ALAS-2024-607

Amazon Linux 2023 Security Advisory: ALAS-2024-607
Advisory Release Date: 2024-04-25 16:40 Pacific
Advisory Updated Date: 2024-04-25 16:40 Pacific

Severity: Medium

References: CVE-2023-38709 CVE-2024-24795
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.

This issue affects Apache HTTP Server: through 2.4.58. (CVE-2023-38709)

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

Users are recommended to upgrade to version 2.4.59, which fixes this issue. (CVE-2024-24795)

Affected Packages:

httpd

Issue Correction:
Run dnf update httpd --releasever 2023.4.20240429 to update your system.

New Packages:

aarch64:
    mod_session-2.4.59-2.amzn2023.aarch64
    httpd-tools-2.4.59-2.amzn2023.aarch64
    httpd-tools-debuginfo-2.4.59-2.amzn2023.aarch64
    mod_session-debuginfo-2.4.59-2.amzn2023.aarch64
    mod_lua-debuginfo-2.4.59-2.amzn2023.aarch64
    mod_lua-2.4.59-2.amzn2023.aarch64
    mod_proxy_html-debuginfo-2.4.59-2.amzn2023.aarch64
    httpd-devel-2.4.59-2.amzn2023.aarch64
    mod_ldap-debuginfo-2.4.59-2.amzn2023.aarch64
    httpd-debuginfo-2.4.59-2.amzn2023.aarch64
    mod_proxy_html-2.4.59-2.amzn2023.aarch64
    httpd-2.4.59-2.amzn2023.aarch64
    mod_ssl-2.4.59-2.amzn2023.aarch64
    mod_ldap-2.4.59-2.amzn2023.aarch64
    httpd-core-2.4.59-2.amzn2023.aarch64
    httpd-core-debuginfo-2.4.59-2.amzn2023.aarch64
    mod_ssl-debuginfo-2.4.59-2.amzn2023.aarch64
    httpd-debugsource-2.4.59-2.amzn2023.aarch64

noarch:
    httpd-filesystem-2.4.59-2.amzn2023.noarch
    httpd-manual-2.4.59-2.amzn2023.noarch

src:
    httpd-2.4.59-2.amzn2023.src

x86_64:
    httpd-debugsource-2.4.59-2.amzn2023.x86_64
    mod_proxy_html-2.4.59-2.amzn2023.x86_64
    httpd-tools-2.4.59-2.amzn2023.x86_64
    mod_ssl-2.4.59-2.amzn2023.x86_64
    mod_lua-2.4.59-2.amzn2023.x86_64
    httpd-tools-debuginfo-2.4.59-2.amzn2023.x86_64
    httpd-debuginfo-2.4.59-2.amzn2023.x86_64
    mod_lua-debuginfo-2.4.59-2.amzn2023.x86_64
    mod_ssl-debuginfo-2.4.59-2.amzn2023.x86_64
    mod_ldap-2.4.59-2.amzn2023.x86_64
    httpd-devel-2.4.59-2.amzn2023.x86_64
    mod_session-2.4.59-2.amzn2023.x86_64
    mod_proxy_html-debuginfo-2.4.59-2.amzn2023.x86_64
    mod_session-debuginfo-2.4.59-2.amzn2023.x86_64
    mod_ldap-debuginfo-2.4.59-2.amzn2023.x86_64
    httpd-2.4.59-2.amzn2023.x86_64
    httpd-core-debuginfo-2.4.59-2.amzn2023.x86_64
    httpd-core-2.4.59-2.amzn2023.x86_64

Additional References

Red Hat: CVE-2023-38709, CVE-2024-24795

Mitre: CVE-2023-38709, CVE-2024-24795

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2024-607

Additional References