Ubuntu Security Notice 3373-1 - Emmanuel Dreyfus discovered that third-party modules using the ap_get_basic_auth_pw function outside of the authentication phase may lead to authentication requirements being bypassed. This update adds a new ap_get_basic_auth_components function for use by third-party modules. Vasileios Panopoulos discovered that the Apache mod_ssl module may crash when third-party modules call ap_hook_process_connection during an HTTP request to an HTTPS port. Various other issues were also addressed.
4a9a5dea68311374e8d780883cdb344eae2007b3b5ebe311aa079e3e743f2f21==========================================================================
Ubuntu Security Notice USN-3373-1
July 31, 2017
apache2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in Apache HTTP Server.
Software Description:
- apache2: Apache HTTP server
Details:
Emmanuel Dreyfus discovered that third-party modules using the
ap_get_basic_auth_pw() function outside of the authentication phase may
lead to authentication requirements being bypassed. This update adds a
new ap_get_basic_auth_components() function for use by third-party
modules. (CVE-2017-3167)
Vasileios Panopoulos discovered that the Apache mod_ssl module may
crash when third-party modules call ap_hook_process_connection() during
an HTTP request to an HTTPS port. (CVE-2017-3169)
Javier JimA(c)nez discovered that the Apache HTTP Server incorrectly
handled parsing certain requests. A remote attacker could possibly use
this issue to cause the Apache HTTP Server to crash, resulting in a
denial of service. (CVE-2017-7668)
ChenQin and Hanno BAPck discovered that the Apache mod_mime module
incorrectly handled certain Content-Type response headers. A remote
attacker could possibly use this issue to cause the Apache HTTP Server
to crash, resulting in a denial of service. (CVE-2017-7679)
David Dennerline and RA(c)gis Leroy discovered that the Apache HTTP Server
incorrectly handled unusual whitespace when parsing requests, contrary
to specifications. When being used in combination with a proxy or
backend server, a remote attacker could possibly use this issue to
perform an injection attack and pollute cache. This update may
introduce compatibility issues with clients that do not strictly follow
HTTP protocol specifications. A new configuration option
"HttpProtocolOptions Unsafe" can be used to revert to the previous
unsafe behaviour in problematic environments. (CVE-2016-8743)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
A apache2.2-binA A A A A A A A A A A A A A A A A A A 2.2.22-1ubuntu1.12
In general, a standard system update will make all the necessary
changes.
References:
A https://www.ubuntu.com/usn/usn-3373-1
A CVE-2016-8743, CVE-2017-3167, CVE-2017-3169, CVE-2017-7668,
A CVE-2017-7679
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed