UbuntuUpdates.org

Package "apache2-data"

Name: apache2-data

Description:

Apache HTTP Server (common files)

Latest version: 2.4.18-2ubuntu3.17
Release: xenial (16.04)
Level: security
Repository: main
Head package: apache2
Homepage: http://httpd.apache.org/

Other versions of "apache2-data" in Xenial

Repository   Area   Version
base         main   2.4.18-2ubuntu3
updates      main   2.4.18-2ubuntu3.17

Changelog

Version: 2.4.18-2ubuntu3.5 2017-09-19 18:07:02 UTC
No changelog available yet.

Version: 2.4.18-2ubuntu3.4 2017-07-27 18:06:54 UTC

  apache2 (2.4.18-2ubuntu3.4) xenial-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
    - debian/patches/CVE-2017-9788.patch: correct string scope in
      modules/aaa/mod_auth_digest.c.
    - CVE-2017-9788

 -- Marc Deslauriers <email address hidden> Thu, 27 Jul 2017 10:34:01 -0400

CVE-2017-9788 In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or

Version: 2.4.18-2ubuntu3.3 2017-06-26 18:06:47 UTC

  apache2 (2.4.18-2ubuntu3.3) xenial-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
    - debian/patches/CVE-2017-3167.patch: deprecate and replace
      ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
      server/protocol.c, server/request.c.
    - CVE-2017-3167
  * SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
    - debian/patches/CVE-2017-3169.patch: fix ctx passed to
      ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
    - CVE-2017-3169
  * SECURITY UPDATE: denial of service and possible incorrect value return
    in HTTP strict parsing changes
    - debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
      server/util.c.
    - CVE-2017-7668
  * SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
    - debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
      modules/http/mod_mime.c.
    - CVE-2017-7679

 -- Marc Deslauriers <email address hidden> Mon, 26 Jun 2017 07:58:04 -0400

CVE-2017-3167 In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication p
CVE-2017-3169 In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_con
CVE-2017-7668 The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to searc
CVE-2017-7679 In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Typ

Version: 2.4.18-2ubuntu3.2 2017-05-09 15:07:11 UTC

  apache2 (2.4.18-2ubuntu3.2) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session
      data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in
      modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via
    incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
      include/http_core.h, include/http_protocol.h, include/httpd.h,
      modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
      server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname
      restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
    may introduce compatibility issues with clients that do not strictly
    follow specifications. A new configuration directive,
    "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
    strict parsing restrictions, at the expense of security.

 -- Marc Deslauriers <email address hidden> Fri, 05 May 2017 12:32:00 -0400

CVE-2016-0736 Padding Oracle in Apache mod_session_crypto
CVE-2016-2161 DoS vulnerability in mod_auth_digest
CVE-2016-8743 Apache HTTP Request Parsing Whitespace Defects

Version: 2.4.18-2ubuntu3.1 2016-07-18 19:06:54 UTC

  apache2 (2.4.18-2ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5387.patch: don't pass through HTTP_PROXY in
      server/util_script.c.
    - CVE-2016-5387

 -- Marc Deslauriers <email address hidden> Thu, 14 Jul 2016 08:32:26 -0400
