apache2 (2.4.18-2ubuntu4.1) yakkety-security; urgency=medium
* SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
- debian/patches/CVE-2016-0736.patch: authenticate the session
data/cookie with a MAC in modules/session/mod_session_crypto.c.
- CVE-2016-0736
* SECURITY UPDATE: denial of service via malicious mod_auth_digest input
- debian/patches/CVE-2016-2161.patch: improve memory handling in
modules/aaa/mod_auth_digest.c.
- CVE-2016-2161
* SECURITY UPDATE: response splitting and cache pollution issue via
incomplete RFC7230 HTTP request grammar enforcing
- debian/patches/CVE-2016-8743.patch: enfore stricter parsing in
include/http_core.h, include/http_protocol.h, include/httpd.h,
modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
server/protocol.c, server/util.c, server/vhost.c.
- debian/patches/hostnames_with_underscores.diff: relax hostname
restrictions in server/vhost.c.
- CVE-2016-8743
* WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
may introduce compatibility issues with clients that do not strictly
follow specifications. A new configuration directive,
"HttpProtocolOptions Unsafe" can be used to re-enable some of the less
strict parsing restrictions, at the expense of security.
Date: 2017-05-05 21:01:13.325478+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
Signed-By: Ubuntu Archive Robot
<cjwatson+ubuntu-archive-ro...@chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/apache2/2.4.18-2ubuntu4.1
Sorry, changesfile not available.
--
Yakkety-changes mailing list
Yakkety-changes@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/yakkety-changes
