ALAS-2021-1514

Amazon Linux 1 Security Advisory: ALAS-2021-1514
Advisory Release Date: 2021-07-08 18:38 Pacific
Advisory Updated Date: 2021-07-12 21:50 Pacific

Severity: Medium

References: CVE-2019-17567 CVE-2020-13938 CVE-2020-13950 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in Apache httpd. The mod_proxy_wstunnel module tunnels non-upgraded connections. (CVE-2019-17567)

A flaw was found in HTTPd. In some Apache HTTP Server versions, unprivileged local users can stop HTTPd on Windows. The highest threat from this vulnerability is to system availability. (CVE-2020-13938)

A flaw was found In Apache httpd. The mod_proxy has a NULL pointer dereference. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-13950)

A flaw was found in Apache httpd. The mod_auth_digest has a single zero byte stack overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-35452)

A NULL pointer dereference was found in Apache httpd mod_session. The highest threat from this vulnerability is to system availability. (CVE-2021-26690)

A heap overflow flaw was found In Apache httpd mod_session. The highest threat from this vulnerability is to system availability. (CVE-2021-26691)

A flaw was found in Apache httpd. A possible regression from an earlier security fix broke behavior of MergeSlashes. The highest threat from this vulnerability is to data integrity. (CVE-2021-30641)

Affected Packages:

httpd24

Issue Correction:
Run yum update httpd24 to update your system.

New Packages:

i686:
    mod24_session-2.4.48-1.92.amzn1.i686
    mod24_ssl-2.4.48-1.92.amzn1.i686
    mod24_proxy_html-2.4.48-1.92.amzn1.i686
    mod24_md-2.4.48-1.92.amzn1.i686
    httpd24-devel-2.4.48-1.92.amzn1.i686
    httpd24-2.4.48-1.92.amzn1.i686
    httpd24-tools-2.4.48-1.92.amzn1.i686
    httpd24-debuginfo-2.4.48-1.92.amzn1.i686
    mod24_ldap-2.4.48-1.92.amzn1.i686

noarch:
    httpd24-manual-2.4.48-1.92.amzn1.noarch

src:
    httpd24-2.4.48-1.92.amzn1.src

x86_64:
    mod24_proxy_html-2.4.48-1.92.amzn1.x86_64
    mod24_ldap-2.4.48-1.92.amzn1.x86_64
    httpd24-devel-2.4.48-1.92.amzn1.x86_64
    httpd24-2.4.48-1.92.amzn1.x86_64
    httpd24-tools-2.4.48-1.92.amzn1.x86_64
    httpd24-debuginfo-2.4.48-1.92.amzn1.x86_64
    mod24_md-2.4.48-1.92.amzn1.x86_64
    mod24_session-2.4.48-1.92.amzn1.x86_64
    mod24_ssl-2.4.48-1.92.amzn1.x86_64

Additional References

Red Hat: CVE-2019-17567, CVE-2020-13938, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641

Mitre: CVE-2019-17567, CVE-2020-13938, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641