#6723 closed enhancement (fixed)
httpd-2.4.16
Reported by: | Douglas R. Reno | Owned by: | |
---|---|---|---|
Priority: | high | Milestone: | 7.8 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: | | | |
Description (last modified by )
https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2
https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2.asc
https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2.md5
2b19cd338fd526dd5a63c57b1e9bfee2
https://archive.apache.org/dist/httpd/CHANGES_2.4.16
...
https://httpd.apache.org/security/vulnerabilities_24.html
Fixed in Apache httpd 2.4.16

low: mod_lua: Crash in websockets PING handling CVE-2015-0228
A stack recursion crash in the mod_lua module was found. A Lua script executing the r:wsupgrade() function could crash the process if a malicious client sent a carefully crafted PING request. This issue affected releases 2.4.7 through 2.4.12 inclusive.
Acknowledgements: This issue was reported by Guido Vranken.
Reported to security team: 28th January 2015
Issue public: 4th February 2015
Update Released: 15th July 2015
Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7

low: Crash in ErrorDocument 400 handling CVE-2015-0253
A crash in ErrorDocument handling was found. If ErrorDocument 400 was configured pointing to a local URL-path with the INCLUDES filter active, a NULL dereference would occur when handling the error, causing the child process to crash. This issue affected the 2.4.12 release only.
Reported to security team: 3rd February 2015
Issue public: 5th March 2015
Update Released: 15th July 2015
Affects: 2.4.12

low: HTTP request smuggling attack against chunked request parser CVE-2015-3183
An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use.
Acknowledgements: This issue was reported by Régis Leroy.
Reported to security team: 4th April 2015
Issue public: 9th June 2015
Update Released: 15th July 2015
Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1

low: ap_some_auth_required API unusable CVE-2015-3185
A design error in the "ap_some_auth_required" function renders the API unusable in httpd 2.4.x. In particular the API is documented as answering whether the request required authentication but only answers whether there are Require lines in the applicable configuration. Since 2.4.x Require lines are used for authorization as well and can appear in configurations even when no authentication is required and the request is entirely unrestricted. This could lead to modules using this API to allow access when they should otherwise not do so. API users should use the new ap_some_authn_required API added in 2.4.16 instead.
Acknowledgements: This issue was reported by Ben Reser.
Reported to security team: 5th August 2013
Issue public: 9th June 2015
Update Released: 15th July 2015
Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.5, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0
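The chunked-parser advisory above (CVE-2015-3183) names the class of defect, a length the server reads differently from an intermediary, without showing what a strict parser looks like. The following is an added illustration written for this ticket, not code from Apache httpd or from the advisory: a parser for the HTTP/1.1 chunked transfer coding that enforces the RFC 7230 grammar for the chunk-size line (hex digits only, optional chunk extension, bounded length) and fails closed on anything else. It also contrasts that with Python's general-purpose `int()`, which, like other tolerant integer parsers, accepts surrounding whitespace, a sign, a `0x` prefix and digit separators; a decoder built on such a function can disagree with the next hop about where a message ends, which is exactly the ambiguity request smuggling relies on. The sample messages and the helper names are constructed for the example.

```python
"""Strict decoder for the HTTP/1.1 chunked transfer coding (RFC 7230 section 4.1).

Added example, not Apache httpd code. The defensive rule it demonstrates:
parse the chunk-size line with the RFC grammar, never with a tolerant
integer parser, so that every hop reads the same framing.
"""
import re
from typing import Optional, Tuple

# chunk-size = 1*HEXDIG [ chunk-ext ]; at most 8 hex digits keeps the value
# inside 32 bits, so an oversized size cannot wrap an arithmetic check later.
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(;[^\r\n]*)?")


class ChunkedError(ValueError):
    """Raised for any message outside the strict grammar."""


def strict_chunk_size(line: bytes) -> Optional[int]:
    """Return the chunk size if LINE matches the RFC grammar, else None."""
    m = _CHUNK_SIZE_LINE.fullmatch(line)
    return int(m.group(1), 16) if m else None


def lenient_chunk_size(line: bytes) -> Optional[int]:
    """What a tolerant integer parser would make of LINE (shown for contrast).

    int(..., 16) silently accepts ' 5', '+5', '0x5', '5_0' and similar forms that
    the grammar forbids; two decoders with different tolerances disagree.
    """
    try:
        return int(line.decode("ascii"), 16)
    except ValueError:
        return None


def parse_chunked(body: bytes) -> Tuple[bytes, bytes]:
    """Decode BODY; return (payload, bytes left after the terminating chunk).

    The second element is whatever follows the message on the connection.
    Any deviation from the grammar raises instead of being guessed at.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("chunk-size line not terminated by CRLF")
        size = strict_chunk_size(body[pos:eol])
        if size is None:
            raise ChunkedError("invalid chunk-size line: %r" % body[pos:eol])
        pos = eol + 2
        if size == 0:
            # last-chunk: zero or more trailer fields, then an empty line.
            while True:
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkedError("unterminated trailer section")
                line = body[pos:eol]
                pos = eol + 2
                if line == b"":
                    return bytes(out), body[pos:]
                if b":" not in line:
                    raise ChunkedError("malformed trailer field: %r" % line)
        if len(body) - pos < size + 2:
            raise ChunkedError("chunk-data truncated")
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkedError("chunk-data not followed by CRLF")
        pos += 2


def is_rejected(body: bytes) -> bool:
    """True if the strict decoder refuses BODY (convenience for checks)."""
    try:
        parse_chunked(body)
    except ChunkedError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample bodies; the first two are well-formed.
    samples = [
        b"5\r\nhello\r\n0\r\n\r\n",
        b"3;ext=1\r\nabc\r\n2\r\nde\r\n0\r\nX-Trailer: 1\r\n\r\n",
        b" 5\r\nhello\r\n0\r\n\r\n",   # leading space: int() accepts, grammar does not
        b"+5\r\nhello\r\n0\r\n\r\n",   # sign character: same
        b"0x5\r\nhello\r\n0\r\n\r\n",  # radix prefix: same
    ]
    for s in samples:
        first = s.split(b"\r\n", 1)[0]
        print(first, "lenient=%r strict=%r rejected=%s"
              % (lenient_chunk_size(first), strict_chunk_size(first), is_rejected(s)))
```

The point of `lenient_chunk_size` is only the comparison: each of the three malformed samples decodes to 5 under `int()` and to `None` under the grammar, so a front end using one rule and a back end using the other would frame the same bytes differently. A server-side decoder should behave like `parse_chunked` and reject, and a proxy should do the same rather than forward what it could not parse unambiguously.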
Change History (4)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:4 by , 9 years ago
Description: | modified (diff) |
---|---|
Priority: | normal → high |