Tuesday, November 23, 2021

Oracle Linux: (CVE-2021-20325) ELSA-2021-4537: httpd:2.4 security update

Description
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From ELSA-2021-4537:

httpd

[2.4.37-43.0.1]
- Set vstring per ORACLE_SUPPORT_PRODUCT [Orabug: 29892262]
- Replace index.html with Oracle's index page oracle_index.html.

[2.4.37-43]
- Related: #2007235 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via a crafted request uri-path

[2.4.37-42]
- Resolves: #2007235 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via a crafted request uri-path
- Resolves: #2014063 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in mod_session

[2.4.37-41]
- Resolves: #1680111 - httpd sends reply to HTTPS GET using two TLS records
- Resolves: #1905613 - mod_ssl does not like valid certificate chain
- Resolves: #1935742 - [RFE] backport samesite/httponly/secure flags for usertrack
- Resolves: #1972500 - CVE-2021-30641 httpd:2.4/httpd: MergeSlashes regression
- Resolves: #1968307 - CVE-2021-26690 httpd:2.4/httpd: mod_session NULL pointer dereference in parser
- Resolves: #1934741 - Apache trademark update - new logo

[2.4.37-40]
- Resolves: #1952557 - mod_proxy_wstunnel.html is a malformed XML
- Resolves: #1937334 - SSLProtocol with based virtual hosts

mod_http2

[1.15.7-3]
- Resolves: #1869077 - CVE-2020-11993 httpd:2.4/mod_http2: httpd: mod_http2 concurrent pool usage

mod_md

[1:2.0.8-8]
- Resolves: #1832844 - mod_md does not work with ACME server that does not provide keyChange or revokeCert resources

Solution(s)
  • oracle-linux-upgrade-httpd
  • oracle-linux-upgrade-httpd-devel
  • oracle-linux-upgrade-httpd-filesystem
  • oracle-linux-upgrade-httpd-manual
  • oracle-linux-upgrade-httpd-tools
  • oracle-linux-upgrade-mod_http2
  • oracle-linux-upgrade-mod_ldap
  • oracle-linux-upgrade-mod_md
  • oracle-linux-upgrade-mod_proxy_html
  • oracle-linux-upgrade-mod_session
  • oracle-linux-upgrade-mod_ssl


References
  • ELSA-2021-4537
  • CVE-2021-20325





    Copyright © 2021 Vulnerability Database | Cyber Details™
