[users@httpd] CVE-2017-7679: mod_mime buffer overread

2017-06-19 Thread Jacob Champion

CVE-2017-7679: mod_mime buffer overread

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank ChenQin and
Hanno Böck for reporting this issue.

References:
https://httpd.apache.org/security_report.html

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



[users@httpd] CVE-2017-3169: mod_ssl null pointer dereference

2017-06-19 Thread Jacob Champion

CVE-2017-3169: mod_ssl null pointer dereference

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank Vasileios
Panopoulos and AdNovum Informatik AG for reporting this issue.

References:
https://httpd.apache.org/security_report.html




[users@httpd] CVE-2017-7668: ap_find_token buffer overread

2017-06-19 Thread Jacob Champion

CVE-2017-7668: ap_find_token buffer overread

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.32
httpd 2.4.24 (unreleased)
httpd 2.4.25

Description:
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.

Mitigation:
2.2.32 users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.25 users should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank Javier Jiménez
(javij...@gmail.com) for reporting this issue.

References:
https://httpd.apache.org/security_report.html


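Added example, not taken from the advisories above and not httpd's code: CVE-2017-7679 (mod_mime reading one byte past a Content-Type buffer) and CVE-2017-7668 (ap_find_token() searching past the end of its input) are the same class of defect, a header scanner whose loop is bounded by a delimiter or NUL the input may not contain. The bounded token-list search below shows the discipline that prevents it: the caller passes an explicit length, and every loop tests the end pointer before touching a byte, so a buffer with no trailing NUL or comma is still scanned safely. find_token(), is_tchar() and eq_ci() are this example's own names; nothing here reproduces httpd's actual ap_find_token() logic or the bug in it.

```c
/* Bounded search for a token in a comma-separated HTTP header list,
 * e.g.  Connection: keep-alive, Upgrade
 * Illustration written for this page; not httpd's ap_find_token() and
 * not a reproduction of the CVE-2017-7668 bug.  The property shown is
 * that len is the only bound and is never exceeded. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* RFC 7230 tchar; NUL is never a token character. */
static int is_tchar(unsigned char c) {
    return c != 0 && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

/* Case-insensitive compare of exactly n bytes (both sides known to be >= n). */
static int eq_ci(const char *a, const char *b, size_t n) {
    size_t i;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Returns 1 if tok is a complete (case-insensitive) element of the list in
 * line[0..len), 0 if it is absent, -1 if the list is malformed.  line need
 * not be NUL-terminated: len is the only bound and no byte past it is read. */
int find_token(const char *line, size_t len, const char *tok) {
    const char *p = line, *end = line + len;
    size_t toklen = strlen(tok);

    while (p < end) {
        /* skip optional whitespace and empty elements ("a,, b" is legal) */
        while (p < end && (*p == ' ' || *p == '\t' || *p == ','))
            p++;
        if (p == end)
            break;

        /* scan one token, stopping at end even if no delimiter follows */
        const char *start = p;
        while (p < end && is_tchar((unsigned char)*p))
            p++;
        size_t n = (size_t)(p - start);

        /* only whitespace may sit between a token and the next comma */
        while (p < end && *p != ',') {
            if (*p != ' ' && *p != '\t')
                return -1;              /* malformed: refuse rather than guess */
            p++;
        }
        if (n == toklen && eq_ci(start, tok, n))
            return 1;
    }
    return 0;
}

/* Stand-alone check on a constructed buffer that deliberately has no
 * terminating NUL; a strlen()- or strchr()-driven scanner would overrun it. */
int main(void) {
    char raw[] = {'k','e','e','p','-','a','l','i','v','e',',',' ',
                  'U','p','g','r','a','d','e'};
    return find_token(raw, sizeof raw, "upgrade") == 1 ? 0 : 1;
}
```

The -1 result lets a caller tell "token absent" from "list is garbage", which matters for headers such as Connection where a mis-parse changes framing decisions; the advisory's point that ap_find_token() could also "return an incorrect value" is the same concern.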


[users@httpd] CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

2017-06-19 Thread Jacob Champion

CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Third-party module writers SHOULD use ap_get_basic_auth_components(),
available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the
authentication phase MUST either immediately authenticate the user after
the call, or else stop the request immediately with an error response,
to avoid incorrectly authenticating the current request.

Credit:
The Apache HTTP Server security team would like to thank Emmanuel
Dreyfus for reporting this issue.

References:
https://httpd.apache.org/security_report.html


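Added example of the pattern the CVE-2017-3167 advisory asks of module writers; it is not part of the advisory and not httpd code. The function names, the strict base64 decoder and the demo credential store are this example's own assumptions. What it mirrors from ap_get_basic_auth_components() is the shape of the API: the parser only hands back the two components and records nothing on any request object, so parsing credentials can never by itself make the request look authenticated. The check function then does what the advisory requires of an authentication-phase hook, deciding the request immediately after the credentials are read.

```c
/* Extract HTTP Basic credentials and decide the request in one place.
 * Illustration written for this page, not httpd code; names, decoder and
 * the demo credential store are assumptions of this example. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define HTTP_OK           200
#define HTTP_UNAUTHORIZED 401

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strict base64: length a multiple of 4, no whitespace, '=' only at the end.
 * Returns the decoded byte count, or -1 on malformed input or overflow. */
static int b64_decode(const char *in, unsigned char *out, size_t outsz) {
    size_t n = strlen(in), i, o = 0;
    unsigned v = 0;
    int bits = 0, d;
    if (n % 4 != 0) return -1;
    for (i = 0; i < n; i++) {
        if (in[i] == '=') {
            if (i < n - 2 || (i == n - 2 && in[n - 1] != '=')) return -1;
            break;
        }
        if ((d = b64val(in[i])) < 0) return -1;
        v = (v << 6) | (unsigned)d;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outsz) return -1;
            out[o++] = (unsigned char)((v >> bits) & 0xff);
        }
    }
    return (int)o;
}

/* Split "Basic <base64(user:password)>" into user and pw.  Returns 0 on
 * success; -1 if the header is absent, not Basic, undecodable, lacks ':',
 * has an empty user or an embedded NUL, or does not fit the buffers.
 * Deliberately touches no request state: the caller decides the outcome. */
int basic_auth_components(const char *authz, char *user, size_t usz,
                          char *pw, size_t psz) {
    unsigned char buf[256], *colon;
    size_t i, ulen, plen;
    int n;
    if (authz == NULL) return -1;
    for (i = 0; i < 5; i++)             /* scheme name is case-insensitive */
        if (tolower((unsigned char)authz[i]) != "basic"[i]) return -1;
    if (authz[5] != ' ') return -1;
    for (authz += 5; *authz == ' '; authz++) ;
    n = b64_decode(authz, buf, sizeof buf);
    if (n <= 0 || memchr(buf, 0, (size_t)n) != NULL) return -1;
    colon = memchr(buf, ':', (size_t)n);
    if (colon == NULL) return -1;
    ulen = (size_t)(colon - buf);
    plen = (size_t)n - ulen - 1;
    if (ulen == 0 || ulen >= usz || plen >= psz) return -1;
    memcpy(user, buf, ulen);      user[ulen] = '\0';
    memcpy(pw, colon + 1, plen);  pw[plen] = '\0';
    return 0;
}

/* Equality that does not exit early on the first differing byte. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char d = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Constructed credential store for the example (assumption). */
static const char DEMO_USER[] = "user", DEMO_PW[] = "pass";

/* The advisory's rule as code: once credentials are read in the
 * authentication phase the request is authenticated here or refused here.
 * No path reads the credentials and then returns without a decision. */
int check_basic_auth(const char *authz) {
    char user[64], pw[64];
    if (basic_auth_components(authz, user, sizeof user, pw, sizeof pw) != 0)
        return HTTP_UNAUTHORIZED;   /* absent or malformed: refuse now */
    if (ct_equal(user, DEMO_USER) && ct_equal(pw, DEMO_PW))
        return HTTP_OK;             /* authenticated now */
    return HTTP_UNAUTHORIZED;       /* wrong credentials: refuse now */
}

/* Parses authz and reports whether it yields exactly the expected parts. */
int components_ok(const char *authz, const char *exp_user, const char *exp_pw) {
    char user[64], pw[64];
    return basic_auth_components(authz, user, sizeof user, pw, sizeof pw) == 0
        && strcmp(user, exp_user) == 0 && strcmp(pw, exp_pw) == 0;
}
```

The sample credentials "Basic dXNlcjpwYXNz" (user:pass) and "Basic dXNlcjp3cm9uZw==" (user:wrong) are constructed for the example. A module that needs the credentials outside the authentication phase, for logging or routing, should call the components function only and never set a user on the request; that is the separation the advisory's recommendation of ap_get_basic_auth_components() over ap_get_basic_auth_pw() provides.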


RE: [users@httpd] Building httpd2.4.25 on powerpc-ibm-aix7.1.0.0

2017-06-19 Thread Joseph, Anselm
Hi Eric et al.,
I built apache and I am able to successfully reach the url from Firefox: "It works".

However, when I run ./davautocheck.sh from ~/ci/subversion/subversion/tests/cmdline, it finds apxs but generates this error:

davautocheck.sh: Using '~/ci/httpd-2.4.25/apache/bin/apxs'...
Use of uninitialized value in concatenation (.) or string at ~/ci/httpd-2.4.25/apache/bin/apxs line 222.
Use of uninitialized value in concatenation (.) or string at ~/ci/httpd-2.4.25/apache/bin/apxs line 222.
Use of uninitialized value in concatenation (.) or string at ~/ci/httpd-2.4.25/apache/bin/apxs line 222.
davautocheck.sh: HTTPD '~/ci/httpd-2.4.25/apache/bin/httpd' doesn't start properly
HTTPD stopped.

Any idea what's wrong with the built-in apxs? (PS. There are other issues with the subversion build but I am not sure if they are related to this error)

Thank you in advance for your insights.
-Original Message-
From: Eric Covener [mailto:cove...@gmail.com] 
Sent: Thursday, June 08, 2017 5:00 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Building httpd2.4.25 on powerpc-ibm-aix7.1.0.0


On Thu, Jun 8, 2017 at 4:49 PM, Joseph, Anselm  wrote:
> Do you know how I can install the module mod_dav_svn.so? It is missing and 
> causing an error in my subversion build.

I thought it was part of the subversion build.



[users@httpd] check_forensic script on Red Hat?

2017-06-19 Thread Rose, John B
Does check_forensic still exist?

I am not finding it.


[users@httpd] CVE-2017-7659: mod_http2 null pointer dereference

2017-06-19 Thread Jim Jagielski
CVE-2017-7659: mod_http2 null pointer dereference 

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.24 (unreleased)
httpd 2.4.25

Description:
A maliciously constructed HTTP/2 request could cause mod_http2 to
dereference a NULL pointer and crash the server process.

Mitigation:
2.4.25 users of mod_http2 should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html





[users@httpd] [ANNOUNCE] Apache HTTP Server 2.4.26 Released

2017-06-19 Thread Jim Jagielski
Apache HTTP Server 2.4.26 Released

   June 19, 2017

   The Apache Software Foundation and the Apache HTTP Server Project
   are pleased to announce the release of version 2.4.26 of the Apache
   HTTP Server ("Apache").  This version of Apache is our latest GA
   release of the new generation 2.4.x branch of Apache HTTPD and
   represents fifteen years of innovation by the project, and is
   recommended over all previous releases. This release of Apache is
   a security, feature, and bug fix release.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.4.26 is available for download from:

 http://httpd.apache.org/download.cgi

   Apache 2.4 offers numerous enhancements, improvements, and performance
   boosts over the 2.2 codebase.  For an overview of new features
   introduced since 2.4 please see:

 http://httpd.apache.org/docs/trunk/new_features_2_4.html

   Please see the CHANGES_2.4 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.4.26 includes only
   those changes introduced since the prior 2.4 release.  A summary of all 
   of the security vulnerabilities addressed in this and earlier releases 
   is available:

 http://httpd.apache.org/security/vulnerabilities_24.html

   This release requires the Apache Portable Runtime (APR), minimum
   version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
   require the 1.6.x version of both APR and APR-Util. The APR libraries
   must be upgraded for all features of httpd to operate correctly.

   This release builds on and extends the Apache 2.2 API.  Modules written
   for Apache 2.2 will need to be recompiled in order to run with Apache
   2.4, and require minimal or no source code changes.

 http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.

   Please note that Apache Web Server Project will only provide maintenance
   releases of the 2.2.x flavor through June of 2017, and will provide some
   security patches beyond this date through at least December of 2017.
   Minimal maintenance patches of 2.2.x are expected throughout this period,
   and users are strongly encouraged to promptly complete their transitions
   to the 2.4.x flavor of httpd to benefit from a much larger assortment
   of minor security and bug fixes as well as new features.

