-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1583
                          apache2 security update
                               23 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7679 CVE-2017-7668 CVE-2017-7659
                   CVE-2017-3169 CVE-2017-3167

Reference:         ESB-2017.1533

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3896

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3896-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 22, 2017                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
                 CVE-2017-7679

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2017-3167

    Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by
    third-party modules outside of the authentication phase may lead to
    authentication requirements being bypassed.

CVE-2017-3169

    Vasileios Panopoulos of AdNovum Informatik AG discovered that
    mod_ssl may dereference a NULL pointer when third-party modules call
    ap_hook_process_connection() during an HTTP request to an HTTPS port,
    leading to a denial of service.

CVE-2017-7659

    Robert Swiecki reported that a specially crafted HTTP/2 request
    could cause mod_http2 to dereference a NULL pointer and crash the
    server process.

CVE-2017-7668

    Javier Jimenez reported that the HTTP strict parsing contains a
    flaw leading to a buffer overread in ap_find_token(). A remote
    attacker can take advantage of this flaw by carefully crafting a
    sequence of request headers to cause a segmentation fault, or to
    force ap_find_token() to return an incorrect value.

CVE-2017-7679

    ChenQin and Hanno Boeck reported that mod_mime can read one byte
    past the end of a buffer when sending a malicious Content-Type
    response header.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.4.10-10+deb8u9. The oldstable distribution (jessie) is not
affected by CVE-2017-7659.

For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.25-4.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----