You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2017/06/19 16:36:08 UTC
svn commit: r1799225 - /httpd/httpd/branches/2.4.x/CHANGES
Author: jim
Date: Mon Jun 19 16:36:07 2017
New Revision: 1799225
URL: http://svn.apache.org/viewvc?rev=1799225&view=rev
Log:
NOTE CVEs
Modified:
httpd/httpd/branches/2.4.x/CHANGES
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1799225&r1=1799224&r2=1799225&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Jun 19 16:36:07 2017
@@ -5,6 +5,30 @@ Changes with Apache 2.4.27
Changes with Apache 2.4.26
+ *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+ mod_mime can read one byte past the end of a buffer when sending a
+ malicious Content-Type response header.
+
+ *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+ The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+ bug in token list parsing, which allows ap_find_token() to search past
+ the end of its input string. By maliciously crafting a sequence of
+ request headers, an attacker may be able to cause a segmentation fault,
+ or to force ap_find_token() to return an incorrect value.
+
+ *) SECURITY: CVE-2017-7659 (cve.mitre.org)
+ A maliciously constructed HTTP/2 request could cause mod_http2 to
+ dereference a NULL pointer and crash the server process.
+
+ *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+ mod_ssl may dereference a NULL pointer when third-party modules call
+ ap_hook_process_connection() during an HTTP request to an HTTPS port.
+
+ *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+ Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+ authentication phase may lead to authentication requirements being
+ bypassed.
+
*) HTTP/2 support no longer tagged as "experimental" but is instead considered
fully production ready.