[3.2] apache2: Multiple vulnerabilities (CVE-2016-0736, CVE-2016-2161, CVE-2016-8743)
CVE-2016-0736: Padding Oracle in Apache mod_session_crypto
Affects: 2.4.1 to 2.4.23
Fixed in: 2.4.25
References:
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25
CVE-2016-2161: DoS vulnerability in mod_auth_digest
Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests.
Affects: 2.4.1 to 2.4.23
Fixed in: 2.4.25
References:
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25
CVE-2016-8743: Apache HTTP Request Parsing Whitespace Defects
Affects: 2.2.0 to 2.4.23.
Fixed in 2.4.25.
References:
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25
(from redmine: issue id 6942, created on 2017-02-27, closed on 2017-03-07)
- Relations:
- parent #6938 (closed)
- Changesets:
- Revision 057227d5 by Andy Postnikov on 2017-03-06T12:06:47Z:
main/apache2: upgrade to 2.4.25
Security release http://www.apache.org/dist/httpd/CHANGES_2.4.25
Also it includes previous patch for httpoxy
fixes #6942