SB2025082709 - Anolis OS update for httpd

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) HTTP response splitting (CVE-ID: CVE-2024-42516)

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not correctly process CRLF character sequences. A remote attacker with ability to manipulate the Content-Type response headers of applications hosted or proxied by the server can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.

Note, this vulnerability exists due a missing fix for #VU88151 (CVE-2023-38709).

2) HTTP response splitting (CVE-ID: CVE-2023-38709)

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not correctly process CRLF character sequences. A malicious or exploitable backend/content generators can send specially crafted response containing CRLF sequence and make the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.

3) Cryptographic issues (CVE-ID: CVE-2025-49812)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to he way certain mod_ssl configurations handle TLS upgrades. A remote attacker can launch an HTTP desynchronisation attack, which allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Note, only configurations using "SSLEngine optional" to enable TLS upgrades are affected.

Remediation

Install update from vendor's website.

References

• https://anas.openanolis.cn/errata/detail/ANSA-2025:0586