Bug #6939

Bug #6938: apache2: Multiple vulnerabilities (CVE-2016-0736, CVE-2016-2161, CVE-2016-8740, CVE-2016-8743)

[3.5] apache2: Multiple vulnerabilities (CVE-2016-0736, CVE-2016-2161, CVE-2016-8740, CVE-2016-8743)

Added by Alicha CH almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Category: Security
Target version:
Start date: 02/27/2017
Due date:
% Done: 100%
Estimated time:
Affected versions:
Security IDs:

Description

CVE-2016-0736: Padding Oracle in Apache mod_session_crypto

Affects: 2.4.1 to 2.4.23

Fixed in: 2.4.25

References:

https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25

CVE-2016-2161: DoS vulnerability in mod_auth_digest

Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests.

Affects: 2.4.1 to 2.4.23

Fixed in: 2.4.25

References:

https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25

CVE-2016-8740: HTTP/2 CONTINUATION denial of service

Affects: 2.4.17, 2.4.18, 2.4.20, 2.4.23

Fixed in: 2.4.25

References:

https://httpd.apache.org/security/vulnerabilities_24.html
http://seclists.org/bugtraq/2016/Dec/3

CVE-2016-8743: Apache HTTP Request Parsing Whitespace Defects

Affects: 2.2.0 to 2.4.23

Fixed in: 2.4.25

References:

https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25

Associated revisions

Revision 6e87afc1 (diff)
Added by Andy Postnikov almost 2 years ago

main/apache2: upgrade to 2.4.25

Security release http://www.apache.org/dist/httpd/CHANGES_2.4.25
Also it includes previous patch for httpoxy

fixes #6939

(cherry picked from commit 57ba71e0786da6d5383c4785fb65be50a2cad693)

History

#1 Updated by Andy Postnikov almost 2 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Alicha CH almost 2 years ago

  • Category set to Security
  • Status changed from Resolved to Closed
