[3.5] apache2: Multiple vulnerabilities (CVE-2016-0736, CVE-2016-2161, CVE-2016-8740, CVE-2016-8743)
CVE-2016-0736: Padding Oracle in Apache mod_session_crypto
Affects: 2.4.1 to 2.4.23
Fixed in: 2.4.25
References:
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25
CVE-2016-2161: DoS vulnerability in mod_auth_digest
Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests.
Affects: 2.4.1 to 2.4.23
Fixed in: 2.4.25
References:
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25
CVE-2016-8740: HTTP/2 CONTINUATION denial of service
Affects: 2.4.17, 2.4.18, 2.4.20, 2.4.23
Fixed in: 2.4.25
References:
https://httpd.apache.org/security/vulnerabilities_24.html
http://seclists.org/bugtraq/2016/Dec/3
CVE-2016-8743: Apache HTTP Request Parsing Whitespace Defects
Affects: 2.2.0 to 2.4.23
Fixed in: 2.4.25
References:
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25
(from redmine: issue id 6939, created on 2017-02-27, closed on 2017-03-07)
- Relations:
- parent #6938 (closed)
- Changesets:
- Revision 6e87afc1 by Andy Postnikov on 2017-02-28T14:25:23Z:
main/apache2: upgrade to 2.4.25
Security release http://www.apache.org/dist/httpd/CHANGES_2.4.25
Also it includes previous patch for httpoxy
fixes #6939
(cherry picked from commit 57ba71e0786da6d5383c4785fb65be50a2cad693)