[USN-3373-1] Apache HTTP Server vulnerabilities

Leonidas S. Barbosa leo.barbosa at canonical.com
Mon Jul 31 16:43:47 UTC 2017


==========================================================================
Ubuntu Security Notice USN-3373-1
July 31, 2017

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

Emmanuel Dreyfus discovered that third-party modules using the
ap_get_basic_auth_pw() function outside of the authentication phase may
lead to authentication requirements being bypassed. This update adds a
new ap_get_basic_auth_components() function for use by third-party
modules. (CVE-2017-3167)

Vasileios Panopoulos discovered that the Apache mod_ssl module may
crash when third-party modules call ap_hook_process_connection() during
an HTTP request to an HTTPS port. (CVE-2017-3169)

Javier Jiménez discovered that the Apache HTTP Server incorrectly
handled parsing certain requests. A remote attacker could possibly use
this issue to cause the Apache HTTP Server to crash, resulting in a
denial of service. (CVE-2017-7668)

ChenQin and Hanno Böck discovered that the Apache mod_mime module
incorrectly handled certain Content-Type response headers. A remote
attacker could possibly use this issue to cause the Apache HTTP Server
to crash, resulting in a denial of service. (CVE-2017-7679)

David Dennerline and Régis Leroy discovered that the Apache HTTP Server
incorrectly handled unusual whitespace when parsing requests, contrary
to specifications. When being used in combination with a proxy or
backend server, a remote attacker could possibly use this issue to
perform an injection attack and pollute cache. This update may
introduce compatibility issues with clients that do not strictly follow
HTTP protocol specifications. A new configuration option
"HttpProtocolOptions Unsafe" can be used to revert to the previous
unsafe behaviour in problematic environments. (CVE-2016-8743)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  apache2.2-bin                   2.2.22-1ubuntu1.12

In general, a standard system update will make all the necessary
changes.

References:
  https://www.ubuntu.com/usn/usn-3373-1
  CVE-2016-8743, CVE-2017-3167, CVE-2017-3169, CVE-2017-7668,
  CVE-2017-7679
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20170731/ce30f9d3/attachment.pgp>


More information about the ubuntu-security-announce mailing list