[3.7] apache2: Several vulnerabilities (CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668, CVE-2017-7679)
CVE-2017-3167: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before
2.4.26, use of ap_get_basic_auth_pw() by third-party
modules outside of the authentication phase may lead to authentication
requirements being bypassed.
References:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2017-3169: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before
2.4.26, mod_ssl may dereference a NULL pointer when
third-party modules call ap_hook_process_connection() during an HTTP
request to an HTTPS port.
References:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2017-7659: mod_http2 null pointer dereference
Affects: 2.4.25
Fixed in: 2.4.26
References:
http://www.openwall.com/lists/oss-security/2017/06/19/5
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2017-7668: ap_find_token() buffer overread
Affects: 2.4.25
Fixed in: 2.4.26
References:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2017-7679: mod_mime Buffer Overread
Affects: 2.4.25
Fixed in: 2.4.26
References:
https://httpd.apache.org/security/vulnerabilities_24.html
(from redmine: issue id 7463, created on 2017-06-29, closed on 2017-07-11)
- Relations:
- parent #7462 (closed)
- Changesets:
- Revision c930c29f by Kaarle Ritvanen on 2017-07-06T11:26:18Z:
main/apache2: security upgrade to 2.4.26
fixes #7463