apache: Multiple vulnerabilities
說明
The Apache httpd reports:
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
(CVE-2017-15710)
mod_session: CGI-like applications that intend to read from mod_session’s
‘SessionEnv ON’ could be fooled into reading user-supplied data instead.
(CVE-2018-1283)
mod_cache_socache: Fix request headers parsing to avoid a possible crash with
specially crafted input data. (CVE-2018-1303)
core: Possible crash with excessively long HTTP request headers. Impractical
to exploit with a production build and production LogLevel. (CVE-2018-1301)
core: Configure the regular expression engine to match ‘$’ to the end of the
input string only, excluding matching the end of any embedded newline
characters. Behavior can be changed with new directive ‘RegexDefaultOptions’.
(CVE-2017-15715)
mod_auth_digest: Fix generation of nonce values to prevent replay attacks
across servers using a common Digest domain. This change may cause problems if
used with round robin load balancers. (CVE-2018-1312)
mod_http2: Potential crash w/ mod_http2. (CVE-2018-1302)
影響內容
Affected packages
apache24 < 2.4.30
處理方式
更新至版本 2.4.33
相關連結
https://www.auscert.org.au/bulletins/60042
