You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/07/11 16:19:48 UTC
svn commit: r1801632 -
/httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Author: wrowe
Date: Tue Jul 11 16:19:48 2017
New Revision: 1801632
URL: http://svn.apache.org/viewvc?rev=1801632&view=rev
Log:
Split another entry that has long been missing from the website for 2.2
Modified:
httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1801632&r1=1801631&r2=1801632&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Tue Jul 11 16:19:48 2017
@@ -281,8 +281,8 @@ We would like to thank ChenQin and Hanno
<severity level="2">important</severity>
<title>Apache HTTP Request Parsing Whitespace Defects</title>
<description><p>
-Apache HTTP Server, prior to release 2.4.25, accepted a broad pattern of
-unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB
+Apache HTTP Server, prior to release 2.4.25 (2.2.32), accepted a broad pattern
+of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB
in parsing the request line and request header lines, as well as HTAB in
parsing the request line. Any bare CR present in request lines was treated
as whitespace and remained in the request field member "the_request", while
@@ -344,6 +344,62 @@ as well as Régis Leroy for each repor
<affects prod="httpd" version="2.4.3"/>
<affects prod="httpd" version="2.4.2"/>
<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.2.32" reported="20160210" public="20161220" released="20170113">
+<cve name="CVE-2016-8743"/>
+<severity level="2">important</severity>
+<title>Apache HTTP Request Parsing Whitespace Defects</title>
+<description><p>
+Apache HTTP Server, prior to release 2.4.25 (2.2.32), accepted a broad pattern
+of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB
+in parsing the request line and request header lines, as well as HTAB in
+parsing the request line. Any bare CR present in request lines was treated
+as whitespace and remained in the request field member "the_request", while
+a bare CR in the request header field name would be honored as whitespace,
+and a bare CR in the request header field value was retained the input headers
+array. Implied additional whitespace was accepted in the request line and prior
+to the ':' delimiter of any request header lines.
+</p><p>
+RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section
+3.2.3 eliminated and clarified the role of implied whitespace in the grammer
+of this specification. Section 3.1.1 requires exactly one single SP between the
+method and request-target, and between the request-target and HTTP-version,
+followed immediately by a CRLF sequence. None of these fields permit any
+(unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed
+any whitespace from the request header field prior to the ':' character, while
+Section 3.2 disallows all CTL characters in the request header line other than
+the HTAB character as whitespace.
+</p><p>
+These defects represent a security concern when httpd is participating in any
+chain of proxies or interacting with back-end application servers, either
+through mod_proxy or using conventional CGI mechanisms. In each case where one
+agent accepts such CTL characters and does not treat them as whitespace, there
+is the possiblity in a proxy chain of generating two responses from a server
+behind the uncautious proxy agent. In a sequence of two requests, this results
+in request A to the first proxy being interpreted as requests A + A' by the
+backend server, and if requests A and B were submitted to the first proxy in
+a keepalive connection, the proxy may interpret response A' as the response
+to request B, polluting the cache or potentially serving the A' content to
+a different downstream user-agent.
+</p><p>
+These defects are addressed with the release of Apache HTTP Server 2.4.25
+and coordinated by a new directive;<br />
+<ul><li>
+<a href="http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions"
+ >HttpProtocolOptions Strict</a></li></ul>
+which is the default behavior of 2.4.25 and later. By toggling from 'Strict'
+behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow
+some invalid HTTP/1.1 clients to communicate with the server, but this will
+reintroduce the possibility of the problems described in this assessment.
+Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs
+other than HTAB (where permitted), but will allow other RFC requirements to
+not be enforced, such as exactly two SP characters in the request line.
+</p></description>
+<acknowledgements>
+We would like to thank David Dennerline at IBM Security's X-Force Researchers
+as well as Régis Leroy for each reporting this issue.
+</acknowledgements>
<affects prod="httpd" version="2.2.31"/>
<affects prod="httpd" version="2.2.29"/>
<affects prod="httpd" version="2.2.27"/>