ALAS-2021-1514


Amazon Linux AMI Security Advisory: ALAS-2021-1514
Advisory Release Date: 2021-07-08 18:38 Pacific
Advisory Updated Date: 2021-07-12 21:50 Pacific
Severity: Medium

Issue Overview:

A flaw was found in Apache httpd. The mod_proxy_wstunnel module tunnels non-upgraded connections. (CVE-2019-17567)

A flaw was found in HTTPd. In some Apache HTTP Server versions, unprivileged local users can stop HTTPd on Windows. The highest threat from this vulnerability is to system availability. (CVE-2020-13938)

A flaw was found In Apache httpd. The mod_proxy has a NULL pointer dereference. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-13950)

A flaw was found in Apache httpd. The mod_auth_digest has a single zero byte stack overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-35452)

A NULL pointer dereference was found in Apache httpd mod_session. The highest threat from this vulnerability is to system availability. (CVE-2021-26690)

A heap overflow flaw was found In Apache httpd mod_session. The highest threat from this vulnerability is to system availability. (CVE-2021-26691)

A flaw was found in Apache httpd. A possible regression from an earlier security fix broke behavior of MergeSlashes. The highest threat from this vulnerability is to data integrity. (CVE-2021-30641)


Affected Packages:

httpd24


Issue Correction:
Run yum update httpd24 to update your system.

New Packages:
i686:
    mod24_session-2.4.48-1.92.amzn1.i686
    mod24_ssl-2.4.48-1.92.amzn1.i686
    mod24_proxy_html-2.4.48-1.92.amzn1.i686
    mod24_md-2.4.48-1.92.amzn1.i686
    httpd24-devel-2.4.48-1.92.amzn1.i686
    httpd24-2.4.48-1.92.amzn1.i686
    httpd24-tools-2.4.48-1.92.amzn1.i686
    httpd24-debuginfo-2.4.48-1.92.amzn1.i686
    mod24_ldap-2.4.48-1.92.amzn1.i686

noarch:
    httpd24-manual-2.4.48-1.92.amzn1.noarch

src:
    httpd24-2.4.48-1.92.amzn1.src

x86_64:
    mod24_proxy_html-2.4.48-1.92.amzn1.x86_64
    mod24_ldap-2.4.48-1.92.amzn1.x86_64
    httpd24-devel-2.4.48-1.92.amzn1.x86_64
    httpd24-2.4.48-1.92.amzn1.x86_64
    httpd24-tools-2.4.48-1.92.amzn1.x86_64
    httpd24-debuginfo-2.4.48-1.92.amzn1.x86_64
    mod24_md-2.4.48-1.92.amzn1.x86_64
    mod24_session-2.4.48-1.92.amzn1.x86_64
    mod24_ssl-2.4.48-1.92.amzn1.x86_64