{ "Definition": [ { "ID": "oval:org.altlinux.errata:def:20171783", "Version": "oval:org.altlinux.errata:def:20171783", "Class": "patch", "Metadata": { "Title": "ALT-PU-2017-1783: package `apache2` update to version 2.4.26-alt1.S1", "AffectedList": [ { "Family": "unix", "Platforms": [ "ALT Linux branch p11" ], "Products": [ "ALT Container" ] } ], "References": [ { "RefID": "ALT-PU-2017-1783", "RefURL": "https://errata.altlinux.org/ALT-PU-2017-1783", "Source": "ALTPU" }, { "RefID": "BDU:2017-02149", "RefURL": "https://bdu.fstec.ru/vul/2017-02149", "Source": "BDU" }, { "RefID": "BDU:2017-02150", "RefURL": "https://bdu.fstec.ru/vul/2017-02150", "Source": "BDU" }, { "RefID": "BDU:2017-02152", "RefURL": "https://bdu.fstec.ru/vul/2017-02152", "Source": "BDU" }, { "RefID": "BDU:2017-02153", "RefURL": "https://bdu.fstec.ru/vul/2017-02153", "Source": "BDU" }, { "RefID": "BDU:2021-01393", "RefURL": "https://bdu.fstec.ru/vul/2021-01393", "Source": "BDU" }, { "RefID": "CVE-2017-3167", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-3167", "Source": "CVE" }, { "RefID": "CVE-2017-3169", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-3169", "Source": "CVE" }, { "RefID": "CVE-2017-7659", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7659", "Source": "CVE" }, { "RefID": "CVE-2017-7668", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7668", "Source": "CVE" }, { "RefID": "CVE-2017-7679", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7679", "Source": "CVE" } ], "Description": "This update upgrades apache2 to version 2.4.26-alt1.S1. \nSecurity Fix(es):\n\n * BDU:2017-02149: Уязвимость модуля mod_mime веб-сервера Apache HTTP Server (HTTPD), позволяющая нарушителю вызвать сбой дочернего процесса HTTPD\n\n * BDU:2017-02150: Уязвимость функции ap_find_token веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать ошибку сегментации\n\n * BDU:2017-02152: Уязвимость модуля mod_ssl веб-сервера Apache HTTP Server, позволяющая нарушителю получить доступ к локальным файлам\n\n * BDU:2017-02153: Уязвимость функции ap_get_basic_auth_pw() веб-сервера Apache HTTP Server, позволяющая нарушителю обойти требования аутентификации\n\n * BDU:2021-01393: Уязвимость модуля mod_http2 веб-сервера Apache HTTP Server, связанная с разыменованием нулевого указателя, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2017-3167: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.\n\n * CVE-2017-3169: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.\n\n * CVE-2017-7659: A maliciously constructed HTTP/2 request could cause mod_http2 in Apache HTTP Server 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process.\n\n * CVE-2017-7668: The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.\n\n * CVE-2017-7679: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.", "Advisory": { "From": "errata.altlinux.org", "Severity": "Critical", "Rights": "Copyright 2024 BaseALT Ltd.", "Issued": { "Date": "2017-06-26" }, "Updated": { "Date": "2017-06-26" }, "BDUs": [ { "ID": "BDU:2017-02149", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-119", "Href": "https://bdu.fstec.ru/vul/2017-02149", "Impact": "Critical", "Public": "20170411" }, { "ID": "BDU:2017-02150", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-20", "Href": "https://bdu.fstec.ru/vul/2017-02150", "Impact": "Critical", "Public": "20170411" }, { "ID": "BDU:2017-02152", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-476", "Href": "https://bdu.fstec.ru/vul/2017-02152", "Impact": "Critical", "Public": "20161205" }, { "ID": "BDU:2017-02153", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-287", "Href": "https://bdu.fstec.ru/vul/2017-02153", "Impact": "Critical", "Public": "20161205" }, { "ID": "BDU:2021-01393", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-476", "Href": "https://bdu.fstec.ru/vul/2021-01393", "Impact": "High", "Public": "20161118" } ], "CVEs": [ { "ID": "CVE-2017-3167", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-287", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-3167", "Impact": "Critical", "Public": "20170620" }, { "ID": "CVE-2017-3169", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-476", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-3169", "Impact": "Critical", "Public": "20170620" }, { "ID": "CVE-2017-7659", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-476", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7659", "Impact": "High", "Public": "20170726" }, { "ID": "CVE-2017-7668", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-125", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7668", "Impact": "High", "Public": "20170620" }, { "ID": "CVE-2017-7679", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-119", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7679", "Impact": "Critical", "Public": "20170620" } ], "AffectedCPEs": { "CPEs": [ "cpe:/o:alt:container:11" ] } } }, "Criteria": { "Operator": "AND", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:3001", "Comment": "ALT Linux must be installed" } ], "Criterias": [ { "Operator": "OR", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:20171783001", "Comment": "apache2 is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783002", "Comment": "apache2-ab is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783003", "Comment": "apache2-base is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783004", "Comment": "apache2-cgi-bin is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783005", "Comment": "apache2-cgi-bin-printenv is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783006", "Comment": "apache2-cgi-bin-test-cgi is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783007", "Comment": "apache2-compat is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783008", "Comment": "apache2-configs-A1PROXIED is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783009", "Comment": "apache2-datadirs is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783010", "Comment": "apache2-devel is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783011", "Comment": "apache2-docs is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783012", "Comment": "apache2-full is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783013", "Comment": "apache2-htcacheclean is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783014", "Comment": "apache2-htcacheclean-control is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783015", "Comment": "apache2-html is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783016", "Comment": "apache2-htpasswd is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783017", "Comment": "apache2-httpd-event is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783018", "Comment": "apache2-httpd-prefork is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783019", "Comment": "apache2-httpd-worker is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783020", "Comment": "apache2-icons is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783021", "Comment": "apache2-manual is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783022", "Comment": "apache2-manual-addons is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783023", "Comment": "apache2-mod_cache_disk is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783024", "Comment": "apache2-mod_ldap is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783025", "Comment": "apache2-mod_ssl is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783026", "Comment": "apache2-mod_ssl-compat is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783027", "Comment": "apache2-mods is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783028", "Comment": "apache2-suexec is earlier than 1:2.4.26-alt1.S1" }, { "TestRef": "oval:org.altlinux.errata:tst:20171783029", "Comment": "rpm-build-apache2 is earlier than 1:2.4.26-alt1.S1" } ] } ] } } ] }