apache2: Several vulnerabilities (CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668, CVE-2017-7679)
CVE-2017-3167: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before
2.4.26, use of ap_get_basic_auth_pw() by third-party
modules outside of the authentication phase may lead to authentication
requirements being bypassed.
References:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2017-3169: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before
2.4.26, mod_ssl may dereference a NULL pointer when
third-party modules call ap_hook_process_connection() during an HTTP
request to an HTTPS port.
References:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2017-7659: mod_http2 null pointer dereference
Affects: 2.4.25
Fixed in: 2.4.26
References:
http://www.openwall.com/lists/oss-security/2017/06/19/5
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2017-7668: ap_find_token() buffer overread
Affects: 2.4.25
Fixed in: 2.4.26
References:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2017-7679: mod_mime Buffer Overread
Affects: 2.4.25
Fixed in: 2.4.26
References:
https://httpd.apache.org/security/vulnerabilities_24.html
(from redmine: issue id 7462, created on 2017-06-29, closed on 2017-07-11)
- Relations:
  - child #7463 (closed)
  - child #7464 (closed)
  - child #7465 (closed)
  - child #7466 (closed)
  - child #7467 (closed)