Posted to cvs@httpd.apache.org by wr...@apache.org on 2016/12/20 19:38:20 UTC

svn commit: r1775342 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Author: wrowe
Date: Tue Dec 20 19:38:19 2016
New Revision: 1775342

URL: http://svn.apache.org/viewvc?rev=1775342&view=rev
Log:
Disclose for Announcement

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1775342&r1=1775341&r2=1775342&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Tue Dec 20 19:38:19 2016
@@ -1,6 +1,104 @@
 <security updated="20160726">
 
-<issue fixed="2.4.24-dev" reported="20161122" public="20161204" released="20161204">
+<issue fixed="2.4.25" reported="20160511" public="20161220" released="20161220">
+<cve name="CVE-2016-8743"/>
+<severity level="0">TBD</severity>
+<title>Apache HTTP Request Parsing Whitespace Defects</title>
+<description><p>
+Apache HTTP Server, prior to release 2.4.25, accepted a broad pattern of 
+unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB 
+in parsing the request line and request header lines, as well as HTAB in 
+parsing the request line. Any bare CR present in request lines was treated
+as whitespace and remained in the request field member "the_request", while
+a bare CR in the request header field name would be honored as whitespace,
+and a bare CR in the request header field value was retained the input headers
+array. Implied additional whitespace was accepted in the request line and prior
+to the ':' delimiter of any request header lines.
+</p><p>
+RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section
+3.2.3 eliminated and clarified the role of implied whitespace in the grammer
+of this specification. Section 3.1.1 requires exactly one single SP between the
+method and request-target, and between the request-target and HTTP-version, 
+followed immediately by a CRLF sequence. None of these fields permit any
+(unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed 
+any whitespace from the request header field prior to the ':' character, while
+Section 3.2 disallows all CTL characters in the request header line other than
+the HTAB character as whitespace.
+</p><p>
+These defects represent a security concern when httpd is participating in any
+chain of proxies or interacting with back-end application servers, either
+through mod_proxy or using conventional CGI mechanisms. In each case where one
+agent accepts such CTL characters and does not treat them as whitespace, there
+is the possiblity in a proxy chain of generating two responses from a server
+behind the uncautious proxy agent. In a sequence of two requests, this results
+in request A to the first proxy being interpreted as requests A + A' by the
+backend server, and if requests A and B were submitted to the first proxy in
+a keepalive connection, the proxy may interpret response A' as the response
+to request B, polluting the cache or potentially serving the A' content to 
+a different downstream user-agent.
+</p><p>
+These defects are addressed with the release of Apache HTTP Server 2.4.25
+and coordinated by a new directive;<br />
+<ul><li>
+<a href="http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions"
+  >HttpProtocolOptions Strict</a></li></ul>
+which is the default behavior of 2.4.25 and later. By toggling from 'Strict'
+behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow
+some invalid HTTP/1.1 clients to communicate with the server, but this will
+reintroduce the possibility of the problems described in this assessment.
+Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs
+other than HTAB (where permitted), but will allow other RFC requirements to
+not be enforced, such as exactly two SP characters in the request line.
+</p></description>
+<acknowledgements>
+We would like to thank David Dennerline at IBM Security's X-Force Researchers
+as well as Sergey Bobrov for each reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+<affects prod="httpd" version="2.2.31"/>
+<affects prod="httpd" version="2.2.29"/>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.4.25" reported="20161122" public="20161204" released="20161220">
 <cve name="CVE-2016-8740"/>
 <severity level="0">n/a</severity>
 <title>HTTP/2 CONTINUATION denial of service</title>
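Review bot: the new CVE-2016-8743 entry is committed with `<severity level="0">TBD</severity>` although the log marks it for disclosure; the other entries in this file carry `n/a` or a real rating, so the placeholder needs resolving before the page is published. Likewise the unchanged `<security updated="20160726">` at the top of the hunk still says July while the issue being added is `public="20161220"`. In the description, a few typos and dropped words should be fixed before announcement: `grammer` -> `grammar`, `possiblity` -> `possibility`, `was retained the input headers array` -> `was retained in the input headers array`, and the semicolon in `coordinated by a new directive;` should be a colon since it introduces the list. The `<br /><ul>...</ul>` is nested inside a `<p>`, which is not valid HTML once rendered (a list cannot be a child of a paragraph); close the paragraph before the list and reopen it after, e.g. `</p><ul><li>...HttpProtocolOptions Strict</a></li></ul><p>which is the default behavior of 2.4.25 and later.`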
@@ -22,7 +120,7 @@ and CDF/SEFCOM at Arizona State Universi
 <affects prod="httpd" version="2.4.17"/>
 </issue>
 
-<issue fixed="2.4.24-dev" reported="20160702" public="20160718" released="20160718">
+<issue fixed="2.4.25" reported="20160702" public="20160718" released="20161220">
 <cve name="CVE-2016-5387"/>
 <severity level="0">n/a</severity>
 <title>HTTP_PROXY environment variable "httpoxy" mitigation</title>
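Review bot: `released` for CVE-2016-5387 moves from 20160718 to 20161220 while `public` stays 20160718, which matches the CVE-2016-8740 line in the first hunk (public 20161204, released 20161220) in treating `released` as the date of the fixing release rather than the disclosure date; worth keeping that convention consistent across all entries, since the original line used the disclosure date for both.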
@@ -38,6 +136,7 @@ and CDF/SEFCOM at Arizona State Universi
   This workaround and patch are documented in the ASF Advisory at
   <a href="https://www.apache.org/security/asf-httpoxy-response.txt"
      >https://www.apache.org/security/asf-httpoxy-response.txt</a>
+  and incorporated in the 2.4.25 release.
 </p></description>
 <acknowledgements>
 We would like to thank Dominic Scheirlinck and Scott Geary of Vend