Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On Mon, Jun 19, 2017 at 5:49 PM, Jacob Champion wrote:
> On 06/19/2017 03:44 PM, William A Rowe Jr wrote:
>>
>> None at all, I have moderation and will push it on.
>
> They are on their way over to you. Thanks for the suggestion.

... and moderated. Thanks!
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On 06/19/2017 03:44 PM, William A Rowe Jr wrote:
> None at all, I have moderation and will push it on.

They are on their way over to you. Thanks for the suggestion.

--Jacob
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On Mon, Jun 19, 2017 at 5:41 PM, Jacob Champion wrote:
> On 06/19/2017 03:35 PM, William A Rowe Jr wrote:
>>
>> Not to announce@httpd? users@ and dev@ aren't particularly
>> broadcast channels.
>>
>> announce@a.o might be too wide an audience, but that's why
>> we document the CVE's with short notes in the foundation-wide
>> release announcement. At least, used to document them.
>
>
> I was following Jim's lead on the first CVE announcement. I'm not opposed to
> a [SECURITY] announcement for all five; just timid. :)
>
> Any opposed to me copying all five to announce@httpd?

None at all, I have moderation and will push it on.

Just FYI you must always send-from your @apache.org identity when pushing
mail to any announce@ list, because all other posts are pre-filtered before
moderation.
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On 06/19/2017 03:35 PM, William A Rowe Jr wrote:
> Not to announce@httpd? users@ and dev@ aren't particularly
> broadcast channels.
>
> announce@a.o might be too wide an audience, but that's why
> we document the CVE's with short notes in the foundation-wide
> release announcement. At least, used to document them.

I was following Jim's lead on the first CVE announcement. I'm not opposed to
a [SECURITY] announcement for all five; just timid. :)

Any opposed to me copying all five to announce@httpd?

--Jacob
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
Not to announce@httpd? users@ and dev@ aren't particularly
broadcast channels.

announce@a.o might be too wide an audience, but that's why
we document the CVE's with short notes in the foundation-wide
release announcement. At least, used to document them.

On Mon, Jun 19, 2017 at 5:08 PM, Jacob Champion wrote:
> CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> httpd 2.2.0 to 2.2.32
> httpd 2.4.0 to 2.4.25
>
> Description:
> Use of the ap_get_basic_auth_pw() by third-party modules outside of the
> authentication phase may lead to authentication requirements being
> bypassed.
>
> Mitigation:
> 2.2.x users should either apply the patch available at
> https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
> or upgrade in the future to 2.2.33, which is currently unreleased.
>
> 2.4.x users should upgrade to 2.4.26.
>
> Third-party module writers SHOULD use ap_get_basic_auth_components(),
> available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
> Modules which call the legacy ap_get_basic_auth_pw() during the
> authentication phase MUST either immediately authenticate the user after
> the call, or else stop the request immediately with an error response,
> to avoid incorrectly authenticating the current request.
>
> Credit:
> The Apache HTTP Server security team would like to thank Emmanuel
> Dreyfus for reporting this issue.
>
> References:
> https://httpd.apache.org/security_report.html
CVE-2017-3169: mod_ssl null pointer dereference
CVE-2017-3169: mod_ssl null pointer dereference

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank Vasileios
Panopoulos and AdNovum Informatik AG for reporting this issue.

References:
https://httpd.apache.org/security_report.html
CVE-2017-7668: ap_find_token buffer overread
CVE-2017-7668: ap_find_token buffer overread

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.32
httpd 2.4.24 (unreleased)
httpd 2.4.25

Description:
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.

Mitigation:
2.2.32 users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.25 users should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank Javier Jiménez
(javij...@gmail.com) for reporting this issue.

References:
https://httpd.apache.org/security_report.html
CVE-2017-7679: mod_mime buffer overread
CVE-2017-7679: mod_mime buffer overread

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank ChenQin and
Hanno Böck for reporting this issue.

References:
https://httpd.apache.org/security_report.html
CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Third-party module writers SHOULD use ap_get_basic_auth_components(),
available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the
authentication phase MUST either immediately authenticate the user after
the call, or else stop the request immediately with an error response,
to avoid incorrectly authenticating the current request.

Credit:
The Apache HTTP Server security team would like to thank Emmanuel
Dreyfus for reporting this issue.

References:
https://httpd.apache.org/security_report.html
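The module-writer rule in the advisory above, turned into a small C model so the difference between the two API shapes can be exercised. This is an added example, not httpd code and not from the advisory's authors: `request`, `legacy_get_basic_auth_pw()`, `get_basic_auth_components()` and the three hooks are hypothetical stand-ins for `request_rec`, `ap_get_basic_auth_pw()` and `ap_get_basic_auth_components()`, and the credential store and Authorization headers are constructed. The model's assumption is the one the advisory implies: the legacy call writes the decoded user name into `r->user` before anything has checked the password, so a hook that then returns DECLINED instead of an error leaves a request that later phases keyed on `r->user` would treat as authenticated.

```c
/* Model of the contract in the CVE-2017-3167 advisory. Added example, not httpd
 * code: `request`, the two auth helpers and the hooks are hypothetical stand-ins
 * for request_rec, ap_get_basic_auth_pw() and ap_get_basic_auth_components(). */
#include <stdio.h>
#include <string.h>
enum { OK = 0, DECLINED = -1, HTTP_UNAUTHORIZED = 401 };  /* httpd-style statuses */

typedef struct {
    const char *authorization;  /* raw Authorization header value, or NULL */
    char user[64];              /* models r->user; "" means not set */
} request;

/* Minimal base64 decoder: decoded length, or -1 on malformed input. */
static int b64_decode(const char *in, char *out, int outlen) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0; int bits = 0, n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned)(p - tbl);
        if ((bits += 6) < 8) continue;
        bits -= 8;
        if (n >= outlen - 1) return -1;
        out[n++] = (char)((acc >> bits) & 0xff);
    }
    out[n] = '\0';
    return n;
}

/* Splits "Basic <base64>" into user and password; 401 if absent or malformed. */
static int parse_basic(const char *hdr, char *user, int ulen, char *pw, int plen) {
    char buf[128], *colon;
    if (!hdr || strncmp(hdr, "Basic ", 6) != 0) return HTTP_UNAUTHORIZED;
    if (b64_decode(hdr + 6, buf, sizeof buf) < 0) return HTTP_UNAUTHORIZED;
    if (!(colon = strchr(buf, ':'))) return HTTP_UNAUTHORIZED;
    *colon = '\0';
    snprintf(user, (size_t)ulen, "%s", buf);
    snprintf(pw, (size_t)plen, "%s", colon + 1);
    return OK;
}

/* Legacy shape: as a side effect, writes the name into r->user before any password check. */
static int legacy_get_basic_auth_pw(request *r, char *pw, int plen) {
    return parse_basic(r->authorization, r->user, sizeof r->user, pw, plen);
}

/* Components shape: same parsing, but the request is left untouched. */
static int get_basic_auth_components(const request *r, char *u, int ul, char *p, int pl) {
    return parse_basic(r->authorization, u, ul, p, pl);
}

/* Constructed credential store for the model. */
static int password_ok(const char *user, const char *pw) {
    return strcmp(user, "alice") == 0 && strcmp(pw, "s3cret") == 0;
}

/* Violates the advisory: on a bad password the hook DECLINEs, leaving the
 * unverified name in r->user for later phases to trust. */
static int hook_legacy_declines(request *r) {
    char pw[64];
    if (legacy_get_basic_auth_pw(r, pw, sizeof pw) != OK) return DECLINED;
    return password_ok(r->user, pw) ? OK : DECLINED;
}

/* Follows the advisory's MUST: authenticate now, or stop with an error. */
static int hook_legacy_fails_closed(request *r) {
    char pw[64];
    int rv = legacy_get_basic_auth_pw(r, pw, sizeof pw);
    if (rv != OK) return rv;
    return password_ok(r->user, pw) ? OK : HTTP_UNAUTHORIZED;
}

/* Preferred: no side effect, so declining is safe; r->user is written only once verified. */
static int hook_components(request *r) {
    char user[64], pw[64];
    if (get_basic_auth_components(r, user, 64, pw, 64) != OK) return DECLINED;
    if (!password_ok(user, pw)) return DECLINED;
    snprintf(r->user, sizeof r->user, "%s", user);
    return OK;
}

/* Runs a hook on a constructed request with a wrong password and reports whether it
 * left r->user set while neither authenticating (OK) nor stopping the request (>= 400). */
int hook_leaks_unverified_user(int (*hook)(request *)) {
    request r = { "Basic YWxpY2U6d3Jvbmc=", "" };  /* "alice:wrong" */
    int rv = hook(&r);
    return rv != OK && rv < 400 && r.user[0] != '\0';
}

/* Sanity check: the hook still accepts the correct password. */
int hook_accepts_valid_user(int (*hook)(request *)) {
    request r = { "Basic YWxpY2U6czNjcmV0", "" };  /* "alice:s3cret" */
    return hook(&r) == OK && strcmp(r.user, "alice") == 0;
}

int main(void) {
    printf("%d %d %d\n", hook_leaks_unverified_user(hook_legacy_declines),
           hook_leaks_unverified_user(hook_legacy_fails_closed),
           hook_leaks_unverified_user(hook_components));  /* prints 1 0 0 */
    return 0;
}
```

`hook_leaks_unverified_user()` is the check a module author can run over their own hook: only the DECLINE-after-legacy-call shape trips it, which is exactly the shape the advisory forbids. The components-based hook can decline freely because nothing has been written into the request until the password has been verified.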
Re: [PATCH 2.2] fix ap_get_scoreboard_*
+1 here... That gets you to 3. Good catch thanks. On Jun 19, 2017 07:09, "Joe Orton" wrote: > The limit checking is broken in 2.2's ap_get_scoreboard_*. This was > fixed in 2.4 in http://svn.apache.org/viewvc?view=revision&revision=417252 > > Patch below backports that, plus fixes the additional broken comparison > in ap_get_scoreboard_lb(), discovered by Hisanobu Okuda. > > Can I get +1s for this for 2.2? > > Submitted by: wrowe, jorton > > Index: server/scoreboard.c > === > --- server/scoreboard.c (revision 1799181) > +++ server/scoreboard.c (working copy) > @@ -503,8 +503,8 @@ > > AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y) > { > -if (((x < 0) || (server_limit < x)) || > -((y < 0) || (thread_limit < y))) { > +if (((x < 0) || (x >= server_limit)) || > +((y < 0) || (y >= thread_limit))) { > return(NULL); /* Out of range */ > } > return &ap_scoreboard_image->servers[x][y]; > @@ -527,7 +527,7 @@ > > AP_DECLARE(process_score *) ap_get_scoreboard_process(int x) > { > -if ((x < 0) || (server_limit < x)) { > +if ((x < 0) || (x >= server_limit)) { > return(NULL); /* Out of range */ > } > return &ap_scoreboard_image->parent[x]; > @@ -540,7 +540,7 @@ > > AP_DECLARE(lb_score *) ap_get_scoreboard_lb(int lb_num) > { > -if (((lb_num < 0) || (lb_limit < lb_num))) { > +if (lb_num < 0 || lb_num >= lb_limit) { > return(NULL); /* Out of range */ > } > return &ap_scoreboard_image->balancers[lb_num]; > >
CVE-2017-7659: mod_http2 null pointer dereference
CVE-2017-7659: mod_http2 null pointer dereference

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.24 (unreleased)
httpd 2.4.25

Description:
A maliciously constructed HTTP/2 request could cause mod_http2 to
dereference a NULL pointer and crash the server process.

Mitigation:
2.4.25 users of mod_http2 should upgrade to 2.4.26.

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html
Re: Apache 2.4.26 mpm_event_listener_wakeup_bug57399_V7
Hello Stefan,

On Mon, Jun 19, 2017 at 3:23 PM, Stefan Priebe - Profihost AG wrote:
>
> is your wakeup patch (mpm_event_listener_wakeup_bug57399_V7) still
> needed for 2.4.26?

Unfortunately yes, I think I was too late to propose the backport for
2.4.26, and it didn't get enough review/vote (two on three) before the
release.

The final backport proposal is [1], with a small change with regard to
your v7 above (removal of duplicated code).

Regards,
Yann.

[1] http://home.apache.org/~ylavic/patches/httpd-2.4.x-mpm_event-wakeup-v7.1.patch
Apache 2.4.26 mpm_event_listener_wakeup_bug57399_V7
Hello Yann,

is your wakeup patch (mpm_event_listener_wakeup_bug57399_V7) still
needed for 2.4.26?

Greets,
Stefan
Re: [PATCH 2.2] fix ap_get_scoreboard_*
On Mon, Jun 19, 2017 at 2:08 PM, Joe Orton wrote:
> The limit checking is broken in 2.2's ap_get_scoreboard_*. This was
> fixed in 2.4 in http://svn.apache.org/viewvc?view=revision&revision=417252
>
> Patch below backports that, plus fixes the additional broken comparison
> in ap_get_scoreboard_lb(), discovered by Hisanobu Okuda.
>
> Can I get +1s for this for 2.2?

+1 by me (can't see the proposal in STATUS, though).
[ANNOUNCE] Apache HTTP Server 2.4.26 Released
Apache HTTP Server 2.4.26 Released

June 19, 2017

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.4.26 of the Apache HTTP
Server ("Apache"). This version of Apache is our latest GA release of the
new generation 2.4.x branch of Apache HTTPD and represents fifteen years
of innovation by the project, and is recommended over all previous
releases. This release of Apache is a security, feature, and bug fix
release.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.4.26 is available for download from:

  http://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase. For an overview of new features introduced
since 2.4 please see:

  http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.26, includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:

  http://httpd.apache.org/security/vulnerabilities_24.html

This release requires the Apache Portable Runtime (APR), minimum version
1.5.x, and APR-Util, minimum version 1.5.x. Some features may require the
1.6.x version of both APR and APR-Util. The APR libraries must be upgraded
for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.

  http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be using
(and the libraries they depend on) are thread-safe.

Please note that the Apache Web Server Project will only provide
maintenance releases of the 2.2.x flavor through June of 2017, and will
provide some security patches beyond this date through at least December
of 2017. Minimal maintenance patches of 2.2.x are expected throughout
this period, and users are strongly encouraged to promptly complete their
transitions to the 2.4.x flavor of httpd to benefit from a much larger
assortment of minor security and bug fixes as well as new features.
[PATCH 2.2] fix ap_get_scoreboard_*
The limit checking is broken in 2.2's ap_get_scoreboard_*. This was fixed in 2.4 in http://svn.apache.org/viewvc?view=revision&revision=417252 Patch below backports that, plus fixes the additional broken comparison in ap_get_scoreboard_lb(), discovered by Hisanobu Okuda. Can I get +1s for this for 2.2? Submitted by: wrowe, jorton Index: server/scoreboard.c === --- server/scoreboard.c (revision 1799181) +++ server/scoreboard.c (working copy) @@ -503,8 +503,8 @@ AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y) { -if (((x < 0) || (server_limit < x)) || -((y < 0) || (thread_limit < y))) { +if (((x < 0) || (x >= server_limit)) || +((y < 0) || (y >= thread_limit))) { return(NULL); /* Out of range */ } return &ap_scoreboard_image->servers[x][y]; @@ -527,7 +527,7 @@ AP_DECLARE(process_score *) ap_get_scoreboard_process(int x) { -if ((x < 0) || (server_limit < x)) { +if ((x < 0) || (x >= server_limit)) { return(NULL); /* Out of range */ } return &ap_scoreboard_image->parent[x]; @@ -540,7 +540,7 @@ AP_DECLARE(lb_score *) ap_get_scoreboard_lb(int lb_num) { -if (((lb_num < 0) || (lb_limit < lb_num))) { +if (lb_num < 0 || lb_num >= lb_limit) { return(NULL); /* Out of range */ } return &ap_scoreboard_image->balancers[lb_num];
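Review bot: the ap_get_scoreboard_worker() hunk is correct but the backport carries no CHANGES entry, and a later reply in this thread notes there is no STATUS proposal either; add both, describing the off-by-one: the old `(server_limit < x)` test still accepted x == server_limit and returned `&ap_scoreboard_image->servers[server_limit][y]`, one row past the last valid index (likewise y == thread_limit against `servers[x][thread_limit]`), which the new `(x >= server_limit)` / `(y >= thread_limit)` closes.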
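Review bot: the ap_get_scoreboard_process() hunk repeats the same `(x < 0) || (x >= server_limit)` range test as the worker hunk, and the lb hunk repeats it a third time against lb_limit; with three hand-written copies of one check in this file, a small static helper or macro taking the index and its limit would keep the copies from drifting apart again, which is the class of mistake this patch is fixing.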
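Review bot: style nit on the ap_get_scoreboard_lb() hunk: it drops the extra parentheses (`lb_num < 0 || lb_num >= lb_limit`) while the worker and process hunks keep the fully parenthesised form `((x < 0) || (x >= server_limit))`; pick one form for all three functions so the backport reads consistently, and while there, confirm that no caller relies on `lb_num == lb_limit` having been accepted before, since that call now returns NULL.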
Re: [VOTE] Release Apache httpd 2.4.26 as GA
On Tue, 13 Jun 2017, Jim Jagielski wrote:

> The pre-release test tarballs for Apache httpd version 2.4.26 can be found
> at the usual place:
>
> http://httpd.apache.org/dev/dist/

Late to the game and more of a nitpick for next release:

http://httpd.apache.org/dev/dist/CHANGES_2.4.26 notably has links to the
complete 2.2.x and 2.0.x release history, but NOT for the complete 2.4.x
release history... Yes, it's available in CHANGES_2.4 but I think there
should be a hint in CHANGES_2.4.26 as well to avoid confusing newcomers
more than necessary :-)

Also I suspect that the following note at the bottom of the CHANGES_ files
has gone stale:

[Apache 2.3.0-dev includes those bug fixes and changes with the
Apache 2.2.xx tree as documented, and except as noted, below.]

AFAIK the 2.2.xx tree isn't changing much nowadays...

/Nikke

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Niklas Edmundsson, Admin @ {acc,hpc2n}.umu.se      | ni...@acc.umu.se
---
 "Initiate warp shell." - Picard
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=