-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3896-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 22, 2017 https://www.debian.org/security/faq - -------------------------------------------------------------------------
Package : apache2 CVE ID : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668 CVE-2017-7679 Several vulnerabilities have been found in the Apache HTTPD server. CVE-2017-3167 Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. CVE-2017-3169 Vasileios Panopoulos of AdNovum Informatik AG discovered that mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port leading to a denial of service. CVE-2017-7659 Robert Swiecki reported that a specially crafted HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process. CVE-2017-7668 Javier Jimenez reported that the HTTP strict parsing contains a flaw leading to a buffer overread in ap_find_token(). A remote attacker can take advantage of this flaw by carefully crafting a sequence of request headers to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. CVE-2017-7679 ChenQin and Hanno Boeck reported that mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. For the oldstable distribution (jessie), these problems have been fixed in version 2.4.10-10+deb8u9. The oldstable distribution (jessie) is not affected by CVE-2017-7659. For the stable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u1. For the unstable distribution (sid), these problems have been fixed in version 2.4.25-4. We recommend that you upgrade your apache2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAllMG3FfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0TeKRAAhVlS+pLGQzuA55qQUEWCi1I1r/BI4uZhA1+2lhH63o0yfkx7bmKLHGy/ TEQeBxY9MW6l/wVH3fuJinfnl72T3Q9MKuGgB9dFW+5j0G4EsX2Si4iHo49vcOOx o2jXCcZa3N08EOlIzjHAc1Ll7QXhGD4Oz0jHhtRY6Ah3L4Cp263Ntui+SajjBko7 GtlPS2wa60xKbUMLFyBJjZxtZDHR/dqrwD4WNoEYCgQonSpZ9O2QZ4lcYmrQ2tTc /sELhjDNQqgjYXG5PFS+1X0vfTMmLJpbG9/U6pbu6jP3PF/1zvvXnS8rZTCNA2WT 3BathHrPESOrFo2nSPSg4G9ZgQ9hw0q2ftXilWgXH7LV/ta2ZW4cf6qtxbQrKZH3 l+OukeZLn5F5EJRzQGrmKmzBA4IQKKlwOsvGGLr81yHPskEePTNZCoymsJm5Uj5u NfSdc40S/wEVnJlUroJDsqujY/2CekrKw6ppy0saLoTzhnjmBYWmzl71Bd7ZbkHh LtjmEjiAx7Aj9a3KGa9cnFk2oynDGUYKe1qY9lEP7iCDS8hCnkBYqkZ/w6MrahjL 0BfGCeLc3APdd/O4FDsfGhC9JL660OfYdvF4EcGT/o80xPmI7Gs2lVPaR+v+PilN d9lqVxm2xXzaZ+bYEHd7MR0cfc3emeDLJGQonTe5MV9qkETdNy4= =i4iT -----END PGP SIGNATURE-----