Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On Mon, Jun 19, 2017 at 5:49 PM, Jacob Champion wrote: > On 06/19/2017 03:44 PM, William A Rowe Jr wrote: >> >> None at all, I have moderation and will push it on. > > They are on their way over to you. Thanks for the suggestion. ... and moderated. Thanks!
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On 06/19/2017 03:44 PM, William A Rowe Jr wrote: None at all, I have moderation and will push it on. They are on their way over to you. Thanks for the suggestion. --Jacob
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On Mon, Jun 19, 2017 at 5:41 PM, Jacob Champion wrote: > On 06/19/2017 03:35 PM, William A Rowe Jr wrote: >> >> Not to announce@httpd? users@ and dev@ aren't particularly >> broadcast channels. >> >> announce@a.o might be too wide an audience, but that's why >> we document the CVE's with short notes in the foundation-wide >> release announcement. At least, used to document them. > > > I was following Jim's lead on the first CVE announcement. I'm not opposed to > a [SECURITY] announcement for all five; just timid. :) > > Any opposed to me copying all five to announce@httpd? None at all, I have moderation and will push it on. Just FYI you must always send-from your @apache.org identity when pushing mail to any announce@ list, because all other posts are pre-filtered before moderation.
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On 06/19/2017 03:35 PM, William A Rowe Jr wrote: Not to announce@httpd? users@ and dev@ aren't particularly broadcast channels. announce@a.o might be too wide an audience, but that's why we document the CVE's with short notes in the foundation-wide release announcement. At least, used to document them. I was following Jim's lead on the first CVE announcement. I'm not opposed to a [SECURITY] announcement for all five; just timid. :) Any opposed to me copying all five to announce@httpd? --Jacob
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
Not to announce@httpd? users@ and dev@ aren't particularly broadcast channels. announce@a.o might be too wide an audience, but that's why we document the CVE's with short notes in the foundation-wide release announcement. At least, used to document them. On Mon, Jun 19, 2017 at 5:08 PM, Jacob Champion wrote: > CVE-2017-3167: ap_get_basic_auth_pw authentication bypass > > Severity: Important > > Vendor: The Apache Software Foundation > > Versions Affected: > httpd 2.2.0 to 2.2.32 > httpd 2.4.0 to 2.4.25 > > Description: > Use of the ap_get_basic_auth_pw() by third-party modules outside of the > authentication phase may lead to authentication requirements being > bypassed. > > Mitigation: > 2.2.x users should either apply the patch available at > https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch > or upgrade in the future to 2.2.33, which is currently unreleased. > > 2.4.x users should upgrade to 2.4.26. > > Third-party module writers SHOULD use ap_get_basic_auth_components(), > available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). > Modules which call the legacy ap_get_basic_auth_pw() during the > authentication phase MUST either immediately authenticate the user after > the call, or else stop the request immediately with an error response, > to avoid incorrectly authenticating the current request. > > Credit: > The Apache HTTP Server security team would like to thank Emmanuel > Dreyfus for reporting this issue. > > References: > https://httpd.apache.org/security_report.html
CVE-2017-3169: mod_ssl null pointer dereference
CVE-2017-3169: mod_ssl null pointer dereference Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.2.0 to 2.2.32 httpd 2.4.0 to 2.4.25 Description: mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. Mitigation: 2.2.x users should either apply the patch available at https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch or upgrade in the future to 2.2.33, which is currently unreleased. 2.4.x users should upgrade to 2.4.26. Credit: The Apache HTTP Server security team would like to thank Vasileios Panopoulos and AdNovum Informatik AG for reporting this issue. References: https://httpd.apache.org/security_report.html
CVE-2017-7668: ap_find_token buffer overread
CVE-2017-7668: ap_find_token buffer overread Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.2.32 httpd 2.4.24 (unreleased) httpd 2.4.25 Description: The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. Mitigation: 2.2.32 users should either apply the patch available at https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch or upgrade in the future to 2.2.33, which is currently unreleased. 2.4.25 users should upgrade to 2.4.26. Credit: The Apache HTTP Server security team would like to thank Javier Jiménez (javij...@gmail.com) for reporting this issue. References: https://httpd.apache.org/security_report.html
CVE-2017-7679: mod_mime buffer overread
CVE-2017-7679: mod_mime buffer overread Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.2.0 to 2.2.32 httpd 2.4.0 to 2.4.25 Description: mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. Mitigation: 2.2.x users should either apply the patch available at https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch or upgrade in the future to 2.2.33, which is currently unreleased. 2.4.x users should upgrade to 2.4.26. Credit: The Apache HTTP Server security team would like to thank ChenQin and Hanno Böck for reporting this issue. References: https://httpd.apache.org/security_report.html
CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
CVE-2017-3167: ap_get_basic_auth_pw authentication bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.2.0 to 2.2.32 httpd 2.4.0 to 2.4.25 Description: Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Mitigation: 2.2.x users should either apply the patch available at https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch or upgrade in the future to 2.2.33, which is currently unreleased. 2.4.x users should upgrade to 2.4.26. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request. Credit: The Apache HTTP Server security team would like to thank Emmanuel Dreyfus for reporting this issue. References: https://httpd.apache.org/security_report.html
Re: [PATCH 2.2] fix ap_get_scoreboard_*
+1 here... That gets you to 3. Good catch thanks.
