it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
- From: Salvatore Bonaccorso <carnil AT debian.org>
- To: debian-security-announce AT lists.debian.org
- Subject: [IT-SecNots] [SECURITY] [DSA 3896-1] apache2 security update
- Date: Thu, 22 Jun 2017 19:41:41 +0000
- List-archive: https://lists.debian.org/msgid-search/E1dO7z3-0002Pc-3V AT master.debian.org
- List-id: <debian-security-announce.lists.debian.org>
- List-url: <http://lists.debian.org/debian-security-announce/>
- Old-return-path: <carnil AT master.debian.org>
- Priority: urgent
- Resent-date: Thu, 22 Jun 2017 19:41:58 +0000 (UTC)
- Resent-from: debian-security-announce AT lists.debian.org
- Resent-message-id: <R_r13xNtGHM.A.uuD.G2BTZB@bendel>
- Resent-sender: debian-security-announce-request AT lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3896-1 security AT debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 22, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : apache2
CVE ID : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
CVE-2017-7679
Several vulnerabilities have been found in the Apache HTTPD server.
CVE-2017-3167
Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by
third-party modules outside of the authentication phase may lead to
authentication requirements being bypassed.
CVE-2017-3169
Vasileios Panopoulos of AdNovum Informatik AG discovered that
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port
leading to a denial of service.
CVE-2017-7659
Robert Swiecki reported that a specially crafted HTTP/2 request
could cause mod_http2 to dereference a NULL pointer and crash the
server process.
CVE-2017-7668
Javier Jimenez reported that the HTTP strict parsing contains a
flaw leading to a buffer overread in ap_find_token(). A remote
attacker can take advantage of this flaw by carefully crafting a
sequence of request headers to cause a segmentation fault, or to
force ap_find_token() to return an incorrect value.
CVE-2017-7679
ChenQin and Hanno Boeck reported that mod_mime can read one byte
past the end of a buffer when sending a malicious Content-Type
response header.
For the oldstable distribution (jessie), these problems have been fixed
in version 2.4.10-10+deb8u9. The oldstable distribution (jessie) is not
affected by CVE-2017-7659.
For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u1.
For the unstable distribution (sid), these problems have been fixed in
version 2.4.25-4.
We recommend that you upgrade your apache2 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAllMG3FfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TeKRAAhVlS+pLGQzuA55qQUEWCi1I1r/BI4uZhA1+2lhH63o0yfkx7bmKLHGy/
TEQeBxY9MW6l/wVH3fuJinfnl72T3Q9MKuGgB9dFW+5j0G4EsX2Si4iHo49vcOOx
o2jXCcZa3N08EOlIzjHAc1Ll7QXhGD4Oz0jHhtRY6Ah3L4Cp263Ntui+SajjBko7
GtlPS2wa60xKbUMLFyBJjZxtZDHR/dqrwD4WNoEYCgQonSpZ9O2QZ4lcYmrQ2tTc
/sELhjDNQqgjYXG5PFS+1X0vfTMmLJpbG9/U6pbu6jP3PF/1zvvXnS8rZTCNA2WT
3BathHrPESOrFo2nSPSg4G9ZgQ9hw0q2ftXilWgXH7LV/ta2ZW4cf6qtxbQrKZH3
l+OukeZLn5F5EJRzQGrmKmzBA4IQKKlwOsvGGLr81yHPskEePTNZCoymsJm5Uj5u
NfSdc40S/wEVnJlUroJDsqujY/2CekrKw6ppy0saLoTzhnjmBYWmzl71Bd7ZbkHh
LtjmEjiAx7Aj9a3KGa9cnFk2oynDGUYKe1qY9lEP7iCDS8hCnkBYqkZ/w6MrahjL
0BfGCeLc3APdd/O4FDsfGhC9JL660OfYdvF4EcGT/o80xPmI7Gs2lVPaR+v+PilN
d9lqVxm2xXzaZ+bYEHd7MR0cfc3emeDLJGQonTe5MV9qkETdNy4=
=i4iT
-----END PGP SIGNATURE-----
- [IT-SecNots] [SECURITY] [DSA 3896-1] apache2 security update, Salvatore Bonaccorso, 22.06.2017
Archiv bereitgestellt durch MHonArc 2.6.19.