
[SECURITY] [DLA 1389-1] apache2 security update

Package        : apache2
Version        : 2.2.22-13+deb7u13
CVE ID         : CVE-2017-15710 CVE-2018-1301 CVE-2018-1312
Debian Bug     : 

Several vulnerabilities have been found in the Apache HTTPD server.

    Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if
    configured with AuthLDAPCharsetConfig, could cause an out-of-bounds
    write if supplied with a crafted Accept-Language header. This could
    potentially be used for a Denial of Service attack.

    Robert Swiecki reported that a specially crafted request could have
    crashed the Apache HTTP Server, due to an out-of-bounds access after
    a size limit is reached while reading the HTTP header.

    Nicolas Daniels discovered that when generating an HTTP Digest
    authentication challenge, the nonce sent by mod_auth_digest to
    prevent replay attacks was not correctly generated using a
    pseudo-random seed. In a cluster of servers using a common Digest
    authentication configuration, HTTP requests could be replayed across
    servers by an attacker without detection.

For Debian 7 "Wheezy", these problems have been fixed in version

We recommend that you upgrade your apache2 packages.
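An added check, not part of the advisory, for telling whether an installed apache2 on Wheezy is still older than the fixed version named above: it implements Debian's version ordering (Policy 5.6.12, epoch then upstream then revision, with the special handling of "~" and letters) in Python so it runs where dpkg is not available. The installed version strings used for testing are constructed.

```python
import re
from itertools import zip_longest

FIXED_VERSION = "2.2.22-13+deb7u13"  # fixed Wheezy version named in this advisory

def _order(c: str) -> int:
    # Non-digit ordering: '~' sorts before anything, even end of string (0);
    # letters sort before non-letters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # Compare an upstream or revision string by alternating non-digit runs
    # (modified lexical order) and digit runs (numeric, so u9 < u10).
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for x, y in zip_longest(sa, sb, fillvalue=""):
            ox, oy = (_order(x) if x else 0), (_order(y) if y else 0)
            if ox != oy:
                return -1 if ox < oy else 1
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v: str):
    # [epoch:]upstream[-revision]; missing epoch is 0, missing revision is ''.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    # -1, 0 or 1 as a is older than, equal to or newer than b.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    # True when the installed apache2 version predates the fixed one.
    return compare_versions(installed, fixed) < 0
```

Feed it the output of `dpkg-query -W -f='${Version}' apache2` from a Wheezy host; the result only says whether the Wheezy fix is present, not anything about other suites.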

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
