Synopsis: Important: httpd security update
Advisory ID: SLSA-2017:2478-1
Issue Date: 2017-08-15
CVE Numbers: CVE-2017-3167
CVE-2017-3169
CVE-2017-7679
CVE-2017-9788
—
Security Fix(es):
* It was discovered that the httpd’s mod_auth_digest module did not
properly initialize memory before using it when processing certain headers
related to digest authentication. A remote attacker could possibly use
this flaw to disclose potentially sensitive information or cause httpd
child process to crash by sending specially crafted requests to a server.
(CVE-2017-9788)
* It was discovered that the use of httpd’s ap_get_basic_auth_pw() API
function outside of the authentication phase could lead to authentication
bypass. A remote attacker could possibly use this flaw to bypass required
authentication if the API was used incorrectly by one of the modules used
by httpd. (CVE-2017-3167)
* A NULL pointer dereference flaw was found in the httpd’s mod_ssl module.
A remote attacker could use this flaw to cause an httpd child process to
crash if another module used by httpd called a certain API function during
the processing of an HTTPS request. (CVE-2017-3169)
* A buffer over-read flaw was found in the httpd’s mod_mime module. A user
permitted to modify httpd’s MIME configuration could use this flaw to
cause httpd child process to crash. (CVE-2017-7679)
—
SL6
x86_64
httpd-2.2.15-60.el6_9.5.x86_64.rpm
httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm
httpd-tools-2.2.15-60.el6_9.5.x86_64.rpm
httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm
httpd-devel-2.2.15-60.el6_9.5.i686.rpm
httpd-devel-2.2.15-60.el6_9.5.x86_64.rpm
mod_ssl-2.2.15-60.el6_9.5.x86_64.rpm
i386
httpd-2.2.15-60.el6_9.5.i686.rpm
httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm
httpd-tools-2.2.15-60.el6_9.5.i686.rpm
httpd-devel-2.2.15-60.el6_9.5.i686.rpm
mod_ssl-2.2.15-60.el6_9.5.i686.rpm
noarch
httpd-manual-2.2.15-60.el6_9.5.noarch.rpm
– Scientific Linux Development Team
