Subject: [ASA-201706-34] apache: multiple issues

Arch Linux Security Advisory ASA-201706-34
==========================================

Severity: High
Date    : 2017-06-28
CVE-ID  : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
          CVE-2017-7679
Package : apache
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-316

Summary
=======

The package apache before version 2.4.26-1 is vulnerable to multiple
issues including denial of service, information disclosure and
authentication bypass.

Resolution
==========

Upgrade to 2.4.26-1.

# pacman -Syu "apache>=2.4.26-1"

The problems have been fixed upstream in version 2.4.26.

Workaround
==========

None.

Description
===========

- CVE-2017-3167 (authentication bypass)

An authentication bypass flaw has been found in Apache httpd < 2.4.26,
where the use of the ap_get_basic_auth_pw() function by third-party
modules outside of the authentication phase may lead to authentication
requirements being bypassed.
Third-party module writers SHOULD use ap_get_basic_auth_components(),
available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the
authentication phase MUST either immediately authenticate the user
after the call, or else stop the request immediately with an error
response, to avoid incorrectly authenticating the current request.

- CVE-2017-3169 (denial of service)

A NULL-pointer dereference leading to denial of service has been found
in the mod_ssl component of Apache httpd < 2.4.26. mod_ssl may
dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

- CVE-2017-7659 (denial of service)

A NULL-pointer dereference leading to denial of service has been found
in the mod_http2 component of Apache httpd < 2.4.26. A maliciously
constructed HTTP/2 request could cause mod_http2 to dereference a NULL
pointer and crash the server process.

- CVE-2017-7668 (information disclosure)

An out-of-bounds read has been found in Apache httpd < 2.4.26. The HTTP
strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
token list parsing, which allows ap_find_token() to search past the end
of its input string. By maliciously crafting a sequence of request
headers, an attacker may be able to cause a segmentation fault, or to
force ap_find_token() to return an incorrect value.

- CVE-2017-7679 (denial of service)

An out-of-bounds read has been found in Apache httpd < 2.4.26, where
mod_mime can read one byte past the end of a buffer when a malicious
Content-Type response header is sent.

Impact
======

A remote attacker can crash an apache server or obtain sensitive
information from the host by performing a maliciously-crafted HTTP
request. In addition, a malicious attacker can bypass a server's
authentication requirements via maliciously-crafted request headers.

References
==========

https://httpd.apache.org/security/vulnerabilities_24.html
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
https://security.archlinux.org/CVE-2017-3167
https://security.archlinux.org/CVE-2017-3169
https://security.archlinux.org/CVE-2017-7659
https://security.archlinux.org/CVE-2017-7668
https://security.archlinux.org/CVE-2017-7679
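
To confirm the Resolution step on a host, the following added example (not part of the advisory) compares an installed apache package version against the fixed 2.4.26-1. The function names are illustrative, and the `sort -V` fallback used when pacman's `vercmp` is not on the PATH is an assumption that only approximates pacman's version ordering (no epoch handling).

```shell
#!/bin/sh
# Added example: report whether an apache package version predates the
# fixed release named in ASA-201706-34. Function names are illustrative.

FIXED="2.4.26-1"   # fixed package version, taken from the advisory

# version_lt A B: succeeds when version A sorts strictly before version B.
# Prefers pacman's vercmp; falls back to `sort -V` (approximation) elsewhere.
version_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# apache_status VERSION: prints "vulnerable" or "fixed" for that version.
apache_status() {
    if version_lt "$1" "$FIXED"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# check_installed: look up the locally installed apache package, if any.
check_installed() {
    if ! command -v pacman >/dev/null 2>&1; then
        echo "pacman not found; not an Arch Linux host?" >&2
        return 2
    fi
    # `pacman -Q apache` prints "apache <version>" when the package is installed.
    ver=$(pacman -Q apache 2>/dev/null | awk '{print $2}')
    if [ -z "$ver" ]; then
        echo "apache: not installed"
        return 0
    fi
    echo "apache $ver: $(apache_status "$ver")"
}

# Run the local check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Running the script with `--check` on an Arch Linux host prints the installed version and its status; a "vulnerable" result means the `pacman -Syu` upgrade from the Resolution section is still pending.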