Ubuntu 3373-1: Apache HTTP Server vulnerabilities

    Date31 Jul 2017
    CategoryUbuntu
    56
    Posted ByLinuxSecurity Advisories
    Several security issues were fixed in Apache HTTP Server.
    ==========================================================================
    Ubuntu Security Notice USN-3373-1
    July 31, 2017
    
    apache2 vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 12.04 ESM
    
    Summary:
    
    Several security issues were fixed in Apache HTTP Server.
    
    Software Description:
    - apache2: Apache HTTP server
    
    Details:
    
    Emmanuel Dreyfus discovered that third-party modules using the
    ap_get_basic_auth_pw() function outside of the authentication phase may
    lead to authentication requirements being bypassed. This update adds a
    new ap_get_basic_auth_components() function for use by third-party
    modules. (CVE-2017-3167)
    
    Vasileios Panopoulos discovered that the Apache mod_ssl module may
    crash when third-party modules call ap_hook_process_connection() during
    an HTTP request to an HTTPS port. (CVE-2017-3169)
    
    Javier Jiménez discovered that the Apache HTTP Server incorrectly
    handled parsing certain requests. A remote attacker could possibly use
    this issue to cause the Apache HTTP Server to crash, resulting in a
    denial of service. (CVE-2017-7668)
    
    ChenQin and Hanno Böck discovered that the Apache mod_mime module
    incorrectly handled certain Content-Type response headers. A remote
    attacker could possibly use this issue to cause the Apache HTTP Server
    to crash, resulting in a denial of service. (CVE-2017-7679)
    
    David Dennerline and Régis Leroy discovered that the Apache HTTP Server
    incorrectly handled unusual whitespace when parsing requests, contrary
    to specifications. When being used in combination with a proxy or
    backend server, a remote attacker could possibly use this issue to
    perform an injection attack and pollute cache. This update may
    introduce compatibility issues with clients that do not strictly follow
    HTTP protocol specifications. A new configuration option
    "HttpProtocolOptions Unsafe" can be used to revert to the previous
    unsafe behaviour in problematic environments. (CVE-2016-8743)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 12.04 ESM:
      apache2.2-bin                   2.2.22-1ubuntu1.12
    
    In general, a standard system update will make all the necessary
    changes.
    
    References:
      https://www.ubuntu.com/usn/usn-3373-1
      CVE-2016-8743, CVE-2017-3167, CVE-2017-3169, CVE-2017-7668,
      CVE-2017-7679
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"39","type":"x","order":"1","pct":50,"resources":[]},{"id":"88","title":"Should be more technical","votes":"11","type":"x","order":"2","pct":14.1,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"28","type":"x","order":"3","pct":35.9,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.