===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1583
                          apache2 security update
                               23 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7679 CVE-2017-7668 CVE-2017-7659
                   CVE-2017-3169 CVE-2017-3167

Reference:         ESB-2017.1533

Original Bulletin:
   http://www.debian.org/security/2017/dsa-3896

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3896-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 22, 2017                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
                 CVE-2017-7679

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2017-3167

    Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by
    third-party modules outside of the authentication phase may lead to
    authentication requirements being bypassed.

CVE-2017-3169

    Vasileios Panopoulos of AdNovum Informatik AG discovered that mod_ssl
    may dereference a NULL pointer when third-party modules call
    ap_hook_process_connection() during an HTTP request to an HTTPS port,
    leading to a denial of service.

CVE-2017-7659

    Robert Swiecki reported that a specially crafted HTTP/2 request could
    cause mod_http2 to dereference a NULL pointer and crash the server
    process.

CVE-2017-7668

    Javier Jimenez reported that the HTTP strict parsing contains a flaw
    leading to a buffer overread in ap_find_token(). A remote attacker can
    take advantage of this flaw by carefully crafting a sequence of request
    headers to cause a segmentation fault, or to force ap_find_token() to
    return an incorrect value.

CVE-2017-7679

    ChenQin and Hanno Boeck reported that mod_mime can read one byte past
    the end of a buffer when sending a malicious Content-Type response
    header.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.4.10-10+deb8u9. The oldstable distribution (jessie) is not
affected by CVE-2017-7659.

For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.25-4.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================