-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0845
                     apache -- multiple vulnerabilities
                               26 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache
Publisher:         FreeBSD
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1312 CVE-2018-1303 CVE-2018-1302 CVE-2018-1301
                   CVE-2018-1283 CVE-2017-15715 CVE-2017-15710

Original Bulletin:
   http://www.vuxml.org/freebsd/f38187e7-2f6e-11e8-8f07-b499baebfeaf.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than FreeBSD. It is recommended that administrators
         running apache check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

apache -- multiple vulnerabilities

Affected packages
  apache24 < 2.4.30

Details

VuXML ID   f38187e7-2f6e-11e8-8f07-b499baebfeaf
Discovery  2018-03-23
Entry      2018-03-24

The Apache httpd reports:

  Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
  (CVE-2017-15710)

  mod_session: CGI-like applications that intend to read from mod_session's
  'SessionEnv ON' could be fooled into reading user-supplied data instead.
  (CVE-2018-1283)

  mod_cache_socache: Fix request headers parsing to avoid a possible crash
  with specially crafted input data. (CVE-2018-1303)

  core: Possible crash with excessively long HTTP request headers.
  Impractical to exploit with a production build and production LogLevel.
  (CVE-2018-1301)

  core: Configure the regular expression engine to match '$' to the end of
  the input string only, excluding matching the end of any embedded newline
  characters. Behavior can be changed with new directive
  'RegexDefaultOptions'. (CVE-2017-15715)

  mod_auth_digest: Fix generation of nonce values to prevent replay attacks
  across servers using a common Digest domain. This change may cause
  problems if used with round robin load balancers. (CVE-2018-1312)

  mod_http2: Potential crash w/ mod_http2. (CVE-2018-1302)

References

  CVE Name  CVE-2017-15710
  CVE Name  CVE-2017-15715
  CVE Name  CVE-2018-1283
  CVE Name  CVE-2018-1301
  CVE Name  CVE-2018-1302
  CVE Name  CVE-2018-1303
  CVE Name  CVE-2018-1312
  URL       https://www.apache.org/dist/httpd/CHANGES_2.4.33

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
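The '$' anchoring change behind the CVE-2017-15715 item in the included text, shown as an added example that is not part of the bulletin or of Apache httpd. Python's `re` shares PCRE's default in which '$' also matches just before a final newline, so the helpers below emulate that older behaviour and the end-of-string-only behaviour the fix introduces (PCRE's DOLLAR_ENDONLY option, which is what the new RegexDefaultOptions directive controls) on constructed input strings; rewriting a trailing '$' to '\Z' is the assumed emulation here, not how httpd implements the change.

```python
import re

# Added example (not Apache httpd code). Two readings of a trailing '$':
#   default PCRE / Python re: '$' matches at the end of the subject OR just
#   before a final "\n" (the behaviour CVE-2017-15715 changes);
#   end-only (PCRE DOLLAR_ENDONLY): '$' matches only at the very end.


def matches_default_dollar(pattern: str, subject: str) -> bool:
    """Pre-fix semantics: Python's re, like default PCRE, lets '$' match
    before a trailing newline as well as at the end of the subject."""
    return re.search(pattern, subject) is not None


def matches_dollar_endonly(pattern: str, subject: str) -> bool:
    """Post-fix semantics, emulated: a trailing unescaped '$' is rewritten
    to '\\Z', which matches only at the absolute end of the subject.
    Assumption: the pattern's only anchor of interest is its final '$'."""
    if pattern.endswith("$") and not pattern.endswith("\\$"):
        pattern = pattern[:-1] + r"\Z"
    return re.search(pattern, subject) is not None


def differing_subjects(pattern: str, subjects: list[str]) -> list[str]:
    """Subjects the pattern classifies differently under the two semantics.
    A non-empty result means a configuration using this pattern relied on
    the old '$' behaviour and should be reviewed when upgrading."""
    return [
        s for s in subjects
        if matches_default_dollar(pattern, s) != matches_dollar_endonly(pattern, s)
    ]


# Constructed sample inputs: one ends in a newline, one has an embedded
# (non-final) newline, the rest are ordinary names.
SAMPLE_INPUTS = ["index.php", "index.php\n", "notes.txt",
                 "archive.php.bak", "a.php\nb.txt"]

if __name__ == "__main__":
    for s in SAMPLE_INPUTS:
        print(repr(s),
              matches_default_dollar(r"\.php$", s),
              matches_dollar_endonly(r"\.php$", s))
    print("classified differently:", differing_subjects(r"\.php$", SAMPLE_INPUTS))
```

Only the input with a final newline changes classification; an embedded newline never satisfied a non-MULTILINE '$' under either reading.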