Compatible Support Forums
[gentoo-announce] [ GLSA 201706-25 ] Graphite: User-assisted execution of arbitrary code


-------------------------------------------------------------------------
Debian Security Advisory DSA-3896-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
June 22, 2017                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
                 CVE-2017-7679


Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2017-3167

    Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by
    third-party modules outside of the authentication phase may lead to
    authentication requirements being bypassed.

CVE-2017-3169

    Vasileios Panopoulos of AdNovum Informatik AG discovered that
    mod_ssl may dereference a NULL pointer when third-party modules call
    ap_hook_process_connection() during an HTTP request to an HTTPS port,
    leading to a denial of service.

CVE-2017-7659

    Robert Swiecki reported that a specially crafted HTTP/2 request
    could cause mod_http2 to dereference a NULL pointer and crash the
    server process.

CVE-2017-7668

    Javier Jimenez reported that the HTTP strict parsing contains a
    flaw leading to a buffer overread in ap_find_token(). A remote
    attacker can take advantage of this flaw by carefully crafting a
    sequence of request headers to cause a segmentation fault, or to
    force ap_find_token() to return an incorrect value.

CVE-2017-7679

    ChenQin and Hanno Boeck reported that mod_mime can read one byte
    past the end of a buffer when sending a malicious Content-Type
    response header.


For the oldstable distribution (jessie), these problems have been fixed
in version 2.4.10-10+deb8u9. The oldstable distribution (jessie) is not
affected by CVE-2017-7659.

For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.25-4.

We recommend that you upgrade your apache2 packages.
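The check a reader of this advisory usually wants next is whether a given installed apache2 version is at or above the fixed version for its suite. The following is an added example, not part of the advisory or of Debian's tooling: a small Python port of dpkg's version-comparison rules (epoch, upstream, Debian revision, with "~" sorting before everything) applied to the fixed versions quoted above, including the jessie exception for CVE-2017-7659. The suite names used as keys and any installed versions passed in are assumptions, not values from the advisory.

```python
# Fixed versions and CVE list taken from DSA-3896-1 (the advisory above).
FIXED_VERSIONS = {"jessie": "2.4.10-10+deb8u9", "stretch": "2.4.25-3+deb9u1", "sid": "2.4.25-4"}
ADVISORY_CVES = ["CVE-2017-3167", "CVE-2017-3169", "CVE-2017-7659", "CVE-2017-7668", "CVE-2017-7679"]
NOT_AFFECTED = {"jessie": {"CVE-2017-7659"}}  # exception stated in the advisory

def _order(c: str) -> int:
    # dpkg character weight: '~' < end-of-string < digits < letters < other punctuation
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp(): compare alternating non-digit and numeric segments.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        i = len(a) - len(a[i:].lstrip("0"))  # leading zeros are not significant
        j = len(b) - len(b[j:].lstrip("0"))
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():  # the longer number is the larger one
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def debian_version_cmp(v1: str, v2: str) -> int:
    # Returns -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-debian_revision].
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "0")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def is_patched(suite: str, installed: str) -> bool:
    # True when the installed apache2 version is at or above the suite's fixed version.
    return debian_version_cmp(installed, FIXED_VERSIONS[suite]) >= 0

def applicable_cves(suite: str) -> list:
    # CVEs from this advisory that apply to the suite (jessie is not affected by CVE-2017-7659).
    return [c for c in ADVISORY_CVES if c not in NOT_AFFECTED.get(suite, set())]
```

On a Debian host the installed version to feed `is_patched` comes from `dpkg-query -W -f='${Version}' apache2`; a backport such as 2.4.25-3~bpo8+1 correctly sorts below 2.4.25-3 because of the "~" rule.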


Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
