Arch Linux Security Advisory ASA-201507-15 ========================================== Severity: Medium Date : 2015-07-17 CVE-ID : CVE-2015-0228 CVE-2015-0253 CVE-2015-3183 CVE-2015-3185 Package : apache Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package apache before version 2.4.16-1 is vulnerable to multiple issues including remote denial of service and authentication bypass. Resolution ========== Upgrade to 2.4.16-1. # pacman -Syu "apache>=2.4.16-1" The problem has been fixed upstream in version 2.4.16. Workaround ========== None. Description =========== - CVE-2015-0228 (denial of service): mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash. - CVE-2015-0253 (denial of service): Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. - CVE-2015-3183 (denial of service): core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. - CVE-2015-3185 (authentication bypass): Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook. Impact ====== A remote attacker might be able to bypass authentication required by a module incorrectly updated for 2.4.x, or crash the apache httpd server. References ========== https://access.redhat.com/security/cve/CVE-2015-0228 https://access.redhat.com/security/cve/CVE-2015-0253 https://access.redhat.com/security/cve/CVE-2015-3183 https://access.redhat.com/security/cve/CVE-2015-3185 http://www.apache.org/dist/httpd/CHANGES_2.4.16 https://bz.apache.org/bugzilla/show_bug.cgi?id=57531