Your submission was sent successfully! Close

You have successfully unsubscribed! Close

USN-3937-2: Apache vulnerabilities

10 April 2019

Several security issues were fixed in Apache.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

USN-3937-1 and USN-3627-1 fixed several vulnerabilities in Apache.
This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Simon Kappel discovered that the Apache HTTP Server mod_auth_digest module
incorrectly handled threads. A remote attacker with valid credentials could
possibly use this issue to authenticate using another username, bypassing
access control restrictions. (CVE-2019-0217)

Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server mod_authnz_ldap
module incorrectly handled missing charset encoding headers. A remote attacker
could possibly use this issue to cause the server to crash, resulting in a denial of
service. (CVE-2017-15710)

Robert Swiecki discovered that the Apache HTTP Server incorrectly handled
certain requests. A remote attacker could possibly use this issue to cause
the server to crash, leading to a denial of service. (CVE-2018-1301)

Nicolas Daniels discovered that the Apache HTTP Server incorrectly generated
the nonce when creating HTTP Digest authentication challenges. A remote attacker
could possibly use this issue to replay HTTP requests across a cluster of servers.
(CVE-2018-1312)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04

In general, a standard system update will make all the necessary changes.

Related notices

  • USN-3627-1: apache2-mpm-event, apache2, libapache2-mod-proxy-html, apache2-dev, apache2-mpm-prefork, libapache2-mod-macro, apache2-suexec, apache2-data, apache2-bin, apache2-doc, apache2-mpm-itk, apache2-mpm-worker, apache2-suexec-custom, apache2.2-bin, apache2-suexec-pristine, apache2-utils
  • USN-3627-2: apache2, apache2-ssl-dev, apache2-dev, apache2-data, apache2-bin, apache2-doc, apache2-suexec-custom, apache2-suexec-pristine, apache2-utils
  • USN-3937-1: apache2-mpm-event, libapache2-mod-proxy-uwsgi, apache2, apache2-ssl-dev, libapache2-mod-proxy-html, apache2-dev, apache2-mpm-prefork, libapache2-mod-macro, apache2-suexec, apache2-data, apache2-bin, apache2-doc, apache2-mpm-itk, apache2-mpm-worker, apache2-suexec-custom, apache2.2-bin, apache2-suexec-pristine, apache2-utils