Changes between Initial Version and Version 4 of Ticket #6723


Timestamp:
10/13/2015 10:52:27 AM (9 years ago)
Author:
Fernando de Oliveira
Comment:

  • Ticket #6723

    • Property Owner changed from blfs-book@… to bdubbs@…
    • Property Status changed from new to closed
    • Property Resolution set to fixed
    • Property Priority changed from normal to high
  • Ticket #6723 – Description

    Initial version:

    Currency check says that there is a new version, but I am unable to find it right now.

    Version 4:

    [https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2]

    [https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2.asc]

    [https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2.md5]

    2b19cd338fd526dd5a63c57b1e9bfee2

    [https://archive.apache.org/dist/httpd/CHANGES_2.4.16]

    {{{
    ...
    }}}

    [https://httpd.apache.org/security/vulnerabilities_24.html]

    {{{
    Fixed in Apache httpd 2.4.16

        low: mod_lua: Crash in websockets PING handling CVE-2015-0228

        A stack recursion crash in the mod_lua module was found. A Lua
        script executing the r:wsupgrade() function could crash the process
        if a malicious client sent a carefully crafted PING request. This
        issue affected releases 2.4.7 through 2.4.12 inclusive.

        Acknowledgements: This issue was reported by Guido Vranken.
        Reported to security team: 28th January 2015
        Issue public: 4th February 2015
        Update Released: 15th July 2015
        Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7

        low: Crash in ErrorDocument 400 handling CVE-2015-0253

        A crash in ErrorDocument handling was found. If ErrorDocument 400
        was configured pointing to a local URL-path with the INCLUDES filter
        active, a NULL dereference would occur when handling the error,
        causing the child process to crash. This issue affected the 2.4.12
        release only.

        Reported to security team: 3rd February 2015
        Issue public: 5th March 2015
        Update Released: 15th July 2015
        Affects: 2.4.12

        low: HTTP request smuggling attack against chunked request parser
        CVE-2015-3183

        An HTTP request smuggling attack was possible due to a bug in
        parsing of chunked requests. A malicious client could force the
        server to misinterpret the request length, allowing cache poisoning
        or credential hijacking if an intermediary proxy is in use.

        Acknowledgements: This issue was reported by Régis Leroy.
        Reported to security team: 4th April 2015
        Issue public: 9th June 2015
        Update Released: 15th July 2015
        Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.4, 2.4.3,
        2.4.2, 2.4.1
        low: ap_some_auth_required API unusable CVE-2015-3185

        A design error in the "ap_some_auth_required" function renders the
        API unusable in httpd 2.4.x. In particular the API is documented as
        answering if the request required authentication but only answers if
        there are Require lines in the applicable configuration. Since 2.4.x
        Require lines are used for authorization as well and can appear in
        configurations even when no authentication is required and the
        request is entirely unrestricted. This could lead to modules using
        this API to allow access when they should otherwise not do so. API
        users should use the new ap_some_authn_required API added in 2.4.16
        instead.

        Acknowledgements: This issue was reported by Ben Reser.
        Reported to security team: 5th August 2013
        Issue public: 9th June 2015
        Update Released: 15th July 2015
        Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.5, 2.4.4,
        2.4.3, 2.4.2, 2.4.1, 2.4.0
    }}}
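The description lists the tarball, its detached .asc signature and the published MD5 value. The script below is an added example, not part of the ticket or of BLFS, showing the check a maintainer would run before bumping the book: compare the downloaded tarball's MD5 against the value quoted in the ticket, then verify the PGP signature. The file name and hash are the ones from the ticket; the `md5_of`, `verify_md5` and `verify_signature` helper names are this example's own. The MD5 comparison only catches a corrupted or truncated download; authenticity comes from the signature check, which is meaningful only after the Apache httpd release keys have been imported into the local keyring.

```shell
#!/bin/sh
# Added example (not the ticket's or BLFS's own code): integrity and
# signature checks for the httpd-2.4.16 release named in ticket #6723.

HTTPD_TARBALL="httpd-2.4.16.tar.bz2"
# MD5 value as quoted in the ticket description.
HTTPD_MD5="2b19cd338fd526dd5a63c57b1e9bfee2"

# md5_of FILE: print the lowercase hex MD5 of FILE.
# Uses coreutils md5sum, falling back to openssl where md5sum is absent.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: exit 0 when FILE hashes to EXPECTED, 1 otherwise.
# A mismatch means the download is damaged; it says nothing about who made it.
verify_md5() {
    actual=$(md5_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# verify_signature TARBALL: check the detached TARBALL.asc with gpg.
# The release signing key must already be in the keyring (import the
# project's KEYS file first); otherwise gpg cannot verify and this returns 1.
verify_signature() {
    gpg --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Stand-alone use: run from the directory holding the tarball and its .asc.
if [ -f "$HTTPD_TARBALL" ]; then
    if verify_md5 "$HTTPD_TARBALL" "$HTTPD_MD5"; then
        echo "MD5 OK: $HTTPD_TARBALL"
    else
        echo "MD5 MISMATCH: $HTTPD_TARBALL" >&2
    fi
    if verify_signature "$HTTPD_TARBALL"; then
        echo "signature OK: $HTTPD_TARBALL.asc"
    else
        echo "signature NOT verified (missing key or bad signature)" >&2
    fi
fi
```

The script prints nothing when the tarball is not present, so it can be sourced safely; both checks are functions so they can be reused for the .md5 file's own contents or for other BLFS packages.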