==========================================================================
Ubuntu Security Notice USN-3373-1
July 31, 2017
apache2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in Apache HTTP Server.
Software Description:
– apache2: Apache HTTP server
Details:
Emmanuel Dreyfus discovered that third-party modules using the
ap_get_basic_auth_pw() function outside of the authentication phase may
lead to authentication requirements being bypassed. This update adds a
new ap_get_basic_auth_components() function for use by third-party
modules. (CVE-2017-3167)
Vasileios Panopoulos discovered that the Apache mod_ssl module may
crash when third-party modules call ap_hook_process_connection() during
an HTTP request to an HTTPS port. (CVE-2017-3169)
Javier Jiménez discovered that the Apache HTTP Server incorrectly
handled parsing certain requests. A remote attacker could possibly use
this issue to cause the Apache HTTP Server to crash, resulting in a
denial of service. (CVE-2017-7668)
ChenQin and Hanno Böck discovered that the Apache mod_mime module
incorrectly handled certain Content-Type response headers. A remote
attacker could possibly use this issue to cause the Apache HTTP Server
to crash, resulting in a denial of service. (CVE-2017-7679)
David Dennerline and Régis Leroy discovered that the Apache HTTP Server
incorrectly handled unusual whitespace when parsing requests, contrary
to specifications. When being used in combination with a proxy or
backend server, a remote attacker could possibly use this issue to
perform an injection attack and pollute cache. This update may
introduce compatibility issues with clients that do not strictly follow
HTTP protocol specifications. A new configuration option
“HttpProtocolOptions Unsafe” can be used to revert to the previous
unsafe behaviour in problematic environments. (CVE-2016-8743)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
apache2.2-bin 2.2.22-1ubuntu1.12
In general, a standard system update will make all the necessary
changes.
References:
https://www.ubuntu.com/usn/usn-3373-1
CVE-2016-8743, CVE-2017-3167, CVE-2017-3169, CVE-2017-7668,
CVE-2017-7679
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2
iQIcBAABCAAGBQJZf15DAAoJEEW851uECx9pFX8P/iZmzJ3MG0gfNcHcRAFhBjsS
y3CixYtNEboWJMZ+xHey1KzGz4lTx+COKbzHzPTVjW2KAX4bvDeYGmyAgOOoVnxw
NGVinHEjpaIDwFpdEHR8D7ZsKzsE0dsxw188kqI6EQ3AYbZoRL+X7gGCK7cIfCDy
16vmtHmRnYKIe+IsbEZVDQnbmTrJQs6Lkhww1MoUJsBIFfKcZi3CK1ki1AP5aPt9
miVPONYrJbe3V5Ne4N2jezXywMmtNXVejuNdNAiKoMGTLPlQV0VyIv3t8ACSanKK
RiAQCpuF+JlMKc1LhFiFVMRmWXhVE5/r8q/zHiM16EY+HEo5xNKO8M6MkE2fb9Ua
Iffpt1T6HL7IZg+dRi1euNXgyd20zb9HdiCuqImscHir1kdumwRJo0/MPOniGn5V
DcDDrSVuO5mNR07DghXVymsqDUNKELPu0HW5D/0XivBCna0V+K6nDH6625z+qytk
m7RokHA9Q6pEbk3mO7/9M2sWeaSXn0wMe0GeqKIUXNYcb2jM5n78ISysuQZjLrAa
exkb66uphgrg2VDVOxFeOPNcRDnSNm1VE+ppGGhYmtQPu9BdtF5zO3UQHauSXoxZ
7E5xj0uoP5yc1SVpRznY2yvIq4iu7Nk28ftp6HjpE9FCnA9NMoLwjTY+uwXWK4K6
jqW9E9FTqO0EMcxmtMeg
=wmde
—–END PGP SIGNATURE—–
—