org/show_bug.cgi?id=33059

- https://www.openwall.com/lists/oss-security/2024/04/03/16

- https://nowotarski.info/http2-continuation-flood/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709

Resolution

MGASA-2024-0118 - Updated apache packages fix security vulnerabilities

SRPMS

- 9/core/apache-2.4.59-1.mga9

Severity
Publication date: 10 Apr 2024
URL: https://advisories.mageia.org/MGASA-2024-0118.html
Type: security
CVE: CVE-2024-27316, CVE-2024-24795, CVE-2023-38709

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved