#6723: httpd-2.4.16
-------------------------+-----------------------
Reporter: renodr | Owner: bdubbs@…
Type: enhancement | Status: closed
Priority: high | Milestone: 7.8
Component: BOOK | Version: SVN
Severity: normal | Resolution: fixed
Keywords: |
-------------------------+-----------------------
Changes (by fo):
* priority: normal => high
Old description:
> Currency check says that there is a new version, but I am unable to find
> it right now.
New description:
[https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2]
[https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2.asc]
[https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2.md5]
2b19cd338fd526dd5a63c57b1e9bfee2
[https://archive.apache.org/dist/httpd/CHANGES_2.4.16]
{{{
...
}}}
[https://httpd.apache.org/security/vulnerabilities_24.html]
{{{
Fixed in Apache httpd 2.4.16
low: mod_lua: Crash in websockets PING handling CVE-2015-0228
A stack recursion crash in the mod_lua module was found. A Lua
script executing the r:wsupgrade() function could crash the process
if a malicious client sent a carefully crafted PING request. This
issue affected releases 2.4.7 through 2.4.12 inclusive.
Acknowledgements: This issue was reported by Guido Vranken.
Reported to security team: 28th January 2015
Issue public: 4th February 2015
Update Released: 15th July 2015
Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7
low: Crash in ErrorDocument 400 handling CVE-2015-0253
A crash in ErrorDocument handling was found. If ErrorDocument 400
was configured pointing to a local URL-path with the INCLUDES filter
active, a NULL dereference would occur when handling the error,
causing the child process to crash. This issue affected the 2.4.12
release only.
Reported to security team: 3rd February 2015
Issue public: 5th March 2015
Update Released: 15th July 2015
Affects: 2.4.12
low: HTTP request smuggling attack against chunked request parser CVE-2015-3183
An HTTP request smuggling attack was possible due to a bug in
parsing of chunked requests. A malicious client could force the
server to misinterpret the request length, allowing cache poisoning
or credential hijacking if an intermediary proxy is in use.
Acknowledgements: This issue was reported by Régis Leroy.
Reported to security team: 4th April 2015
Issue public: 9th June 2015
Update Released: 15th July 2015
Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.4, 2.4.3,
2.4.2, 2.4.1
low: ap_some_auth_required API unusable CVE-2015-3185
A design error in the "ap_some_auth_required" function renders the
API unusable in httpd 2.4.x. In particular the API is documented as
answering whether the request required authentication, but only answers
whether there are Require lines in the applicable configuration. Since 2.4.x
Require lines are used for authorization as well and can appear in
configurations even when no authentication is required and the
request is entirely unrestricted. This could lead to modules using
this API to allow access when they should otherwise not do so. API
users should use the new ap_some_authn_required API added in 2.4.16
instead.
Acknowledgements: This issue was reported by Ben Reser.
Reported to security team: 5th August 2013
Issue public: 9th June 2015
Update Released: 15th July 2015
Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.5, 2.4.4,
2.4.3, 2.4.2, 2.4.1, 2.4.0
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/6723#comment:4>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
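The CVE-2015-3183 entry above describes a parser that could be made to misinterpret the request length. The decoder below is an added example written for this page, not Apache httpd's code: it treats every non-canonical chunk-size line as an error instead of guessing, so a front-end proxy and the origin can never disagree on where a request ends. The 8-hex-digit cap on the size field is an assumed limit chosen for the example.

```python
import re

# Assumed limit for this example (not httpd's value): cap the chunk-size
# field at 8 hex digits so a declared size can never exceed 32 bits.
MAX_SIZE_DIGITS = 8

# chunk-size = 1*HEXDIG, optionally followed by a chunk-ext of printable
# ASCII. No leading/trailing whitespace, no "0x" prefix, no bare LF.
_SIZE_LINE = re.compile(rb"([0-9a-fA-F]{1,%d})(;[\x21-\x7e]*)?" % MAX_SIZE_DIGITS)


class ChunkedError(ValueError):
    """Raised on any framing that a lenient parser might quietly accept."""


def decode_chunked(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body, rejecting any ambiguity."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedError("chunk-size line not terminated by CRLF")
        line = body[pos:end]
        match = _SIZE_LINE.fullmatch(line)
        if match is None:
            raise ChunkedError(f"malformed chunk-size line: {line!r}")
        size = int(match.group(1), 16)
        pos = end + 2
        if size == 0:
            # last-chunk: permit only the empty trailer and nothing after it
            if body[pos:] != b"\r\n":
                raise ChunkedError("unexpected bytes after last-chunk")
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedError("chunk data shorter than declared size")
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        pos += 2
        out += chunk


def is_canonical(body: bytes) -> bool:
    """True only when the body decodes without any framing complaint."""
    try:
        decode_chunked(body)
    except ChunkedError:
        return False
    return True
```

Constructed inputs such as a leading space before the size, a "0x" prefix, a bare LF line ending, or data following the terminating CRLF are all refused, which is the behaviour a defender wants at every hop that parses the same request.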