On Jun 19, 2017 07:09, "Joe Orton" wrote:
> The limit checking is broken in 2.2's ap_get_scoreboard_*. This was
> fixed in 2.4 in http://svn.apache.org/viewvc?view=revision&revision=417252
>
> Patch below backports that, plus fixes the additional broken comparison
> in ap_get_scoreboard_lb(), discovered by Hisanobu Okuda.
>
> Can I get +1s for this for 2.2?
>
> Submitted by: wrowe, jorton
>
> Index: server/scoreboard.c
> ===
> --- server/scoreboard.c (revision 1799181)
> +++ server/scoreboard.c (working copy)
> @@ -503,8 +503,8 @@
>
> AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y)
> {
> -if (((x < 0) || (server_limit < x)) ||
> -((y < 0) || (thread_limit < y))) {
> +if (((x < 0) || (x >= server_limit)) ||
> +((y < 0) || (y >= thread_limit))) {
> return(NULL); /* Out of range */
> }
> return &ap_scoreboard_image->servers[x][y];
> @@ -527,7 +527,7 @@
>
> AP_DECLARE(process_score *) ap_get_scoreboard_process(int x)
> {
> -if ((x < 0) || (server_limit < x)) {
> +if ((x < 0) || (x >= server_limit)) {
> return(NULL); /* Out of range */
> }
> return &ap_scoreboard_image->parent[x];
> @@ -540,7 +540,7 @@
>
> AP_DECLARE(lb_score *) ap_get_scoreboard_lb(int lb_num)
> {
> -if (((lb_num < 0) || (lb_limit < lb_num))) {
> +if (lb_num < 0 || lb_num >= lb_limit) {
> return(NULL); /* Out of range */
> }
> return &ap_scoreboard_image->balancers[lb_num];
>
>
CVE-2017-7659: mod_http2 null pointer dereference
CVE-2017-7659: mod_http2 null pointer dereference Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.24 (unreleased) httpd 2.4.25 Description: A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process. Mitigation: 2.4.25 users of mod_http2 should upgrade to 2.4.26. Credit: The Apache HTTP Server security team would like to thank Robert Święcki for reporting this issue. References: https://httpd.apache.org/security_report.html
Re: Apache 2.4.26 mpm_event_listener_wakeup_bug57399_V7
Hello Stefan, On Mon, Jun 19, 2017 at 3:23 PM, Stefan Priebe - Profihost AG wrote: > > is your wakeup patch (mpm_event_listener_wakeup_bug57399_V7) still > needed for 2.4.26? Unfortunately yes, I think I was too late to propose the backport for 2.4.26, and it didn't get enough review/vote (two on three) before the release. The final backport proposal is [1], with a small change with regard to your v7 above (removal of a duplicated code). Regards, Yann. [1] http://home.apache.org/~ylavic/patches/httpd-2.4.x-mpm_event-wakeup-v7.1.patch
Apache 2.4.26 mpm_event_listener_wakeup_bug57399_V7
Hello Yann, is your wakeup patch (mpm_event_listener_wakeup_bug57399_V7) still needed for 2.4.26? Greets, Stefan
Re: [PATCH 2.2] fix ap_get_scoreboard_*
On Mon, Jun 19, 2017 at 2:08 PM, Joe Orton wrote: > The limit checking is broken in 2.2's ap_get_scoreboard_*. This was > fixed in 2.4 in http://svn.apache.org/viewvc?view=revision&revision=417252 > > Patch below backports that, plus fixes the additional broken comparison > in ap_get_scoreboard_lb(), discovered by Hisanobu Okuda. > > Can I get +1s for this for 2.2? +1 by me (can't see the proposal in STATUS, though).
