An update for httpd is now available for openEuler-20.03-LTS-SP1

Document type: Security Advisory
Contact: openeuler-security@openeuler.org
Issuing authority: openEuler security committee
Advisory ID: openEuler-SA-2023-1230
Status: Final
Version: 1.0
Revision history: 1.0, 2023-04-14, Initial
Initial release date: 2023-04-14
Current release date: 2023-04-14
Generator: openEuler SA Tool V1.0, 2023-04-14

Synopsis: httpd security update

Description: Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on a URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured. (CVE-2019-17567)

Topic: openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Severity: Medium
Affected component: httpd

References:
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1230
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2019-17567
https://nvd.nist.gov/vuln/detail/CVE-2019-17567

Product: openEuler-20.03-LTS-SP1

Packages (aarch64):
mod_md-2.4.43-22.oe1.aarch64.rpm
httpd-debuginfo-2.4.43-22.oe1.aarch64.rpm
httpd-tools-2.4.43-22.oe1.aarch64.rpm
httpd-debugsource-2.4.43-22.oe1.aarch64.rpm
mod_ldap-2.4.43-22.oe1.aarch64.rpm
httpd-devel-2.4.43-22.oe1.aarch64.rpm
mod_ssl-2.4.43-22.oe1.aarch64.rpm
mod_session-2.4.43-22.oe1.aarch64.rpm
mod_proxy_html-2.4.43-22.oe1.aarch64.rpm
httpd-2.4.43-22.oe1.aarch64.rpm

Packages (noarch):
httpd-filesystem-2.4.43-22.oe1.noarch.rpm
httpd-help-2.4.43-22.oe1.noarch.rpm

Packages (src):
httpd-2.4.43-22.oe1.src.rpm

Packages (x86_64):
mod_proxy_html-2.4.43-22.oe1.x86_64.rpm
httpd-devel-2.4.43-22.oe1.x86_64.rpm
httpd-tools-2.4.43-22.oe1.x86_64.rpm
httpd-2.4.43-22.oe1.x86_64.rpm
mod_ssl-2.4.43-22.oe1.x86_64.rpm
httpd-debugsource-2.4.43-22.oe1.x86_64.rpm
mod_md-2.4.43-22.oe1.x86_64.rpm
httpd-debuginfo-2.4.43-22.oe1.x86_64.rpm
mod_ldap-2.4.43-22.oe1.x86_64.rpm
mod_session-2.4.43-22.oe1.x86_64.rpm

Vulnerability: CVE-2019-17567
Vulnerability description: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on a URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
Release date: 2023-04-14
Product: openEuler-20.03-LTS-SP1
Threat: Medium
CVSS base score: 5.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Remediation: httpd security update, 2023-04-14
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1230