Apple Security Advisory 2017-10-31-8 - Additional information for the APPLE-SA-2017-09-25-1 macOS High Sierra 10.13 advisory has been provided that relates to Apache and various other software.
dd6b5b4eac263ebc5404ceffc22559c55c0e9ecea353a5fb6bd44a6814913f91
Apple Security Advisory 2017-10-31-2 - macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, Security Update 2017-004 El Capitan are now available and address TLS weaknesses, issues in Apache, and many more vulnerabilities.
ac256e54648493ce415cbcd2306f79310dc0a2baeca5b8e57161504c227231ff
HPE Security Bulletin HPESBMU03753 1 - Several potential security vulnerabilities have been identified in HPE System Management Homepage (SMH) on Windows and Linux. The vulnerabilities could be exploited remotely resulting in Cross-site scripting, local and remote Denial of Service, local and remote execution of arbitrary code, local elevation of privilege and local unqualified configuration change. Revision 1 of this advisory.
8aebece5aa468ae51cd352fc00bf4f6f2e1373b2a2a9227a4a8e9385983057cb
Ubuntu Security Notice 3373-1 - Emmanuel Dreyfus discovered that third-party modules using the ap_get_basic_auth_pw function outside of the authentication phase may lead to authentication requirements being bypassed. This update adds a new ap_get_basic_auth_components function for use by third-party modules. Vasileios Panopoulos discovered that the Apache mod_ssl module may crash when third-party modules call ap_hook_process_connection during an HTTP request to an HTTPS port. Various other issues were also addressed.
4a9a5dea68311374e8d780883cdb344eae2007b3b5ebe311aa079e3e743f2f21
Red Hat Security Advisory 2017-1721-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning.
501f1a9e83c4d2a57f85a6319ff08f4cb39c3fe24d17c131138eb29c3b23deb5
Red Hat Security Advisory 2017-1414-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.
e31cbbf43e6335aa07238e1960a554f893a663a6add6b13476337524256e651a
Red Hat Security Advisory 2017-1413-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.
fc5d578ab608d805766f010632eaa528562b46809479d52a698f7d9a3c64dc63
Red Hat Security Advisory 2017-1415-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.
24687afd6a4178ce7a6bea57d07ffe21c8d73aff655ff9ce66ec2a3fe153139e
Ubuntu Security Notice 3279-1 - It was discovered that the Apache mod_session_crypto module was encrypting data and cookies using either CBC or ECB modes. A remote attacker could possibly use this issue to perform padding oracle attacks. Maksim Malyutin discovered that the Apache mod_auth_digest module incorrectly handled malicious input. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service. Various other issues were also addressed.
bbdfa79eba72bc753893522747a5eb3bf4a031465d01c2e221814594c43835ba
Red Hat Security Advisory 2017-1161-01 - The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module. The httpd24 Software Collection has been upgraded to version 2.4.25, which provides a number of bug fixes and enhancements over the previous version.
710ab5969c463a1c7526a5fa70f4c55c2c4077082b7622e31e2ba0c00acae88f
Red Hat Security Advisory 2017-0906-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication.
7c210a8b37d4cd2e91b8ab709f2b9b1b488e62df7478fbcbd90bdcf5da29873e
HPE Security Bulletin HPESBUX03725 1 - Potential security vulnerabilities have been identified with HP-UX Web Server Suite running Apache on HP-UX 11iv3. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS), Unauthorized Read Access to Data and other impacts including: * Padding Oracle attack in Apache mod_session_crypto * Apache HTTP Request Parsing Whitespace Defects. Revision 1 of this advisory.
5df1b537a3a2899886f0263d940c4193b758bfc583dd96021c5e940a90f029a8
Gentoo Linux Security Advisory 201701-36 - Multiple vulnerabilities have been found in Apache, the worst of which could lead to a Denial of Service condition. Versions less than 2.4.25 are affected.
1292b9a5dc4a22a3a1e118a36945f470a06cc815f7880cb1f257c44072e7af03
Slackware Security Advisory - New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
22fc1355a7f37d12eb2d8b8c12a36a28a6c7a5fff687e63fde903035e36acf96