[ubuntu/trusty-updates] apache2 2.4.7-1ubuntu4.15 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Tue May 9 16:58:14 UTC 2017


apache2 (2.4.7-1ubuntu4.15) trusty-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.
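The directive named in the warning above, shown in both settings as an added example (this is not part of the upload or of the Apache project's own documentation): the strict default is kept server-wide, and the relaxation is scoped to a single virtual host assumed to serve a client that cannot be fixed yet. The hostname and document root are placeholders.

```apache
# Server-wide: keep the strict RFC 7230 request parsing that the
# CVE-2016-8743 fix introduces. "Strict" is the default; it is written out
# here so the intent is explicit in the configuration.
HttpProtocolOptions Strict

# Placeholder virtual host for the one legacy client that needs the old,
# looser grammar. Relaxing parsing here rather than globally limits the
# exposure to this host only.
<VirtualHost *:80>
    ServerName legacy.example.test
    DocumentRoot /var/www/legacy

    # Re-enables the less strict parsing at the expense of the request
    # splitting and cache pollution protections the update adds. Keep it
    # scoped to this host and remove it once the client is fixed.
    HttpProtocolOptions Unsafe
</VirtualHost>
```

The directive is valid in both server config and virtual host context, so the vhost-level setting overrides the global one only for requests routed to that host. It also accepts the tokens RegisteredMethods|LenientMethods and Allow0.9|Require1.0 for the method and version checks; the example leaves those at their defaults.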

Date: 2017-05-09 16:11:22.381179+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.15