Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#6723 closed enhancement (fixed)

httpd-2.4.16

Reported by: Douglas R. Reno Owned by: bdubbs@…
Priority: high Milestone: 7.8
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by Fernando de Oliveira)

https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2

https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2.asc

https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2.md5

2b19cd338fd526dd5a63c57b1e9bfee2

https://archive.apache.org/dist/httpd/CHANGES_2.4.16

...

https://httpd.apache.org/security/vulnerabilities_24.html

Fixed in Apache httpd 2.4.16

    low: mod_lua: Crash in websockets PING handling CVE-2015-0228

    A stack recursion crash in the mod_lua module was found. A Lua
    script executing the r:wsupgrade() function could crash the process
    if a malicious client sent a carefully crafted PING request. This
    issue affected releases 2.4.7 through 2.4.12 inclusive.

    Acknowledgements: This issue was reported by Guido Vranken.
    Reported to security team: 28th January 2015
    Issue public: 4th February 2015
    Update Released: 15th July 2015
    Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7

    low: Crash in ErrorDocument 400 handling CVE-2015-0253

    A crash in ErrorDocument handling was found. If ErrorDocument 400
    was configured pointing to a local URL-path with the INCLUDES filter
    active, a NULL dereference would occur when handling the error,
    causing the child process to crash. This issue affected the 2.4.12
    release only.  Reported to security team: 3rd February 2015 Issue
    public: 5th March 2015 Update Released: 15th July 2015 Affects:
    2.4.12

    low: HTTP request smuggling attack against chunked request parser
    CVE-2015-3183

    An HTTP request smuggling attack was possible due to a bug in
    parsing of chunked requests. A malicious client could force the
    server to misinterpret the request length, allowing cache poisoning
    or credential hijacking if an intermediary proxy is in use.

    Acknowledgements: This issue was reported by Régis Leroy.
    Reported to security team: 4th April 2015
    Issue public: 9th June 2015
    Update Released: 15th July 2015
    Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.4, 2.4.3,
    2.4.2, 2.4.1

    low: ap_some_auth_required API unusable CVE-2015-3185

    A design error in the "ap_some_auth_required" function renders the
    API unusuable in httpd 2.4.x. In particular the API is documented to
    answering if the request required authentication but only answers if
    there are Require lines in the applicable configuration. Since 2.4.x
    Require lines are used for authorization as well and can appear in
    configurations even when no authentication is required and the
    request is entirely unrestricted. This could lead to modules using
    this API to allow access when they should otherwise not do so. API
    users should use the new ap_some_authn_required API added in 2.4.16
    instead.

    Acknowledgements: This issue was reported by Ben Reser.
    Reported to security team: 5th August 2013
    Issue public: 9th June 2015
    Update Released: 15th July 2015
    Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.5, 2.4.4,
    2.4.3, 2.4.2, 2.4.1, 2.4.0

Change History (4)

comment:2 by bdubbs@…, 9 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: newassigned

comment:3 by bdubbs@…, 9 years ago

Resolution: fixed
Status: assignedclosed

Fixed at revision 16251.

comment:4 by Fernando de Oliveira, 8 years ago

Description: modified (diff)
Priority: normalhigh
Note: See TracTickets for help on using tickets.