[manjaro-security] [arch-security] [ASA-201706-34] apache: multiple issues

Santiago Torres-Arias santiago at archlinux.org
Wed Jun 28 19:26:52 CEST 2017


Arch Linux Security Advisory ASA-201706-34
==========================================

Severity: High
Date    : 2017-06-28
CVE-ID  : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
          CVE-2017-7679
Package : apache
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-316

Summary
=======

The package apache before version 2.4.26-1 is vulnerable to multiple
issues including denial of service, information disclosure and
authentication bypass.

Resolution
==========

Upgrade to 2.4.26-1.

# pacman -Syu "apache>=2.4.26-1"

The problems have been fixed upstream in version 2.4.26.

Workaround
==========

None.

Description
===========

- CVE-2017-3167 (authentication bypass)

An authentication bypass flaw has been found in Apache httpd < 2.4.26,
where the use of the ap_get_basic_auth_pw() function by third-party
modules outside of the authentication phase may lead to authentication
requirements being bypassed. Third-party module writers SHOULD use
ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead
of ap_get_basic_auth_pw(). Modules which call the legacy
ap_get_basic_auth_pw() during the authentication phase MUST either
immediately authenticate the user after the call, or else stop the
request immediately with an error response, to avoid incorrectly
authenticating the current request.

- CVE-2017-3169 (denial of service)

A NULL-pointer dereference leading to denial of service has been found
in the mod_ssl component of Apache httpd < 2.4.26. mod_ssl may
dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

- CVE-2017-7659 (denial of service)

A NULL-pointer dereference leading to denial of service has been found
in the mod_http2 component of Apache httpd < 2.4.26. A maliciously
constructed HTTP/2 request could cause mod_http2 to dereference a NULL
pointer and crash the server process.

- CVE-2017-7668 (information disclosure)

An out-of-bounds read has been found in Apache httpd < 2.4.26. The HTTP
strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
token list parsing, which allows ap_find_token() to search past the end
of its input string. By maliciously crafting a sequence of request
headers, an attacker may be able to cause a segmentation fault, or to
force ap_find_token() to return an incorrect value.

- CVE-2017-7679 (denial of service)

An out-of-bounds read has been found in Apache httpd < 2.4.26, where
mod_mime can read one byte past the end of a buffer when a malicious
Content-Type response header is sent.

Impact
======

A remote attacker can crash an apache server or obtain sensitive
information from the host by performing a maliciously-crafted HTTP
request. In addition, a malicious attacker can bypass a server's
authentication requirements via maliciously-crafted request headers.

References
==========

https://httpd.apache.org/security/vulnerabilities_24.html
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
https://security.archlinux.org/CVE-2017-3167
https://security.archlinux.org/CVE-2017-3169
https://security.archlinux.org/CVE-2017-7659
https://security.archlinux.org/CVE-2017-7668
https://security.archlinux.org/CVE-2017-7679
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20170628/b457a2c4/attachment.sig>


More information about the manjaro-security mailing list