From: William A Rowe Jr
Date: Mon, 19 Jun 2017 17:35:04 -0500
Subject: Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
To: httpd <dev@httpd.apache.org>
Archived-at: Mon, 19 Jun 2017 22:35:16 -0000

Not to announce@httpd? users@ and dev@ aren't particularly broadcast channels.
announce@a.o might be too wide an audience, but that's why we document the
CVEs with short notes in the foundation-wide release announcement. At least,
we used to document them.

On Mon, Jun 19, 2017 at 5:08 PM, Jacob Champion wrote:
> CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> httpd 2.2.0 to 2.2.32
> httpd 2.4.0 to 2.4.25
>
> Description:
> Use of the ap_get_basic_auth_pw() by third-party modules outside of the
> authentication phase may lead to authentication requirements being
> bypassed.
>
> Mitigation:
> 2.2.x users should either apply the patch available at
> https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
> or upgrade in the future to 2.2.33, which is currently unreleased.
>
> 2.4.x users should upgrade to 2.4.26.
>
> Third-party module writers SHOULD use ap_get_basic_auth_components(),
> available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
> Modules which call the legacy ap_get_basic_auth_pw() during the
> authentication phase MUST either immediately authenticate the user after
> the call, or else stop the request immediately with an error response,
> to avoid incorrectly authenticating the current request.
>
> Credit:
> The Apache HTTP Server security team would like to thank Emmanuel
> Dreyfus for reporting this issue.
>
> References:
> https://httpd.apache.org/security_report.html
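To make the advisory's MUST concrete, here is an added, self-contained C model (not httpd's code, not part of this thread) of why a call outside the authentication phase is dangerous: the legacy ap_get_basic_auth_pw() stores the username in r->user as a side effect, and a later "Require valid-user" check treats a non-NULL r->user as an authenticated user, so a module that merely peeks at the credentials and neither verifies them nor fails the request leaves it looking authenticated. The request_rec, the two parser functions, the hooks and the "mallory:wrong" credentials are constructed stand-ins that mirror only the observable contract of the two APIs.

```c
#include <string.h>

/* Minimal stand-in for httpd's request_rec: only the fields the hazard touches (constructed). */
typedef struct { const char *authorization; char *user; const char *ap_auth_type; } request_rec;

/* Standard base64 decode into out (NUL-terminated); returns length, or -1 on bad input/overflow. */
static int b64dec(const char *s, char *out, int cap) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0; int bits = 0, n = 0;
    for (; *s && *s != '='; s++) {
        const char *p = strchr(tbl, *s);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned)(p - tbl); bits += 6;
        if (bits >= 8 && n >= cap - 1) return -1;
        if (bits >= 8) { bits -= 8; out[n++] = (char)(acc >> bits); acc &= (1u << bits) - 1; }
    }
    out[n] = '\0'; return n;
}

/* Shared parsing: "Basic <b64>" -> "user:pass", split at the first colon; 0 on success. */
static int split_basic(const char *hdr, char *buf, int cap, const char **user, const char **pw) {
    char *colon;
    if (!hdr || strncmp(hdr, "Basic ", 6) != 0 || b64dec(hdr + 6, buf, cap) < 0) return -1;
    if (!(colon = strchr(buf, ':'))) return -1;
    *colon = '\0'; *user = buf; *pw = colon + 1; return 0;
}

/* Legacy contract (pre-2.4.26 ap_get_basic_auth_pw): returns the password AND stores the
 * username in r->user, so the request looks authenticated to every stage that runs later. */
static int legacy_get_basic_auth_pw(request_rec *r, const char **pw) {
    static char buf[256]; const char *user;
    if (split_basic(r->authorization, buf, sizeof buf, &user, pw)) return 401;
    r->user = buf; r->ap_auth_type = "Basic"; return 0;
}
/* Replacement contract (ap_get_basic_auth_components): both parts returned, r->user untouched. */
static int get_basic_auth_components(const request_rec *r, const char **user, const char **pw) {
    static char buf[256];
    return split_basic(r->authorization, buf, sizeof buf, user, pw);
}
/* "Require valid-user" authorization trusts a non-NULL r->user, as mod_authz_user does. */
static int require_valid_user(const request_rec *r) { return r->user ? 200 : 401; }
/* Logging-only hooks outside the authentication phase; nothing here verifies the password. */
static int hook_legacy(request_rec *r) { const char *pw; legacy_get_basic_auth_pw(r, &pw); return 0; }
static int hook_fixed(request_rec *r) { const char *u, *pw; get_basic_auth_components(r, &u, &pw); return 0; }
/* Final status for an unverified "mallory:wrong" request (constructed) after the given hook ran. */
int outcome(int (*hook)(request_rec *)) {
    request_rec r = { "Basic bWFsbG9yeTp3cm9uZw==", NULL, NULL };
    hook(&r);
    return require_valid_user(&r);
}
```

With the legacy call the unverified request ends in 200, with the components call in 401; that gap is exactly what the MUST clause (authenticate immediately or fail the request) closes for modules that cannot yet move to the new API.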