[ANNOUNCE] Apache HTTP Server 2.4.26 Released
Apache HTTP Server 2.4.26 Released
June 19, 2017
The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.26 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
a security, feature, and bug fix release.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.4.26 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase. For an overview of new features
introduced since 2.4 please see:
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.26 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_24.html
This release requires the Apache Portable Runtime (APR), minimum
version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
require the 1.6.x version of both APR and APR-Util. The APR libraries
must be upgraded for all features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
Please note that Apache Web Server Project will only provide maintenance
releases of the 2.2.x flavor through June of 2017, and will provide some
security patches beyond this date through at least December of 2017.
Minimal maintenance patches of 2.2.x are expected throughout this period,
and users are strongly encouraged to promptly complete their transitions
to the the 2.4.x flavor of httpd to benefit from a much larger assortment
of minor security and bug fixes as well as new features.
unsubscribe
[PATCH 2.2] fix ap_get_scoreboard_*
The limit checking is broken in 2.2's ap_get_scoreboard_*. This was
fixed in 2.4 in http://svn.apache.org/viewvc?view=revision&revision=417252
Patch below backports that, plus fixes the additional broken comparison
in ap_get_scoreboard_lb(), discovered by Hisanobu Okuda.
Can I get +1s for this for 2.2?
Submitted by: wrowe, jorton
Index: server/scoreboard.c
===
--- server/scoreboard.c (revision 1799181)
+++ server/scoreboard.c (working copy)
@@ -503,8 +503,8 @@
AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y)
{
-if (((x < 0) || (server_limit < x)) ||
-((y < 0) || (thread_limit < y))) {
+if (((x < 0) || (x >= server_limit)) ||
+((y < 0) || (y >= thread_limit))) {
return(NULL); /* Out of range */
}
return &ap_scoreboard_image->servers[x][y];
@@ -527,7 +527,7 @@
AP_DECLARE(process_score *) ap_get_scoreboard_process(int x)
{
-if ((x < 0) || (server_limit < x)) {
+if ((x < 0) || (x >= server_limit)) {
return(NULL); /* Out of range */
}
return &ap_scoreboard_image->parent[x];
@@ -540,7 +540,7 @@
AP_DECLARE(lb_score *) ap_get_scoreboard_lb(int lb_num)
{
-if (((lb_num < 0) || (lb_limit < lb_num))) {
+if (lb_num < 0 || lb_num >= lb_limit) {
return(NULL); /* Out of range */
}
return &ap_scoreboard_image->balancers[lb_num];
Re: [VOTE] Release Apache httpd 2.4.26 as GA
On Tue, 13 Jun 2017, Jim Jagielski wrote:
The pre-release test tarballs for Apache httpd
version 2.4.26 can be found at the usual place:
http://httpd.apache.org/dev/dist/
Late to the game and more of a nitpick for next release:
http://httpd.apache.org/dev/dist/CHANGES_2.4.26 notably has links to
the complete 2.2.x and 2.0.x release history, but NOT for the complete
2.4.x release history...
Yes, it's available in CHANGES_2.4 but I think there should be a hint
in CHANGES_2.4.26 as well to avoid confusing newcomers more than
necessary :-)
Also I suspect that the following note at the bottom of the CHANGES_
files has gone stale:
[Apache 2.3.0-dev includes those bug fixes and changes with the
Apache 2.2.xx tree as documented, and except as noted, below.]
AFAIK the 2.2.xx tree isn't changing much nowadays...
/Nikke
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Niklas Edmundsson, Admin @ {acc,hpc2n}.umu.se | ni...@acc.umu.se
---
"Initiate warp shell." - Picard
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
