USN-3627-2: Apache HTTP Server vulnerabilities
30 April 2018
Several security issues were fixed in the Apache HTTP Server.
Releases
Packages
- apache2 - Apache HTTP server
Details
USN-3627-1 fixed vulnerabilities in Apache HTTP Server. This update
provides the corresponding updates for Ubuntu 18.04 LTS.

Original advisory details:

Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server
mod_authnz_ldap module incorrectly handled missing charset encoding
headers. A remote attacker could possibly use this issue to cause the
server to crash, resulting in a denial of service. (CVE-2017-15710)

Elar Lang discovered that the Apache HTTP Server incorrectly handled
certain characters specified in
possibly use this issue to upload certain files, contrary to expectations.
(CVE-2017-15715)

It was discovered that the Apache HTTP Server mod_session module
incorrectly handled certain headers. A remote attacker could possibly use
this issue to influence session data. (CVE-2018-1283)

Robert Swiecki discovered that the Apache HTTP Server incorrectly handled
certain requests. A remote attacker could possibly use this issue to cause
the server to crash, leading to a denial of service. (CVE-2018-1301)

Robert Swiecki discovered that the Apache HTTP Server mod_cache_socache
module incorrectly handled certain headers. A remote attacker could
possibly use this issue to cause the server to crash, leading to a denial
of service. (CVE-2018-1303)

Nicolas Daniels discovered that the Apache HTTP Server incorrectly
generated the nonce when creating HTTP Digest authentication challenges.
A remote attacker could possibly use this issue to replay HTTP requests
across a cluster of servers. (CVE-2018-1312)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.04
In general, a standard system update will make all the necessary changes.
Related notices
- USN-3627-1: apache2-mpm-itk, apache2.2-bin, apache2-mpm-prefork, libapache2-mod-macro, apache2, apache2-mpm-event, apache2-utils, apache2-data, libapache2-mod-proxy-html, apache2-dev, apache2-suexec-pristine, apache2-doc, apache2-suexec, apache2-bin, apache2-suexec-custom, apache2-mpm-worker
- USN-3937-2: apache2.2-bin, apache2