Category Archives: Advisories

USN-6885-1: Apache HTTP Server vulnerabilities

Read Time:1 Minute, 12 Second

Marc Stern discovered that the Apache HTTP Server incorrectly handled
serving WebSocket protocol upgrades over HTTP/2 connections. A remote
attacker could possibly use this issue to cause the server to crash,
resulting in a denial of service. (CVE-2024-36387)

Orange Tsai discovered that the Apache HTTP Server mod_proxy module
incorrectly sent certain request URLs with incorrect encodings to backends.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2024-38473)

Orange Tsai discovered that the Apache HTTP Server mod_rewrite module
incorrectly handled certain substitutions. A remote attacker could possibly
use this issue to execute scripts in directories not directly reachable
by any URL, or cause a denial of service. Some environments may require
using the new UnsafeAllow3F flag to handle unsafe substitutions.
(CVE-2024-38474, CVE-2024-38475, CVE-2024-39573)

Orange Tsai discovered that the Apache HTTP Server incorrectly handled
certain response headers. A remote attacker could possibly use this issue
to obtain sensitive information, execute local scripts, or perform SSRF
attacks. (CVE-2024-38476)

Orange Tsai discovered that the Apache HTTP Server mod_proxy module
incorrectly handled certain requests. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
(CVE-2024-38477)

It was discovered that the Apache HTTP Server incorrectly handled certain
handlers configured via AddType. A remote attacker could possibly use this
issue to obtain source code. (CVE-2024-39884)

Read More

krb5-1.21.2-6.fc41

Read Time:22 Second

FEDORA-2024-36514cd080

Packages in this update:

krb5-1.21.2-6.fc41

Update description:

Automatic update for krb5-1.21.2-6.fc41.

Changelog

* Mon Jul 8 2024 Julien Rische <jrische@redhat.com> – 1.21.2-6
– CVE-2024-37370 CVE-2024-37371: GSS message token handling
Resolves: rhbz#2294678 rhbz#2294680
– Fix double free in klist’s show_ccache()
Resolves: rhbz#2257301
– Do not include files with “~” termination in krb5-tests

Read More