Apache 2.4 multiple vulnerabilities

interfasys

Verified User
Joined
Oct 31, 2003
Messages
2,100
Location
Switzerland
https://mail-archives.apache.org/[email protected]>

CVE-2015-3183 (cve.mitre.org)
core: Fix chunk header parsing defect.
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters.

CVE-2015-3185 (cve.mitre.org)
Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
with new ap_some_authn_required and ap_force_authn hook.

CVE-2015-0253 (cve.mitre.org)
core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
with the INCLUDES filter active, introduced in 2.4.11. PR 57531.

CVE-2015-0228 (cve.mitre.org)
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.


Apache HTTP Server 2.4.16 is available for download from:

http://httpd.apache.org/download.cgi
 
Apache 2.4.16 is now available in custombuild. Also APR version 1.5.2 has been added to custombuild.
 
Update issues

Hi, about an hour ago I installed this Apache 2.4.16 update on my VPS (CB2.0, nginx_apache setup). After that my sites weren't loading. I tried a reboot but without success. The problem appeared to be Nginx wasn't running anymore. The trick that solved my issue was a rebuild of Nginx (DA admin level - CustomBuild 2.0 - Build Software - build Nginx). Maybe there is a better way, but this worked for a server newbie like me.
If someone can tell me what I should check, I would be glad to hear it! Previous updates didn't have any issues the last months. My system was up2date before this update.
 
Back
Top