
Bug 603130 (CVE-2016-2161, CVE-2016-8743)

Summary: <www-servers/apache-2.4.25: Multiple vulnerabilities (CVE-2016-{2161,8743})
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: polynomial-c
Priority: Normal
Flags: kensington: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa cve]
Package list: =app-admin/apache-tools-2.4.25 =www-servers/apache-2.4.25
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 601736

Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-19 19:13:01 UTC
Changes with Apache 2.4.25

  *) Fix some build issues related to various modules.
     [Rainer Jung]

Changes with Apache 2.4.24

  *) SECURITY: CVE-2016-8740 (
     mod_http2: Mitigate DoS memory exhaustion via endless
     CONTINUATION frames.
     [Naveen Tiwari <> and CDF/SEFCOM at Arizona State
     University, Stefan Eissing]

  *) SECURITY: CVE-2016-5387 (
     core: Mitigate [f]cgi "httpoxy" issues.
     [Dominic Scheirlinck <dominic>, Yann Ylavic]

  *) SECURITY: CVE-2016-2161 (
     mod_auth_digest: Prevent segfaults during client entry allocation when
     the shared memory space is exhausted.
     [Maksim Malyutin <m.malyutin>, Eric Covener, Jacob Champion]

  *) SECURITY: CVE-2016-0736 (
     mod_session_crypto: Authenticate the session data/cookie with a
     MAC (SipHash) to prevent deciphering or tampering with a padding
     oracle attack.  [Yann Ylavic, Colm MacCarthaigh]

  *) SECURITY: CVE-2016-8743 (
     Enforce HTTP request grammar corresponding to RFC7230 for request lines
     and request headers, to prevent response splitting and cache pollution by
     malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]

  *) Validate HTTP response header grammar defined by RFC7230, resulting
     in a 500 error in the event that invalid response header contents are
     detected when serving the response, to avoid response splitting and cache
     pollution by malicious clients, upstream servers or faulty modules.
     [Stefan Fritsch, Eric Covener, Yann Ylavic]

  *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
     looping RewriteRules when the local path significantly exceeds 
     LimitRequestLine.  PR 60478. [Jeff Wheelhouse <apache>]

  *) mod_ratelimit: Allow for initial "burst" amount at full speed before
     throttling: PR 60145 [Andy Valencia <ajv-etradanalhos>,
     Jim Jagielski]

  *) mod_socache_memcache: Provide memcache stats to mod_status.
     [Jim Jagielski]

  *) http_filters: Fix potential looping in new check_headers() due to new
     pattern of ap_die() from http header filter. Explicitly clear the
     previous headers and body.

  *) core: Drop Content-Length header and message-body from HTTP 204 responses.
     PR 51350 [Luca Toscano]

  *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
     configured in <Location>, like in 2.2. PR 60458.
     [Eric Covener]

  *) mod_lua: Fix default value of LuaInherit directive. It should be 
     'parent-first' instead of 'none', as per documentation.  PR 60419
     [Christophe Jaillet]

  *) core: New directive HttpProtocolOptions to control httpd enforcement
     of various RFC7230 requirements. [Stefan Fritsch, William Rowe]

  *) core: Permit unencoded ';' characters to appear in proxy requests and
     Location: response headers. Corresponds to modern browser behavior.
     [William Rowe]

  *) core: ap_rgetline_core now pulls from r->proto_input_filters.

  *) core: Correctly parse an IPv6 literal host specification in an absolute
     URL in the request line. [Stefan Fritsch]

  *) core: New directive RegisterHttpMethod for registering non-standard
     HTTP methods. [Stefan Fritsch]

  *) mod_socache_memcache: Pass expiration time through to memcached.
     [Faidon Liambotis <paravoid>, Joe Orton]

  *) mod_cache: Use the actual URI path and query-string for identifying the
     cached entity (key), such that rewrites are taken into account when
     running afterwards (CacheQuickHandler off).  PR 21935.  [Yann Ylavic]

  *) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status
     103 interim responses. Disabled by default. [Stefan Eissing]

  *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
     in the client certificate chain.  PR 55786.  [Yann Ylavic]

  *) event: Allow to use the whole allocated scoreboard (up to ServerLimit
     slots) to avoid scoreboard full errors when some processes are finishing
     gracefully. Also, make gracefully finishing processes close all
     keep-alive connections. PR 53555. [Stefan Fritsch]

  *) mpm_event: Don't take over scoreboard slots from gracefully finishing
     threads. [Stefan Fritsch]

  *) mpm_event: Free memory earlier when shutting down processes.
     [Stefan Fritsch]

  *) mod_status: Display the process slot number in the async connection
     overview. [Stefan Fritsch]

  *) mod_dir: Responses that go through "FallbackResource" might appear to
     hang due to unterminated chunked encoding. PR58292. [Eric Covener]

  *) mod_dav: Fix a potential cause of unbounded memory usage or incorrect
     behavior in a routine that sends <DAV:response>'s to the output filters.
     [Evgeny Kotkov]

  *) mod_http2: new directive 'H2PushResource' to enable early pushes before 
     processing of the main request starts. Resources are announced to the 
     client in Link headers on a 103 early hint response. 
     All responses with status code <400 are inspected for Link header and
     trigger pushes accordingly. 304 still does prevent pushes.
     'H2PushResource' can mark resources as 'critical' which gives them higher
     priority than the main resource. This leads to preferred scheduling for
     processing and, when content is available, will send it first. 'critical'
     is also recognized on Link headers. [Stefan Eissing]

  *) mod_proxy_http2: uris in Link headers are now mapped back to a suitable
     local url when available. Relative uris with an absolute path are mapped
     as well. This makes reverse proxy mapping available for resources
     announced in this header. 
     With 103 interim responses being forwarded to the main client connection,
     this effectively allows early pushing of resources by a reverse proxied
     backend server. [Stefan Eissing]

  *) mod_proxy_http2: adding support for newly proposed 103 status code.
     [Stefan Eissing]

  *) mpm_unix: Apache fails to start if previously crashed then restarted with
     the same PID (e.g. in container).  PR 60261.
     [Val <valentin.bremond>, Yann Ylavic]

  *) mod_http2: unannounced and multiple interim responses (status code < 200)
     are parsed and forwarded to client until a final response arrives.
     [Stefan Eissing]

  *) mod_proxy_http2: improved robustness when main connection is closed early
     by resetting all ongoing streams against the backend.
     [Stefan Eissing]
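
The request grammar that the CVE-2016-8743 entry above refers to, as an added example that is not part of the bug report or of httpd's code: a simplified Python check of a raw request head against the RFC 7230 request-line and header-field rules. The function name, message strings and sample requests are constructed for illustration, and the check does not reproduce httpd's own parser.

```python
import re

# RFC 7230 sec. 3.2.6: token = 1*tchar
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# request-line = method SP request-target SP HTTP-version (exactly one SP each).
# Simplification: request-target is any run of visible ASCII, not a full URI parse.
REQUEST_LINE = re.compile(TOKEN + rb" [\x21-\x7e]+ HTTP/[0-9]\.[0-9]")
FIELD_NAME = re.compile(TOKEN)
# field-value after trimming OWS: VCHAR, obs-text, SP and HTAB only.
FIELD_VALUE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")


def grammar_violations(raw: bytes) -> list:
    """Return RFC 7230 grammar violations found in a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    first, *fields = head.split(b"\r\n")
    found = []
    if b"\r" in first or b"\n" in first:
        found.append("request-line: bare CR or LF")
    elif not REQUEST_LINE.fullmatch(first):
        found.append("request-line: bad grammar")
    for line in fields:
        name, colon, value = line.partition(b":")
        if b"\r" in line or b"\n" in line:
            found.append("header: bare CR or LF")
        elif line[:1] in (b" ", b"\t"):
            found.append("header: obs-fold continuation")
        elif not colon or not FIELD_NAME.fullmatch(name):
            found.append("header: invalid field-name")
        elif not FIELD_VALUE.fullmatch(value.strip(b" \t")):
            found.append("header: invalid field-value")
    return found


# Constructed sample request heads (not taken from the bug report).
SAMPLES = {
    "valid": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "space_before_colon": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Example : 1\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\nHost: example.test\n\n",
    "tab_separator": b"GET\t/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "nul_in_value": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Example: a\x00b\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:20} {grammar_violations(raw) or 'ok'}")
```
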
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-19 19:16:36 UTC
CVE-2016-8740 is handled via bug 601736.

CVE-2016-5387 was handled via bug 589226.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-12-19 22:57:55 UTC
commit 8b43dcbc13a294300bfdfeaa6e41721db42576fe
Author: Lars Wendler <>
Date:   Mon Dec 19 23:54:24 2016

    www-servers/apache: Security bump to version 2.4.25 (bug #603130).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

commit 6d9dc083415a0065da55f0816b5f187790828529
Author: Lars Wendler <>
Date:   Mon Dec 19 23:48:36 2016

    app-admin/apache-tools: Security bump to version 2.4.25 (bug #603130).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

Arches please test and mark stable the following two packages:


Target KEYWORDS are:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-21 18:56:32 UTC
Stable on amd64.
Comment 4 Agostino Sarubbo gentoo-dev 2016-12-22 08:58:20 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-22 09:43:58 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-24 10:29:59 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-25 10:11:44 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-25 10:15:56 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-25 10:25:07 UTC
ppc stable
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-01-01 10:30:15 UTC
Adding alpha as it is still pending...
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-05 12:36:34 UTC
Stable on alpha.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 23:34:00 UTC
Stable for HPPA.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-15 00:14:21 UTC
@ Maintainer(s): Please clean up www-servers/apache and app-admin/apache-tools.
Comment 14 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-01-15 01:39:00 UTC
commit 4f45ecb82321ba88f26ea9c82cb5952b0ae3874d
Author: Lars Wendler <>
Date:   Sun Jan 15 02:38:10 2017

    app-admin/apache-tools: Security cleanup (bug #603130).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

commit 8c0256f247080f7c423e500cf4adc936792562b2
Author: Lars Wendler <>
Date:   Sun Jan 15 02:37:30 2017

    www-servers/apache: Security cleanup (bug #603130).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-15 08:21:58 UTC
This issue was resolved and addressed in
 GLSA 201701-36 at
by GLSA coordinator Aaron Bauman (b-man).