Posted to cvs@httpd.apache.org by bu...@apache.org on 2016/12/20 19:38:27 UTC

svn commit: r1003194 - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_24.html

Author: buildbot
Date: Tue Dec 20 19:38:27 2016
New Revision: 1003194

Log:
Staging update by buildbot for httpd

Modified:
    websites/staging/httpd/trunk/content/   (props changed)
    websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml
    websites/staging/httpd/trunk/content/security/vulnerabilities_24.html

Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Dec 20 19:38:27 2016
@@ -1 +1 @@
-1774634
+1775342

Modified: websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml Tue Dec 20 19:38:27 2016
@@ -1,6 +1,104 @@
 <security updated="20160726">
 
-<issue fixed="2.4.24-dev" reported="20161122" public="20161204" released="20161204">
+<issue fixed="2.4.25" reported="20160511" public="20161220" released="20161220">
+<cve name="CVE-2016-8743"/>
+<severity level="0">TBD</severity>
+<title>Apache HTTP Request Parsing Whitespace Defects</title>
+<description><p>
+Apache HTTP Server, prior to release 2.4.25, accepted a broad pattern of 
+unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB 
+in parsing the request line and request header lines, as well as HTAB in 
+parsing the request line. Any bare CR present in request lines was treated
+as whitespace and remained in the request field member "the_request", while
+a bare CR in the request header field name would be honored as whitespace,
+and a bare CR in the request header field value was retained the input headers
+array. Implied additional whitespace was accepted in the request line and prior
+to the ':' delimiter of any request header lines.
+</p><p>
+RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section
+3.2.3 eliminated and clarified the role of implied whitespace in the grammer
+of this specification. Section 3.1.1 requires exactly one single SP between the
+method and request-target, and between the request-target and HTTP-version, 
+followed immediately by a CRLF sequence. None of these fields permit any
+(unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed 
+any whitespace from the request header field prior to the ':' character, while
+Section 3.2 disallows all CTL characters in the request header line other than
+the HTAB character as whitespace.
+</p><p>
+These defects represent a security concern when httpd is participating in any
+chain of proxies or interacting with back-end application servers, either
+through mod_proxy or using conventional CGI mechanisms. In each case where one
+agent accepts such CTL characters and does not treat them as whitespace, there
+is the possiblity in a proxy chain of generating two responses from a server
+behind the uncautious proxy agent. In a sequence of two requests, this results
+in request A to the first proxy being interpreted as requests A + A' by the
+backend server, and if requests A and B were submitted to the first proxy in
+a keepalive connection, the proxy may interpret response A' as the response
+to request B, polluting the cache or potentially serving the A' content to 
+a different downstream user-agent.
+</p><p>
+These defects are addressed with the release of Apache HTTP Server 2.4.25
+and coordinated by a new directive;<br />
+<ul><li>
+<a href="http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions"
+  >HttpProtocolOptions Strict</a></li></ul>
+which is the default behavior of 2.4.25 and later. By toggling from 'Strict'
+behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow
+some invalid HTTP/1.1 clients to communicate with the server, but this will
+reintroduce the possibility of the problems described in this assessment.
+Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs
+other than HTAB (where permitted), but will allow other RFC requirements to
+not be enforced, such as exactly two SP characters in the request line.
+</p></description>
+<acknowledgements>
+We would like to thank David Dennerline at IBM Security's X-Force Researchers
+as well as Sergey Bobrov for each reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+<affects prod="httpd" version="2.2.31"/>
+<affects prod="httpd" version="2.2.29"/>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.4.25" reported="20161122" public="20161204" released="20161220">
 <cve name="CVE-2016-8740"/>
 <severity level="0">n/a</severity>
 <title>HTTP/2 CONTINUATION denial of service</title>
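Review bot: the unchanged first line `<security updated="20160726">` is now stale, since this hunk adds an issue with public="20161220"; bump the attribute in the same commit. The new description also carries wording defects that the generated HTML will reproduce verbatim: "grammer" should be "grammar", "possiblity" should be "possibility", "was retained the input headers array" is missing "in", and "coordinated by a new directive;" wants a colon rather than a semicolon. The `<ul>` that follows `<br />` sits inside a `<p>`, which is not valid in a paragraph; close the paragraph before the list (and the `<br />` is then unnecessary). Finally, `<severity level="0">TBD</severity>` is a placeholder next to an assigned CVE, whereas the CVE-2016-8740 and CVE-2016-5387 entries in this file use "n/a"; the rating should be decided before the entry is published.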
@@ -22,7 +120,7 @@ and CDF/SEFCOM at Arizona State Universi
 <affects prod="httpd" version="2.4.17"/>
 </issue>
 
-<issue fixed="2.4.24-dev" reported="20160702" public="20160718" released="20160718">
+<issue fixed="2.4.25" reported="20160702" public="20160718" released="20161220">
 <cve name="CVE-2016-5387"/>
 <severity level="0">n/a</severity>
 <title>HTTP_PROXY environment variable "httpoxy" mitigation</title>
@@ -38,6 +136,7 @@ and CDF/SEFCOM at Arizona State Universi
   This workaround and patch are documented in the ASF Advisory at
   <a href="https://www.apache.org/security/asf-httpoxy-response.txt"
      >https://www.apache.org/security/asf-httpoxy-response.txt</a>
+  and incorporated in the 2.4.25 release.
 </p></description>
 <acknowledgements>
 We would like to thank Dominic Scheirlinck and Scott Geary of Vend 

Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_24.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_24.html Tue Dec 20 19:38:27 2016
@@ -100,8 +100,77 @@ in a "-dev" release then this means that
 the development source tree and will be part of an upcoming full release.</p><p> This page is created from a database of vulnerabilities originally
 populated by Apache Week.  Please send comments or corrections for
 these vulnerabilities to the <a href="/security_report.html">Security
-Team</a>.  </p><p><em>The initial GA release, Apache httpd 2.4.1, includes fixes for all vulnerabilities which have been resolved in Apache httpd 2.2.22 and all older releases.  Consult the <a href="vulnerabilities_22.html">Apache httpd 2.2 vulnerabilities list</a> for more information.</em></p><h1 id="2.4.24-dev">
-Fixed in Apache httpd 2.4.24-dev</h1><dl>
+Team</a>.  </p><p><em>The initial GA release, Apache httpd 2.4.1, includes fixes for all vulnerabilities which have been resolved in Apache httpd 2.2.22 and all older releases.  Consult the <a href="vulnerabilities_22.html">Apache httpd 2.2 vulnerabilities list</a> for more information.</em></p><h1 id="2.4.25">
+Fixed in Apache httpd 2.4.25</h1><dl>
+  <dd>
+    <b>TBD: </b>
+    <b>
+      <name name="CVE-2016-8743">Apache HTTP Request Parsing Whitespace Defects</name>
+    </b>
+    <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>
+    <p>
+Apache HTTP Server, prior to release 2.4.25, accepted a broad pattern of 
+unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB 
+in parsing the request line and request header lines, as well as HTAB in 
+parsing the request line. Any bare CR present in request lines was treated
+as whitespace and remained in the request field member "the_request", while
+a bare CR in the request header field name would be honored as whitespace,
+and a bare CR in the request header field value was retained the input headers
+array. Implied additional whitespace was accepted in the request line and prior
+to the ':' delimiter of any request header lines.
+</p>
+    <p>
+RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section
+3.2.3 eliminated and clarified the role of implied whitespace in the grammer
+of this specification. Section 3.1.1 requires exactly one single SP between the
+method and request-target, and between the request-target and HTTP-version, 
+followed immediately by a CRLF sequence. None of these fields permit any
+(unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed 
+any whitespace from the request header field prior to the ':' character, while
+Section 3.2 disallows all CTL characters in the request header line other than
+the HTAB character as whitespace.
+</p>
+    <p>
+These defects represent a security concern when httpd is participating in any
+chain of proxies or interacting with back-end application servers, either
+through mod_proxy or using conventional CGI mechanisms. In each case where one
+agent accepts such CTL characters and does not treat them as whitespace, there
+is the possiblity in a proxy chain of generating two responses from a server
+behind the uncautious proxy agent. In a sequence of two requests, this results
+in request A to the first proxy being interpreted as requests A + A' by the
+backend server, and if requests A and B were submitted to the first proxy in
+a keepalive connection, the proxy may interpret response A' as the response
+to request B, polluting the cache or potentially serving the A' content to 
+a different downstream user-agent.
+</p>
+    <p>
+These defects are addressed with the release of Apache HTTP Server 2.4.25
+and coordinated by a new directive;<br/>
+<ul><li>
+<a href="http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions">HttpProtocolOptions Strict</a></li></ul>
+which is the default behavior of 2.4.25 and later. By toggling from 'Strict'
+behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow
+some invalid HTTP/1.1 clients to communicate with the server, but this will
+reintroduce the possibility of the problems described in this assessment.
+Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs
+other than HTAB (where permitted), but will allow other RFC requirements to
+not be enforced, such as exactly two SP characters in the request line.
+</p>
+  </dd>
+  <dd>
+    <p>Acknowledgements: 
+We would like to thank David Dennerline at IBM Security's X-Force Researchers
+as well as Sergey Bobrov for each reporting this issue.
+</p>
+  </dd>
+  <dd>
+  Reported to security team: 11th May 2016<br/>
+  Issue public: 20th December 2016<br/></dd>
+  <dd>
+  Update Released: 20th December 2016<br/></dd>
+  <dd>
+      Affects: 
+    2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p/></dd>
   <dd>
     <b>n/a: </b>
     <b>
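Review bot: this file is regenerated by the buildbot from vulnerabilities-httpd.xml, so the "grammer" and "possiblity" typos, the missing "in" in "was retained the input headers array", and the `<ul>` nested inside `<p>` after `<br/>` should be corrected in the XML source, not here, or the next staging run will reintroduce them. The `<name name="CVE-2016-8743">` element inside `<b>` is not an HTML element and will not render as an anchor target; if the template intends a linkable target, an `id` on the `<b>` or an `<a>` would work. Note also that the `<b>TBD: </b>` severity label is reader-visible on the published page, so the placeholder in the XML should be resolved before this goes live.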
@@ -127,7 +196,7 @@ and CDF/SEFCOM at Arizona State Universi
   Reported to security team: 22nd November 2016<br/>
   Issue public: 4th December 2016<br/></dd>
   <dd>
-  Update Released: 4th December 2016<br/></dd>
+  Update Released: 20th December 2016<br/></dd>
   <dd>
       Affects: 
     2.4.23, 2.4.20, 2.4.18, 2.4.17<p/></dd>
@@ -148,6 +217,7 @@ and CDF/SEFCOM at Arizona State Universi
     <p>
   This workaround and patch are documented in the ASF Advisory at
   <a href="https://www.apache.org/security/asf-httpoxy-response.txt">https://www.apache.org/security/asf-httpoxy-response.txt</a>
+  and incorporated in the 2.4.25 release.
 </p>
   </dd>
   <dd>
@@ -160,7 +230,7 @@ for reporting and proposing a fix for th
   Reported to security team: 2nd July 2016<br/>
   Issue public: 18th July 2016<br/></dd>
   <dd>
-  Update Released: 18th July 2016<br/></dd>
+  Update Released: 20th December 2016<br/></dd>
   <dd>
       Affects: 
     2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1<p/></dd>