Date: Wed, 21 Dec 2016 10:35:21 +0000 (UTC)
From: Olli Hauer <ohauer@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r429061 - head/security/vuxml
Message-ID: <201612211035.uBLAZLri095314@repo.freebsd.org>
Author: ohauer Date: Wed Dec 21 10:35:20 2016 New Revision: 429061 URL: https://svnweb.freebsd.org/changeset/ports/429061 Log: - document Apache httpd-2.4.x defects Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Dec 21 10:32:24 2016 (r429060) +++ head/security/vuxml/vuln.xml Wed Dec 21 10:35:20 2016 (r429061) 
@@ -58,6 +58,110 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="862d6ab3-c75e-11e6-9f98-20cf30e32f6d"> + <topic>Apache httpd -- several vulnerabilities</topic> + <affects> + <package> + <name>apache24</name> + <range><lt>2.4.25</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Apache Software Foundation reports:</p> + <blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html"> + <ul> + <li>TBD: Apache HTTP Request Parsing Whitespace Defects CVE-2016-8743<br/> + Apache HTTP Server, prior to release 2.4.25, accepted a broad + pattern of unusual whitespace patterns from the user-agent, + including bare CR, FF, VTAB in parsing the request line and + request header lines, as well as HTAB in parsing the request line. + Any bare CR present in request lines was treated as whitespace and + remained in the request field member "the_request", while a bare + CR in the request header field name would be honored as + whitespace, and a bare CR in the request header field value was + retained the input headers array. Implied additional whitespace + was accepted in the request line and prior to the + ':' delimiter of any request header lines.<br/><br/> + RFC7230 Section 3.5 calls out some of these whitespace exceptions, + and section 3.2.3 eliminated and clarified the role of implied + whitespace in the grammer of this specification. Section 3.1.1 + requires exactly one single SP between the method and + request-target, and between the request-target and HTTP-version, + followed immediately by a CRLF sequence. None of these + fields permit any (unencoded) CTL character whatsoever. 
Section + 3.2.4 explicitly disallowed any whitespace from the request header + field prior to the ':' character, while Section 3.2 disallows all + CTL characters in the request header line other than the HTAB + character as whitespace.<br/><br/> + These defects represent a security concern when httpd is + participating in any chain of proxies or interacting with back-end + application servers, either through mod_proxy or using conventional + CGI mechanisms. In each case where one agent accepts such CTL + characters and does not treat them as whitespace, there is the + possiblity in a proxy chain of generating two responses from a + server behind the uncautious proxy agent. In a sequence of two + requests, this results in request A to the first proxy being + interpreted as requests A + A' by the backend server, and if + requests A and B were submitted to the first proxy in a keepalive + connection, the proxy may interpret response A' as the response to + request B, polluting the cache or potentially serving the A' content + to a different downstream user-agent.<br/><br/> + These defects are addressed with the release of Apache HTTP Server + 2.4.25 and coordinated by a new directive<br/> + HttpProtocolOptions Strict<br/> + </li> + </ul><ul> + <li>low: DoS vulnerability in mod_auth_digest CVE-2016-2161<br/> + Malicious input to mod_auth_digest will cause the server to crash, + and each instance continues to crash even for subsequently valid + requests.<br/> + </li> + </ul><ul> + <li>low: Padding Oracle in Apache mod_session_crypto CVE-2016-0736<br/> + Authenticate the session data/cookie presented to mod_session_crypto + with a MAC (SipHash) to prevent deciphering or tampering with a + padding oracle attack.<br/> + </li> + </ul><ul> + <li>low: Padding Oracle in Apache mod_session_crypto CVE-2016-0736<br/> + Authenticate the session data/cookie presented to mod_session_crypto + with a MAC (SipHash) to prevent deciphering or tampering with a + padding oracle 
attack.<br/> + </li> + </ul><ul> + <li>n/a: HTTP/2 CONTINUATION denial of service CVE-2016-8740<br/> + The HTTP/2 protocol implementation (mod_http2) had an incomplete + handling of the LimitRequestFields directive. This allowed an + attacker to inject unlimited request headers into the server, + leading to eventual memory exhaustion.<br/> + </li> + </ul><ul> + <li>n/a: HTTP_PROXY environment variable "httpoxy" mitigation CVE-2016-5387<br/> + HTTP_PROXY is a well-defined environment variable in a CGI process, + which collided with a number of libraries which failed to avoid + colliding with this CGI namespace. A mitigation is provided for the + httpd CGI environment to avoid populating the "HTTP_PROXY" variable + from a "Proxy:" header, which has never been registered by IANA. + </li> + </ul> + </blockquote> + </body> + </description> + <references> + <url>http://httpd.apache.org/security/vulnerabilities_24.html</url> + <cvename>CVE-2016-8743</cvename> + <cvename>CVE-2016-2161</cvename> + <cvename>CVE-2016-0736</cvename> + <cvename>CVE-2016-8740</cvename> + <cvename>CVE-2016-5387</cvename> + </references> + <dates> + <discovery>2016-12-20</discovery> + <entry>2016-12-21</entry> + </dates> + </vuln> + <vuln vid="942433db-c661-11e6-ae1b-002590263bf5"> <topic>xen-kernel -- x86: Mishandling of SYSCALL singlestep during emulation</topic> <affects>
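Review bot: The CVE-2016-0736 mod_session_crypto item is added twice in this hunk (two identical `<li>low: Padding Oracle in Apache mod_session_crypto CVE-2016-0736<br/>` blocks follow each other), so drop the second copy and the entry will list each of the five defects once. Each `<li>` is also wrapped in its own `</ul><ul>` pair, which renders as six separate one-item lists; a single `<ul>` around all the items is cleaner. The first item keeps upstream's placeholder severity `TBD:` for CVE-2016-8743, which should be revisited once httpd.apache.org assigns one, and the quoted text carries the upstream misspellings `grammer` and `possiblity`; that is acceptable inside the `<blockquote>` as long as the quote is meant to be verbatim.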