Opened 5 years ago

Closed 5 years ago

#8658 closed enhancement (fixed)

Apache httpd-2.4.25 (CVE-2016-0736 CVE-2016-2161 CVE-2016-5387 CVE-2016-8740 CVE-2016-8743)

Reported by: Pierre Labastie
Owned by: bdubbs@…
Priority: high
Milestone: 8.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description (last modified by Douglas R. Reno)

In dist directory, but not announced yet. The maintainer should be back tomorrow (https://lists.apache.org/list.html?dev@httpd.apache.org:2016-12)

    CVE-2016-0736 mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack.
    CVE-2016-2161 mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted.
    CVE-2016-5387 core: Mitigate [f]cgi "httpoxy" issues.
    CVE-2016-8740 mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
    CVE-2016-8743 Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies.

Change History (3)

comment:1 by Douglas R. Reno, 5 years ago

Description: modified (diff)
Priority: normal → high
Summary: Apache httpd-2.4.25 → Apache httpd-2.4.25 (CVE-2016-0736 CVE-2016-2161 CVE-2016-5387 CVE-2016-8740 CVE-2016-8743)

comment:2 by bdubbs@…, 5 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:3 by bdubbs@…, 5 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 18105.
