[arch-security] [ASA-201706-34] apache: multiple issues
Santiago Torres-Arias
santiago at archlinux.org
Wed Jun 28 17:26:52 UTC 2017
Arch Linux Security Advisory ASA-201706-34
==========================================
Severity: High
Date : 2017-06-28
CVE-ID : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
CVE-2017-7679
Package : apache
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-316
Summary
=======
The package apache before version 2.4.26-1 is vulnerable to multiple
issues including denial of service, information disclosure and
authentication bypass.
Resolution
==========
Upgrade to 2.4.26-1.
# pacman -Syu "apache>=2.4.26-1"
The problems have been fixed upstream in version 2.4.26.
Workaround
==========
None.
Description
===========
- CVE-2017-3167 (authentication bypass)
An authentication bypass flaw has been found in Apache httpd < 2.4.26,
where the use of the ap_get_basic_auth_pw() function by third-party
modules outside of the authentication phase may lead to authentication
requirements being bypassed. Third-party module writers SHOULD use
ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead
of ap_get_basic_auth_pw(). Modules which call the legacy
ap_get_basic_auth_pw() during the authentication phase MUST either
immediately authenticate the user after the call, or else stop the
request immediately with an error response, to avoid incorrectly
authenticating the current request.
- CVE-2017-3169 (denial of service)
A NULL-pointer dereference leading to denial of service has been found
in the mod_ssl component of Apache httpd < 2.4.26. mod_ssl may
dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
- CVE-2017-7659 (denial of service)
A NULL-pointer dereference leading to denial of service has been found
in the mod_http2 component of Apache httpd < 2.4.26. A maliciously
constructed HTTP/2 request could cause mod_http2 to dereference a NULL
pointer and crash the server process.
- CVE-2017-7668 (information disclosure)
An out-of-bounds read has been found in Apache httpd < 2.4.26. The HTTP
strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
token list parsing, which allows ap_find_token() to search past the end
of its input string. By maliciously crafting a sequence of request
headers, an attacker may be able to cause a segmentation fault, or to
force ap_find_token() to return an incorrect value.
- CVE-2017-7679 (denial of service)
An out-of-bounds read has been found in Apache httpd < 2.4.26, where
mod_mime can read one byte past the end of a buffer when a malicious
Content-Type response header is sent.
Impact
======
A remote attacker can crash an apache server or obtain sensitive
information from the host by performing a maliciously-crafted HTTP
request. In addition, a malicious attacker can bypass a server's
authentication requirements via maliciously-crafted request headers.
References
==========
https://httpd.apache.org/security/vulnerabilities_24.html
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
https://security.archlinux.org/CVE-2017-3167
https://security.archlinux.org/CVE-2017-3169
https://security.archlinux.org/CVE-2017-7659
https://security.archlinux.org/CVE-2017-7668
https://security.archlinux.org/CVE-2017-7679
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20170628/b457a2c4/attachment.asc>
More information about the arch-security
mailing list