[3.7] apache2: Multiple vulnerabilities (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301, CVE-2018-1302, CVE-2018-1303, CVE-2018-1283, CVE-2018-1312)
CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values
Affected Versions:
httpd 2.4.1 to 2.4.29
Fixed in:
Apache httpd 2.4.30
References:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file name
The expression specified in <FilesMatch> could match ‘$’ to a newline
character in a malicious filename, rather than matching only the end of
the filename.
This could be exploited in environments where uploads of some files are
externally blocked, but only by matching the trailing portion of the
filename.
Affected Versions:
httpd 2.4.1 to 2.4.29
References:
https://httpd.apache.org/security/vulnerabilities_24.html
http://openwall.com/lists/oss-security/2018/03/24/6
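The ‘$’ behaviour described for CVE-2017-15715 above, as an added example that is not part of the original issue or of Apache's code. It uses Python's re module, whose default ‘$’ also matches just before a final newline; the pattern, blocklist, allowlist and sample names are all constructed assumptions.

```python
import re

# Stand-in for a '$'-anchored filename expression on the server side
# (assumption). Without re.MULTILINE, '$' matches at the very end of the
# string and also just before a single trailing "\n".
LOOSE_PATTERN = re.compile(r".+\.php$")
# "\Z" matches only at the true end of the string.
EXACT_PATTERN = re.compile(r".+\.php\Z")

BLOCKED_SUFFIXES = (".php",)  # constructed upload blocklist
# Constructed allowlist: the whole name must fit, no control characters.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.(?:png|jpg|txt)")


def server_selects(name, pattern=LOOSE_PATTERN):
    """True if the filename pattern would select this name."""
    return pattern.match(name) is not None


def naive_upload_allowed(name):
    """Weak filter: blocks only by the trailing portion of the name."""
    return not name.lower().endswith(BLOCKED_SUFFIXES)


def strict_upload_allowed(name):
    """Hardened filter: fullmatch() against an allowlist, so a trailing
    newline or any other unexpected character rejects the name."""
    return ALLOWED_NAME.fullmatch(name) is not None


def disagreements(names, upload_filter):
    """Names the upload filter accepts although the loose pattern selects them."""
    return [n for n in names if upload_filter(n) and server_selects(n)]


# Constructed sample names; the last one ends in a newline character.
SAMPLES = ["report.txt", "logo.png", "index.php", "index.php\n"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(repr(n), "naive:", naive_upload_allowed(n),
              "strict:", strict_upload_allowed(n),
              "loose $:", server_selects(n),
              "exact \\Z:", server_selects(n, EXACT_PATTERN))
    print("naive filter gaps:", disagreements(SAMPLES, naive_upload_allowed))
    print("strict filter gaps:", disagreements(SAMPLES, strict_upload_allowed))
```

Auditing an upload filter against the server's own matching rules in this way surfaces names that the two components classify differently.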
CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request
A specially crafted request could have crashed the Apache HTTP Server
prior to version 2.4.30, due to an out of bound access after a size
limit is reached by reading the HTTP header.
Affected Versions:
httpd 2.4.1 to 2.4.29
Fixed in:
Apache httpd 2.4.30
References:
https://httpd.apache.org/security/vulnerabilities_24.html
http://openwall.com/lists/oss-security/2018/03/24/2
CVE-2018-1302: Possible write of after free on HTTP/2 stream shutdown
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP
Server prior to version 2.4.30 could have written a NULL pointer,
potentially to already freed memory.
Affected Versions:
httpd 2.4.17 to 2.4.29
Fixed in:
Apache httpd 2.4.30
References:
https://httpd.apache.org/security/vulnerabilities_24.html
http://openwall.com/lists/oss-security/2018/03/24/5
CVE-2018-1303: Possible out of bound read in mod_cache_socache
A specially crafted HTTP request header could have crashed the Apache
HTTP Server prior to version 2.4.30 due to an out of bound read
while preparing data to be cached in shared memory. It could be used as
a Denial of Service attack against users of mod_cache_socache.
Affected Versions:
httpd 2.4.6 to 2.4.29
Fixed in:
Apache httpd 2.4.30
References:
https://httpd.apache.org/security/vulnerabilities_24.html
http://openwall.com/lists/oss-security/2018/03/24/3
CVE-2018-1283: Tampering of mod_session data for CGI applications
When mod_session is configured to forward its session data to CGI
applications (SessionEnv on, not the default), a remote user may
influence their content by using a “Session” header. This comes from the
“HTTP_SESSION” variable name used by mod_session to forward its data to
CGIs, since the prefix “HTTP_” is also used by the Apache HTTP Server to
pass HTTP header fields, per CGI specifications.
Affected Versions:
httpd 2.4.1 to 2.4.29
Fixed in:
Apache httpd 2.4.30
References:
https://httpd.apache.org/security/vulnerabilities_24.html
http://openwall.com/lists/oss-security/2018/03/24/4
CVE-2018-1312: Weak Digest auth nonce generation in mod_auth_digest
When generating an HTTP Digest authentication challenge, the nonce sent
to prevent replay attacks was not correctly generated using a
pseudo-random seed.
In a cluster of servers using a common Digest authentication
configuration, HTTP requests could be replayed across servers by an
attacker without detection.
Affected Versions:
httpd 2.4.1 to 2.4.29
Fixed in:
Apache httpd 2.4.30
References:
https://httpd.apache.org/security/vulnerabilities_24.html
(from redmine: issue id 8729, created on 2018-03-26, closed on 2018-03-29)
- Relations:
- copied_to #8727 (closed)
- parent #8727 (closed)
- Changesets:
- Revision 746c8ef1 by Kaarle Ritvanen on 2018-03-27T11:29:36Z:
main/apache2: security upgrade to 2.4.33
fixes #8729