From jchamp...@apache.org
Subject svn commit: r1799284 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Date Mon, 19 Jun 2017 22:01:00 GMT
Author: jchampion
Date: Mon Jun 19 22:01:00 2017
New Revision: 1799284

URL: http://svn.apache.org/viewvc?rev=1799284&view=rev
Log:
vulns: add CVE descriptions for the 2.4.26 release

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1799284&r1=1799283&r2=1799284&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Mon Jun 19 22:01:00 2017
@@ -1,4 +1,216 @@
-<security updated="20160726">
+<security updated="20170619">
+
+<issue fixed="2.4.26" reported="20170206" public="20170619" released="20170619">
+<cve name="CVE-2017-3167"/>
+<severity level="2">important</severity>
+<title>ap_get_basic_auth_pw() Authentication Bypass</title>
+<description><p>
+Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+authentication phase may lead to authentication requirements being bypassed.
+</p><p>
+Third-party module writers SHOULD use ap_get_basic_auth_components(), available
+in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().  Modules which call the
+legacy ap_get_basic_auth_pw() during the authentication phase MUST either
+immediately authenticate the user after the call, or else stop the request
+immediately with an error response, to avoid incorrectly authenticating the
+current request.
+</p></description>
+<acknowledgements>
+We would like to thank Emmanuel Dreyfus for reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+<affects prod="httpd" version="2.2.32"/>
+<affects prod="httpd" version="2.2.31"/>
+<affects prod="httpd" version="2.2.29"/>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.4.26" reported="20161205" public="20170619" released="20170619">
+<cve name="CVE-2017-3169"/>
+<severity level="2">important</severity>
+<title>mod_ssl Null Pointer Dereference</title>
+<description><p>
+mod_ssl may dereference a NULL pointer when third-party modules call
+ap_hook_process_connection() during an HTTP request to an HTTPS port.
+</p></description>
+<acknowledgements>
+We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for
+reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+<affects prod="httpd" version="2.2.32"/>
+<affects prod="httpd" version="2.2.31"/>
+<affects prod="httpd" version="2.2.29"/>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.4.26" reported="20161118" public="20170619" released="20170619">
+<cve name="CVE-2017-7659"/>
+<severity level="2">important</severity>
+<title>mod_http2 Null Pointer Dereference</title>
+<description><p>
+A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a
+NULL pointer and crash the server process.
+</p></description>
+<acknowledgements>
+We would like to thank Robert Święcki for reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.25"/>
+</issue>
+
+<issue fixed="2.4.26" reported="20170506" public="20170619" released="20170619">
+<cve name="CVE-2017-7668"/>
+<severity level="2">important</severity>
+<title>ap_find_token() Buffer Overread</title>
+<description><p>
+The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
+token list parsing, which allows ap_find_token() to search past the end of its
+input string. By maliciously crafting a sequence of request headers, an attacker
+may be able to cause a segmentation fault, or to force ap_find_token() to return
+an incorrect value.
+</p></description>
+<acknowledgements>
+We would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this
+issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.2.32"/>
+</issue>
+
+<issue fixed="2.4.26" reported="20151115" public="20170619" released="20170619">
+<cve name="CVE-2017-7679"/>
+<severity level="2">important</severity>
+<title>mod_mime Buffer Overread</title>
+<description><p>
+mod_mime can read one byte past the end of a buffer when sending a malicious
+Content-Type response header.
+</p></description>
+<acknowledgements>
+We would like to thank ChenQin and Hanno Böck for reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+<affects prod="httpd" version="2.2.32"/>
+<affects prod="httpd" version="2.2.31"/>
+<affects prod="httpd" version="2.2.29"/>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
 
 <issue fixed="2.4.25" reported="20160210" public="20161220" released="20161220">
 <cve name="CVE-2016-8743"/>
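Review bot: The `<affects>` lists under the new `fixed="2.4.26"` issues for CVE-2017-3167, CVE-2017-3169 and CVE-2017-7679 also enumerate 2.2.0 through 2.2.32 (and the CVE-2017-7668 issue lists 2.2.32), although 2.4.26 is not the fix for anyone on the 2.2 branch. The second hunk mirrors this: its `fixed="2.2.33-dev"` issues list 2.4.1 through 2.4.25. The older issue closed by the context line `<affects prod="httpd" version="2.4.1"/>` in the second hunk appears to stop at its own branch, so the new entries look inconsistent with the existing convention, and any page or tool generated per `fixed` value would pair versions with the wrong fix. I would keep only the 2.4.x `<affects>` lines in the 2.4.26 issues and only the 2.2.x lines in the 2.2.33-dev issues, unless the generator is known to filter by branch.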
@@ -220,7 +432,221 @@ this issue.
 <affects prod="httpd" version="2.4.1"/>
 </issue>
 
-<issue fixed="2.2.32-dev" reported="20160702" public="20160718" released="20160718">
+<issue fixed="2.2.33-dev" reported="20170206" public="20170619" released="20170619">
+<cve name="CVE-2017-3167"/>
+<severity level="2">important</severity>
+<title>ap_get_basic_auth_pw() Authentication Bypass</title>
+<description><p>
+Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+authentication phase may lead to authentication requirements being bypassed.
+</p><p>
+Third-party module writers SHOULD use ap_get_basic_auth_components(), available
+in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().  Modules which call the
+legacy ap_get_basic_auth_pw() during the authentication phase MUST either
+immediately authenticate the user after the call, or else stop the request
+immediately with an error response, to avoid incorrectly authenticating the
+current request.
+</p><p>
+A patch for 2.2.32 is available at
+<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch"
+   >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch</a>.
+</p></description>
+<acknowledgements>
+We would like to thank Emmanuel Dreyfus for reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+<affects prod="httpd" version="2.2.32"/>
+<affects prod="httpd" version="2.2.31"/>
+<affects prod="httpd" version="2.2.29"/>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.2.33-dev" reported="20161205" public="20170619" released="20170619">
+<cve name="CVE-2017-3169"/>
+<severity level="2">important</severity>
+<title>mod_ssl Null Pointer Dereference</title>
+<description><p>
+mod_ssl may dereference a NULL pointer when third-party modules call
+ap_hook_process_connection() during an HTTP request to an HTTPS port.
+</p><p>
+A patch for 2.2.32 is available at
+<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch"
+   >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch</a>.
+</p></description>
+<acknowledgements>
+We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for
+reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+<affects prod="httpd" version="2.2.32"/>
+<affects prod="httpd" version="2.2.31"/>
+<affects prod="httpd" version="2.2.29"/>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.2.33-dev" reported="20170506" public="20170619" released="20170619">
+<cve name="CVE-2017-7668"/>
+<severity level="2">important</severity>
+<title>ap_find_token() Buffer Overread</title>
+<description><p>
+The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
+token list parsing, which allows ap_find_token() to search past the end of its
+input string. By maliciously crafting a sequence of request headers, an attacker
+may be able to cause a segmentation fault, or to force ap_find_token() to return
+an incorrect value.
+</p><p>
+A patch for 2.2.32 is available at
+<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch"
+   >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch</a>.
+</p></description>
+<acknowledgements>
+We would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this
+issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.2.32"/>
+</issue>
+
+<issue fixed="2.2.33-dev" reported="20151115" public="20170619" released="20170619">
+<cve name="CVE-2017-7679"/>
+<severity level="2">important</severity>
+<title>mod_mime Buffer Overread</title>
+<description><p>
+mod_mime can read one byte past the end of a buffer when sending a malicious
+Content-Type response header.
+</p><p>
+A patch for 2.2.32 is available at
+<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch"
+   >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch</a>.
+</p></description>
+<acknowledgements>
+We would like to thank ChenQin and Hanno Böck for reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+<affects prod="httpd" version="2.2.32"/>
+<affects prod="httpd" version="2.2.31"/>
+<affects prod="httpd" version="2.2.29"/>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.2.32" reported="20160702" public="20160718" released="20160718">
 <cve name="CVE-2016-5387"/>
 <severity level="0">n/a</severity>
 <title>HTTP_PROXY environment variable "httpoxy" mitigation</title>
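Review bot: The CVE-2017-3167 description under `fixed="2.2.33-dev"` still tells module authors that ap_get_basic_auth_components() is "available in 2.2.33", while the entry itself marks the fix as unreleased and offers only a patch against 2.2.32. A 2.2 administrator reading this has no release of that number to upgrade to; wording such as `available in 2.4.26 and in the 2.2.x branch after 2.2.32` would match the `fixed` attribute, and if the linked patch also adds the new function the text could say so. The four patch links in this hunk also give no pointer to a detached signature or checksum; if those are published next to the patches, one sentence naming them would let readers verify the download before applying it.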


