1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3896-1] apache2 security update

    From Salvatore Bonaccorso@1:229/2 to All on Thu Jun 22 21:50:02 2017
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3896-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso
    June 22, 2017 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : apache2
    CVE ID : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
    CVE-2017-7679

    Several vulnerabilities have been found in the Apache HTTPD server.

    CVE-2017-3167

    Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by
    third-party modules outside of the authentication phase may lead to
    authentication requirements being bypassed.

    CVE-2017-3169

    Vasileios Panopoulos of AdNovum Informatik AG discovered that
    mod_ssl may dereference a NULL pointer when third-party modules call
    ap_hook_process_connection() during an HTTP request to an HTTPS port
    leading to a denial of service.

    CVE-2017-7659

    Robert Swiecki reported that a specially crafted HTTP/2 request
    could cause mod_http2 to dereference a NULL pointer and crash the
    server process.

    CVE-2017-7668

    Javier Jimenez reported that the HTTP strict parsing contains a
    flaw leading to a buffer overread in ap_find_token(). A remote
    attacker can take advantage of this flaw by carefully crafting a
    sequence of request headers to cause a segmentation fault, or to
    force ap_find_token() to return an incorrect value.

    CVE-2017-7679

    ChenQin and Hanno Boeck reported that mod_mime can read one byte
    past the end of a buffer when sending a malicious Content-Type
    response header.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 2.4.10-10+deb8u9. The oldstable distribution (jessie) is not affected by CVE-2017-7659.

    For the stable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u1.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.4.25-4.

    We recommend that you upgrade your apache2 packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAllMG3FfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0TeKRAAhVlS+pLGQzuA55qQUEWCi1I1r/BI4uZhA1+2lhH63o0yfkx7bmKLHGy/ TEQeBxY9MW6l/wVH3fuJinfnl72T3Q9MKuGgB9dFW+5j0G4EsX2Si4iHo49vcOOx o2jXCcZa3N08EOlIzjHAc1Ll7QXhGD4Oz0jHhtRY6Ah3L4Cp263Ntui+SajjBko7 GtlPS2wa60xKbUMLFyBJjZxtZDHR/dqrwD4WNoEYCgQonSpZ9O2QZ4lcYmrQ2tTc /sELhjDNQqgjYXG5PFS+1X0vfTMmLJpbG9/U6pbu6jP3PF/1zvvXnS8rZTCNA2WT 3BathHrPESOrFo2nSPSg4G9ZgQ9hw0q2ftXilWgXH7LV/ta2ZW4cf6qtxbQrKZH3 l+OukeZLn5F5EJRzQGrmKmzBA4IQKKlwOsvGGLr81yHPskEePTNZCoymsJm5Uj5u NfSdc40S/wEVnJlUroJDsqujY/2CekrKw6ppy0saLoTzhnjmBYWmzl71Bd7ZbkHh LtjmEjiAx7Aj9a3KGa9cnFk2oynDGUYKe1qY9lEP7iCDS8hCnkBYqkZ/w6MrahjL 0BfGCeLc3APdd/O4FDsfGhC9JL660OfYdvF4EcGT/o80xPmI7Gs2lVPaR+v+PilN d9lqVxm2xXzaZ+bYEHd7MR0cfc3emeDLJGQonTe5MV9qkETdNy4=
    =i4iT
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)