Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On Mon, Jun 19, 2017 at 5:49 PM, Jacob Champion wrote:
> On 06/19/2017 03:44 PM, William A Rowe Jr wrote:
>>
>> None at all, I have moderation and will push it on.
>
> They are on their way over to you. Thanks for the suggestion.

... and moderated. Thanks!
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On 06/19/2017 03:44 PM, William A Rowe Jr wrote:
> None at all, I have moderation and will push it on.

They are on their way over to you. Thanks for the suggestion.

--Jacob
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On Mon, Jun 19, 2017 at 5:41 PM, Jacob Champion wrote:
> On 06/19/2017 03:35 PM, William A Rowe Jr wrote:
>>
>> Not to announce@httpd? users@ and dev@ aren't particularly
>> broadcast channels.
>>
>> announce@a.o might be too wide an audience, but that's why
>> we document the CVE's with short notes in the foundation-wide
>> release announcement. At least, used to document them.
>
>
> I was following Jim's lead on the first CVE announcement. I'm not opposed to
> a [SECURITY] announcement for all five; just timid. :)
>
> Any opposed to me copying all five to announce@httpd?

None at all, I have moderation and will push it on.

Just FYI you must always send-from your @apache.org identity when pushing
mail to any announce@ list, because all other posts are pre-filtered before
moderation.
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
On 06/19/2017 03:35 PM, William A Rowe Jr wrote:
> Not to announce@httpd? users@ and dev@ aren't particularly
> broadcast channels.
>
> announce@a.o might be too wide an audience, but that's why
> we document the CVE's with short notes in the foundation-wide
> release announcement. At least, used to document them.

I was following Jim's lead on the first CVE announcement. I'm not opposed to
a [SECURITY] announcement for all five; just timid. :)

Any opposed to me copying all five to announce@httpd?

--Jacob
Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
Not to announce@httpd? users@ and dev@ aren't particularly
broadcast channels.

announce@a.o might be too wide an audience, but that's why
we document the CVE's with short notes in the foundation-wide
release announcement. At least, used to document them.

On Mon, Jun 19, 2017 at 5:08 PM, Jacob Champion <jchamp...@apache.org> wrote:
> CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> httpd 2.2.0 to 2.2.32
> httpd 2.4.0 to 2.4.25
>
> Description:
> Use of the ap_get_basic_auth_pw() by third-party modules outside of the
> authentication phase may lead to authentication requirements being
> bypassed.
>
> Mitigation:
> 2.2.x users should either apply the patch available at
> https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
> or upgrade in the future to 2.2.33, which is currently unreleased.
>
> 2.4.x users should upgrade to 2.4.26.
>
> Third-party module writers SHOULD use ap_get_basic_auth_components(),
> available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
> Modules which call the legacy ap_get_basic_auth_pw() during the
> authentication phase MUST either immediately authenticate the user after
> the call, or else stop the request immediately with an error response,
> to avoid incorrectly authenticating the current request.
>
> Credit:
> The Apache HTTP Server security team would like to thank Emmanuel
> Dreyfus for reporting this issue.
>
> References:
> https://httpd.apache.org/security_report.html
CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Third-party module writers SHOULD use ap_get_basic_auth_components(),
available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the
authentication phase MUST either immediately authenticate the user after
the call, or else stop the request immediately with an error response,
to avoid incorrectly authenticating the current request.

Credit:
The Apache HTTP Server security team would like to thank Emmanuel
Dreyfus for reporting this issue.

References:
https://httpd.apache.org/security_report.html
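The advisory above (and its quoted copy earlier in the thread) describes the hazard in one sentence; the following is an added, self-contained model of why it matters, written for this page and not taken from httpd. The stand-in request_rec, the hook functions, the "Require valid-user" check and the alice/s3cret credential table are all invented here. The only behaviour borrowed from httpd is the one the advisory turns on: the legacy ap_get_basic_auth_pw() sets r->user as a side effect of reading the credentials, while ap_get_basic_auth_components() hands back the username and password without touching the request. Scenario A shows a module that peeks at the password outside the authentication phase and thereby leaves r->user populated with nothing ever checked; scenario B shows the same module on the components API; scenario C shows the legacy call used the way the advisory requires, validating immediately or failing the request immediately.

```c
/* Self-contained model of the CVE-2017-3167 failure mode. Added illustration with
 * stand-in types, NOT httpd's own code: request_rec, the hooks and the credential
 * table are invented here to show why a side effect on r->user matters. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OK 0
#define HTTP_UNAUTHORIZED 401

/* Stand-in for httpd's request_rec: only the fields the model needs. */
typedef struct {
    const char *authorization; /* raw Authorization header value, may be NULL */
    char *user;                /* r->user; non-NULL means "authenticated" downstream */
    const char *ap_auth_type;
} request_rec;

/* Minimal base64 decoder for the Basic credentials; stops at '=' padding. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

static char *b64decode(const char *in)
{
    char *out = malloc(strlen(in) + 1);   /* decoded text is shorter than input */
    size_t o = 0; unsigned acc = 0; int bits = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) { free(out); return NULL; }
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) { bits -= 8; out[o++] = (char)((acc >> bits) & 0xff); acc &= (1u << bits) - 1; }
    }
    out[o] = '\0';
    return out;
}

/* Parse "Basic <b64>" into a malloc'd "user" and a pointer to "pw" inside it. */
static int parse_basic(const request_rec *r, char **user, const char **pw)
{
    char *decoded, *colon;
    if (!r->authorization || strncmp(r->authorization, "Basic ", 6) != 0) return HTTP_UNAUTHORIZED;
    if (!(decoded = b64decode(r->authorization + 6))) return HTTP_UNAUTHORIZED;
    if (!(colon = strchr(decoded, ':'))) { free(decoded); return HTTP_UNAUTHORIZED; }
    *colon = '\0'; *user = decoded; *pw = colon + 1;
    return OK;
}

/* Model of the legacy ap_get_basic_auth_pw(): returns the password AND, as a
 * side effect, marks the request as carrying an authenticated user. */
static int legacy_get_basic_auth_pw(request_rec *r, const char **pw)
{
    char *user; int rv = parse_basic(r, &user, pw);
    if (rv != OK) return rv;
    r->user = user;                 /* the side effect the advisory warns about */
    r->ap_auth_type = "Basic";
    return OK;
}

/* Model of ap_get_basic_auth_components(): same parsing, no side effect on r. */
static int get_basic_auth_components(const request_rec *r, char **username, const char **password)
{
    return parse_basic(r, username, password);
}

/* Constructed credential table for scenario C (not a real user). */
static int password_ok(const char *user, const char *pw)
{
    return strcmp(user, "alice") == 0 && strcmp(pw, "s3cret") == 0;
}

/* Authorization stage with "Require valid-user" semantics: pass iff r->user is set. */
static int require_valid_user(const request_rec *r) { return r->user ? OK : HTTP_UNAUTHORIZED; }

/* Scenario A: a non-auth-phase module (say, a logger) peeks at the password with the
 * legacy call and ignores the result; no authenticator ever runs. The request passes
 * "Require valid-user" purely because the header was present, whatever the password. */
int scenario_legacy_out_of_phase(const char *auth_header)
{
    request_rec r = { auth_header, NULL, NULL }; const char *pw;
    (void)legacy_get_basic_auth_pw(&r, &pw);
    int rv = require_valid_user(&r); free(r.user); return rv;
}

/* Scenario B: the same module on the components API: r->user stays NULL, authz denies. */
int scenario_components_out_of_phase(const char *auth_header)
{
    request_rec r = { auth_header, NULL, NULL }; char *u = NULL; const char *pw;
    (void)get_basic_auth_components(&r, &u, &pw);
    int rv = require_valid_user(&r); free(u); return rv;
}

/* Scenario C: legacy call inside the authentication phase, used as the advisory
 * requires: authenticate immediately, or stop the request immediately with an error. */
int scenario_legacy_in_auth_phase(const char *auth_header)
{
    request_rec r = { auth_header, NULL, NULL }; const char *pw;
    int rv = legacy_get_basic_auth_pw(&r, &pw);
    if (rv != OK) return rv;                               /* no/bad header: stop now */
    if (!password_ok(r.user, pw)) { free(r.user); return HTTP_UNAUTHORIZED; } /* wrong pw: stop now */
    rv = require_valid_user(&r); free(r.user); return rv;  /* authenticated, authz passes */
}

int main(void)
{
    const char *good = "Basic YWxpY2U6czNjcmV0";  /* constructed: alice:s3cret */
    const char *bad  = "Basic YWxpY2U6d3Jvbmc=";  /* constructed: alice:wrong  */
    printf("A legacy, out of phase, wrong password: %d (bypass)\n", scenario_legacy_out_of_phase(bad));
    printf("B components, out of phase:             %d\n", scenario_components_out_of_phase(good));
    printf("C legacy in auth phase, good/bad:       %d / %d\n",
           scenario_legacy_in_auth_phase(good), scenario_legacy_in_auth_phase(bad));
    return 0;
}
```

The practitioner's takeaway from scenario A is that the bypass needs no bug in the authenticator at all: any module that touches the legacy call in a phase where nothing validates the password leaves the request looking authenticated to everything that checks r->user afterwards. Auditing a third-party module for this issue therefore means grepping for ap_get_basic_auth_pw() and, for every call site, confirming it runs in the check_user_id phase and is followed on every path by either a successful credential check or an error return, exactly as scenario C does; anything else should move to ap_get_basic_auth_components() on 2.4.26 / 2.2.33.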