Subject: svn commit: r1799284 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Date: Mon, 19 Jun 2017 22:01:00 -0000
To: cvs@httpd.apache.org
From: jchampion@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20170619220103.AC5633A0042@svn01-us-west.apache.org> archived-at: Mon, 19 Jun 2017 22:01:07 -0000 Author: jchampion Date: Mon Jun 19 22:01:00 2017 New Revision: 1799284 URL: http://svn.apache.org/viewvc?rev=1799284&view=rev Log: vulns: add CVE descriptions for the 2.4.26 release Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1799284&r1=1799283&r2=1799284&view=diff ============================================================================== --- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original) +++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Mon Jun 19 22:01:00 2017 @@ -1,4 +1,216 @@ - + + + + +important +ap_get_basic_auth_pw() Authentication Bypass +

+Use of the ap_get_basic_auth_pw() by third-party modules outside of the +authentication phase may lead to authentication requirements being bypassed. +

+Third-party module writers SHOULD use ap_get_basic_auth_components(), available +in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the +legacy ap_get_basic_auth_pw() during the authentication phase MUST either +immediately authenticate the user after the call, or else stop the request +immediately with an error response, to avoid incorrectly authenticating the +current request. +

+ +We would like to thank Emmanuel Dreyfus for reporting this issue. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +important +mod_ssl Null Pointer Dereference +

+mod_ssl may dereference a NULL pointer when third-party modules call +ap_hook_process_connection() during an HTTP request to an HTTPS port. +

+ +We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for +reporting this issue. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +important +mod_http2 Null Pointer Dereference +

+A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a +NULL pointer and crash the server process. +

+ +We would like to thank Robert Święcki for reporting this issue. + + +
+ + + +important +ap_find_token() Buffer Overread +

+The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in +token list parsing, which allows ap_find_token() to search past the end of its +input string. By maliciously crafting a sequence of request headers, an attacker +may be able to cause a segmentation fault, or to force ap_find_token() to return +an incorrect value. +

+ +We would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this +issue. + + + +
+ + + +important +mod_mime Buffer Overread +

+mod_mime can read one byte past the end of a buffer when sending a malicious +Content-Type response header. +

+ +We would like to thank ChenQin and Hanno Böck for reporting this issue. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
@@ -220,7 +432,221 @@ this issue. - + + +important +ap_get_basic_auth_pw() Authentication Bypass +

+Use of the ap_get_basic_auth_pw() by third-party modules outside of the +authentication phase may lead to authentication requirements being bypassed. +

+Third-party module writers SHOULD use ap_get_basic_auth_components(), available +in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the +legacy ap_get_basic_auth_pw() during the authentication phase MUST either +immediately authenticate the user after the call, or else stop the request +immediately with an error response, to avoid incorrectly authenticating the +current request. +

+A patch for 2.2.32 is available at +https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch. +

+ +We would like to thank Emmanuel Dreyfus for reporting this issue. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +important +mod_ssl Null Pointer Dereference +

+mod_ssl may dereference a NULL pointer when third-party modules call +ap_hook_process_connection() during an HTTP request to an HTTPS port. +

+A patch for 2.2.32 is available at +https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch. +

+ +We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for +reporting this issue. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +important +ap_find_token() Buffer Overread +

+The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in +token list parsing, which allows ap_find_token() to search past the end of its +input string. By maliciously crafting a sequence of request headers, an attacker +may be able to cause a segmentation fault, or to force ap_find_token() to return +an incorrect value. +

+A patch for 2.2.32 is available at +https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch. +

+ +We would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this +issue. + + + +
+ + + +important +mod_mime Buffer Overread +

+mod_mime can read one byte past the end of a buffer when sending a malicious +Content-Type response header. +

+A patch for 2.2.32 is available at +https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch. +

+ +We would like to thank ChenQin and Hanno Böck for reporting this issue. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + n/a HTTP_PROXY environment variable "httpoxy" mitigation
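Review bot: In the first hunk (@@ -1,4 +1,216 @@), the ap_get_basic_auth_pw() entry places the risk in calls made "outside of the authentication phase", but the only MUST in the following paragraph applies to modules that call it "during the authentication phase". A module author calling the function from another phase is left with just the SHOULD to move to ap_get_basic_auth_components(). Suggest stating explicitly what is expected of modules in that situation, and dropping the stray article in "Use of the ap_get_basic_auth_pw()". The same wording is repeated in the second hunk and would need the same change there.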
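Review bot: In the second hunk (@@ -220,7 +432,221 @@), the mod_mime entry says the overread occurs "when sending a malicious Content-Type response header", which does not tell the reader who controls that header or what a one-byte overread leads to, and the mod_ssl entry stops at "may dereference a NULL pointer" without naming the impact. The ap_find_token() entry in the same hunk does spell out its consequences ("cause a segmentation fault, or ... return an incorrect value"), so suggest bringing the other two descriptions up to that level so administrators can judge exposure. As a smaller style point, the ap_find_token() acknowledgement includes the reporter's e-mail address while the other acknowledgements give names only; worth making these consistent.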