Gentoo: GLSA-201701-36: Apache: Multiple vulnerabilities
Summary
Multiple vulnerabilities have been discovered in Apache. Please review the CVE identifiers, upstream Apache Software Foundation documentation, and HTTPoxy website referenced below for details.
Resolution
All Apache users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.25"
References
[ 1 ] Apache Software Foundation Projects and "httpoxy" CERT VU #797896
      https://www.apache.org/security/asf-httpoxy-response.txt
[ 2 ] CVE-2014-3583
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3583
[ 3 ] CVE-2016-0736
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0736
[ 4 ] CVE-2016-2161
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2161
[ 5 ] CVE-2016-5387
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5387
[ 6 ] CVE-2016-8073
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8073
[ 7 ] CVE-2016-8740
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8740
[ 8 ] CVE-2016-8743
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8743
[ 9 ] HTTPoxy Website
      https://httpoxy.org/
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201701-36
Concerns
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
Synopsis
Multiple vulnerabilities have been found in Apache, the worst of which could lead to a Denial of Service condition.
Background
The Apache HTTP server is one of the most popular web servers on the Internet.
Affected Packages
-------------------------------------------------------------------
     Package              /     Vulnerable     /          Unaffected
-------------------------------------------------------------------
  1  www-servers/apache          < 2.4.25                  >= 2.4.25
Impact
A remote attacker could cause a Denial of Service condition via multiple vectors or response splitting and cache pollution. Additionally, an attacker could intercept unsecured (HTTP) transmissions via the HTTPoxy vulnerability.
Workaround
There is no known workaround at this time.