Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 622240 (CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668, CVE-2017-7679)

Summary: <www-servers/apache-{2.2.34,2.4.26}: multiple vulnerabilities
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://httpd.apache.org/security/vulnerabilities_24.html
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 622374, 624868, 631308    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2017-06-19 18:32:58 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-19 18:37:46 UTC
CVE-2017-7659: mod_http2 null pointer dereference 

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.24 (unreleased)
httpd 2.4.25

Description:
A maliciously constructed HTTP/2 request could cause mod_http2 to
dereference a NULL pointer and crash the server process.

Mitigation:
2.4.25 users of mod_http2 should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-20 07:41:49 UTC
CVE-2017-7679: mod_mime buffer overread

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank ChenQin and
Hanno Böck for reporting this issue.



CVE-2017-7668: ap_find_token buffer overread

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.32
httpd 2.4.24 (unreleased)
httpd 2.4.25

Description:
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.

Mitigation:
2.2.32 users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.25 users should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank Javier Jiménez
(javijmor@gmail.com) for reporting this issue.



CVE-2017-3169: mod_ssl null pointer dereference

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank Vasileios
Panopoulos and AdNovum Informatik AG for reporting this issue.



CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Third-party module writers SHOULD use ap_get_basic_auth_components(),
available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the
authentication phase MUST either immediately authenticate the user after
the call, or else stop the request immediately with an error response,
to avoid incorrectly authenticating the current request.

Credit:
The Apache HTTP Server security team would like to thank Emmanuel
Dreyfus for reporting this issue.
Comment 3 Hanno Böck gentoo-dev 2017-06-21 10:08:27 UTC
There's a major regression in 2.4.26 that breaks important web applications (wordpress), see #622374
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-01 18:34:23 UTC
Ping:

Upstream commit:

2.4: https://github.com/apache/httpd/commit/78f0f0b6585f13ec1175c7020ee01cd0237fc1ba
2.2: https://github.com/apache/httpd/commit/7103baa2e70e37eeaf7847abaa6f3567ef2cdf73

Gentoo Security Padawan
ChrisADR
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-18 13:15:52 UTC
www-servers/apache-2.2.34 which contains patches for the named vulnerabilities was added as part of bug 631308.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-10-29 23:05:09 UTC
This issue was resolved and addressed in
 GLSA 201710-32 at https://security.gentoo.org/glsa/201710-32
by GLSA coordinator Aaron Bauman (b-man).