Currency check says that there is a new version, but I am unable to find it right now.
[https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2]

[https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2.asc]

[https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2.md5]

2b19cd338fd526dd5a63c57b1e9bfee2

[https://archive.apache.org/dist/httpd/CHANGES_2.4.16]

{{{
...
}}}

[https://httpd.apache.org/security/vulnerabilities_24.html]

{{{
Fixed in Apache httpd 2.4.16

low: mod_lua: Crash in websockets PING handling CVE-2015-0228

A stack recursion crash in the mod_lua module was found. A Lua
script executing the r:wsupgrade() function could crash the process
if a malicious client sent a carefully crafted PING request. This
issue affected releases 2.4.7 through 2.4.12 inclusive.

Acknowledgements: This issue was reported by Guido Vranken.
Reported to security team: 28th January 2015
Issue public: 4th February 2015
Update Released: 15th July 2015
Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7

low: Crash in ErrorDocument 400 handling CVE-2015-0253

A crash in ErrorDocument handling was found. If ErrorDocument 400
was configured pointing to a local URL-path with the INCLUDES filter
active, a NULL dereference would occur when handling the error,
causing the child process to crash. This issue affected the 2.4.12
release only.

Reported to security team: 3rd February 2015
Issue public: 5th March 2015
Update Released: 15th July 2015
Affects: 2.4.12

low: HTTP request smuggling attack against chunked request parser
CVE-2015-3183

An HTTP request smuggling attack was possible due to a bug in
parsing of chunked requests. A malicious client could force the
server to misinterpret the request length, allowing cache poisoning
or credential hijacking if an intermediary proxy is in use.

Acknowledgements: This issue was reported by Régis Leroy.
Reported to security team: 4th April 2015
Issue public: 9th June 2015
Update Released: 15th July 2015
Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.4, 2.4.3,
2.4.2, 2.4.1

low: ap_some_auth_required API unusable CVE-2015-3185

A design error in the "ap_some_auth_required" function renders the
API unusable in httpd 2.4.x. In particular the API is documented to
answer if the request required authentication but only answers if
there are Require lines in the applicable configuration. Since 2.4.x
Require lines are used for authorization as well and can appear in
configurations even when no authentication is required and the
request is entirely unrestricted. This could lead to modules using
this API to allow access when they should otherwise not do so. API
users should use the new ap_some_authn_required API added in 2.4.16
instead.

Acknowledgements: This issue was reported by Ben Reser.
Reported to security team: 5th August 2013
Issue public: 9th June 2015
Update Released: 15th July 2015
Affects: 2.4.12, 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.5, 2.4.4,
2.4.3, 2.4.2, 2.4.1, 2.4.0
}}}
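An added example, not part of this ticket, showing how to check the fetched tarball against the published `.md5` sidecar before bumping the port; the digest only catches a corrupt or substituted download, so the `.asc` signature (`gpg --verify`) remains the authenticity check. The function names and the sidecar format assumption ("<hex>  <filename>") are mine.

```shell
#!/bin/sh
# Verify a downloaded distfile against its .md5 sidecar and, when gpg is
# present, against the detached .asc signature. Portable across Linux
# (md5sum), macOS/BSD (md5) and anything with openssl.

# Print the MD5 hex digest of a file using whichever tool exists.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  elif command -v md5 >/dev/null 2>&1; then
    md5 -q "$1"
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -md5 "$1" | sed 's/^.*= //'
  else
    echo "no md5 tool found" >&2
    return 2
  fi
}

# Compare a file's digest with an expected value (case-insensitive,
# since sidecar files vary in hex case). 0 = match, 1 = mismatch.
check_md5() {
  file=$1; expected=$2
  actual=$(md5_of "$file") || return 2
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
    "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Read the expected digest from the first field of the sidecar file and
# verify the tarball against it. Refuses (exit 1) on mismatch.
verify_distfile() {
  tarball=$1; sidecar=$2
  expected=$(head -n1 "$sidecar" | awk '{print $1}')
  if check_md5 "$tarball" "$expected"; then
    echo "OK: $tarball matches $expected"
  else
    echo "MISMATCH: $tarball does not match $expected; do not install" >&2
    return 1
  fi
}

# Check the detached PGP signature when gpg is available (the signer's
# key must already be in the keyring, e.g. from the project's KEYS file).
verify_signature() {
  tarball=$1; sig=$2
  command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping" >&2; return 2; }
  gpg --verify "$sig" "$tarball"
}

# Example invocation for the files linked in the ticket:
# verify_distfile httpd-2.4.16.tar.bz2 httpd-2.4.16.tar.bz2.md5 && \
#   verify_signature httpd-2.4.16.tar.bz2 httpd-2.4.16.tar.bz2.asc
```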