Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 754
Alerts This Week
Warning Icon 1 754

Ubuntu 17.04 Advisory 3340-1 Moderate: Apache DoS and Bypass Risks

ubuntu
Calendar Grey June 26, 2017
Dist Ubuntu Esm H88
Ubuntu Security Advisory for Apache HTTP Server vulnerabilities, highlighting potential crash scenarios and authentication circumvention risks.
Several security issues were fixed in Apache HTTP Server.

Summary

Several security issues were fixed in Apache HTTP Server.

Software Description:

- apache2: Apache HTTP server

Details:

Emmanuel Dreyfus discovered that third-party modules using the

ap_get_basic_auth_pw() function outside of the authentication phase may

lead to authentication requirements being bypassed. This update adds a new

ap_get_basic_auth_components() function for use by third-party modules.

(CVE-2017-3167)

Vasileios Panopoulos discovered that the Apache mod_ssl module may crash

when third-party modules call ap_hook_process_connection() during an HTTP

request to an HTTPS port. (CVE-2017-3169)

Javier Jiménez discovered that the Apache HTTP Server incorrectly handled

parsing certain requests. A remote attacker could possibly use this issue

to cause the Apache HTTP Server to crash, resulting in a denial of service.

(CVE-2017-7668)

ChenQin and Hanno Böck discovered that the Apache mod_mime module

incorrectly handled certain Content-Type response he...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  apache2-bin                     2.4.25-3ubuntu2.1

Ubuntu 16.10:
  apache2-bin                     2.4.18-2ubuntu4.2

Ubuntu 16.04 LTS:
  apache2-bin                     2.4.18-2ubuntu3.3

Ubuntu 14.04 LTS:
  apache2-bin                     2.4.7-1ubuntu4.16

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3340-1

CVE-2017-3167, CVE-2017-3169, CVE-2017-7668, CVE-2017-7679

Severity
important
Lowest
Low
Medium
High
Critical

June 26, 2017

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.