[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1389-1] apache2 security update



Package        : apache2
Version        : 2.2.22-13+deb7u13
CVE ID         : CVE-2017-15710 CVE-2018-1301 CVE-2018-1312
Debian Bug     : 


Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2017-15710

    Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if
    configured with AuthLDAPCharsetConfig, could cause an of bound write
    if supplied with a crafted Accept-Language header. This could
    potentially be used for a Denial of Service attack.

CVE-2018-1301

    Robert Swiecki reported that a specially crafted request could have
    crashed the Apache HTTP Server, due to an out of bound access after
    a size limit is reached by reading the HTTP header.
CVE-2018-1312

    Nicolas Daniels discovered that when generating an HTTP Digest
    authentication challenge, the nonce sent by mod_auth_digest to
    prevent reply attacks was not correctly generated using a
    pseudo-random seed. In a cluster of servers using a common Digest
    authentication configuration, HTTP requests could be replayed across
    servers by an attacker without detection.


For Debian 7 "Wheezy", these problems have been fixed in version
2.2.22-13+deb7u13.

We recommend that you upgrade your apache2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature


Reply to: