|
|
Log in / Subscribe / Register

Arch Linux alert ASA-201507-15 (apache)



From:
    	      Remi Gacogne <rgacogne@archlinux.org> 


To:
    	      arch-security@archlinux.org 


Subject:
    	      [arch-security] [ASA-201507-15] apache: multiple issues 


Date:
    	      Fri, 17 Jul 2015 17:09:12 +0200


Message-ID:
    	      <55A91A98.7040303@archlinux.org>


Arch Linux Security Advisory ASA-201507-15
==========================================

Severity: Medium
Date    : 2015-07-17
CVE-ID  : CVE-2015-0228 CVE-2015-0253 CVE-2015-3183 CVE-2015-3185
Package : apache
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package apache before version 2.4.16-1 is vulnerable to multiple
issues including remote denial of service and authentication bypass.

Resolution
==========

Upgrade to 2.4.16-1.

# pacman -Syu "apache>=2.4.16-1"

The problem has been fixed upstream in version 2.4.16.

Workaround
==========

None.

Description
===========

- CVE-2015-0228 (denial of service):

mod_lua: A maliciously crafted websockets PING after a script calls
r:wsupgrade() can cause a child process crash.

- CVE-2015-0253 (denial of service):

Fix a crash with ErrorDocument 400 pointing to a local URL-path with the
INCLUDES filter active, introduced in 2.4.11. PR 57531.

- CVE-2015-3183 (denial of service):

core: Fix chunk header parsing defect. Remove apr_brigade_flatten(),
buffering and duplicated code from the HTTP_IN filter, parse chunks in a
single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be
strict about chunk-ext authorized characters.

- CVE-2015-3185 (authentication bypass):

Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with
new ap_some_authn_required and ap_force_authn hook.

Impact
======

A remote attacker might be able to bypass authentication required by a
module incorrectly updated for 2.4.x, or crash the apache httpd server.

References
==========

https://access.redhat.com/security/cve/CVE-2015-0228
https://access.redhat.com/security/cve/CVE-2015-0253
https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/cve/CVE-2015-3185
http://www.apache.org/dist/httpd/CHANGES_2.4.16
https://bz.apache.org/bugzilla/show_bug.cgi?id=57531
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds