apache2: CVE-2016-8740: erver memory can be exhausted and service denied when HTTP/2 is used

Debian Bug report logs - #847124
apache2: CVE-2016-8740: erver memory can be exhausted and service denied when HTTP/2 is used

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: apache2: CVE-2016-8740: erver memory can be exhausted and service denied when HTTP/2 is used

Date: Mon, 05 Dec 2016 21:13:04 +0100

Source: apache2
Version: 2.4.23-8
Severity: important
Tags: security upstream patch

Hi

CVE-2016-8740 was announced for apache, CVE-2016-8740, Server memory
can be exhausted and service denied when HTTP/2 is used.

Post to oss-security at:
http://www.openwall.com/lists/oss-security/2016/12/05/14

Patch: https://svn.apache.org/r1772576

Regards,
Salvatore

Message #10 received at 847124@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: Salvatore Bonaccorso <carnil@debian.org>, 847124@bugs.debian.org

Subject: Re: Bug#847124: apache2: CVE-2016-8740: erver memory can be exhausted and service denied when HTTP/2 is used

Date: Sun, 11 Dec 2016 08:58:21 +0100

On Monday, 5 December 2016 21:13:04 CET Salvatore Bonaccorso wrote:
> CVE-2016-8740 was announced for apache, CVE-2016-8740, Server memory
> can be exhausted and service denied when HTTP/2 is used.

There are a few more security issues fixed in the pending 2.4.24 release. I 
will wait a bit more in the hope that this is released soonish.

Stefan

Message #15 received at 847124-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>

To: 847124-close@bugs.debian.org

Subject: Bug#847124: fixed in apache2 2.4.25-1

Date: Wed, 21 Dec 2016 23:18:50 +0000

Source: apache2
Source-Version: 2.4.25-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 847124@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Dec 2016 23:46:06 +0100
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.25-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Closes: 834708 847124
Changes:
 apache2 (2.4.25-1) unstable; urgency=medium
 .
   [ New upstream release ]
   * Security: CVE-2016-0736:
     mod_session_crypto: Authenticate the session data/cookie with a MAC to
     prevent deciphering or tampering with a padding oracle attack.
   * Security: CVE-2016-2161:
     mod_auth_digest: Prevent segfaults during client entry allocation when the
     shared memory space is exhausted.
   * Security: CVE-2016-5387:
     Mitigate [f]cgi "httpoxy" issues.
   * Security: CVE-2016-8740:
     mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
     Closes: #847124
   * Security: CVE-2016-8743:
     Enforce HTTP request grammar corresponding to RFC7230 for request lines
     and request headers, to prevent response splitting and cache pollution by
     malicious clients or downstream proxies.
   * The stricter HTTP enforcement may cause compatibility problems with
     non-conforming clients. Fine-tuning is possible with the new
     HttpProtocolOptions directive.
   * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
   * mod_http2: Many fixes and support for early pushes using the new
     H2PushResource directive.
 .
   [ Stefan Fritsch ]
   * Switch to debhelper compatibility level 9.
Checksums-Sha1:
 1e287e10f71bf372ebe0576e34e7fbcfc2981202 2832 apache2_2.4.25-1.dsc
 bd6d138c31c109297da2346c6e7b93b9283993d2 6398218 apache2_2.4.25.orig.tar.bz2
 267b82b033a4e1ccdfbdebcab41dc8ae6b4c3c26 352968 apache2_2.4.25-1.debian.tar.xz
 78b91dcfabead6c54cccfa16fd49238c9e2f537f 1176860 apache2-bin_2.4.25-1_amd64.deb
 f976e2faa4e0ce794952134a7e3b90864da9179a 162036 apache2-data_2.4.25-1_all.deb
 052d8df1f0dd1df400ad00a8a767e6e1410e4d62 3968200 apache2-dbg_2.4.25-1_amd64.deb
 6573dd2b4322ebdcec64a77f7218e559d8d653e5 312208 apache2-dev_2.4.25-1_amd64.deb
 7e64982ed99d91dd0db22fdb99c99cdce5800e38 3769488 apache2-doc_2.4.25-1_all.deb
 b78dac42d8ae2baeabe915523ef8841e89d0933c 2258 apache2-ssl-dev_2.4.25-1_amd64.deb
 835ffa8bf497698dfc0c803911f75085e177bc29 153964 apache2-suexec-custom_2.4.25-1_amd64.deb
 85c2abbaa48e25810d9f0f885daeaa486df6f859 152512 apache2-suexec-pristine_2.4.25-1_amd64.deb
 406d43f4b234fcd454f27d82259cd5871e92d804 215796 apache2-utils_2.4.25-1_amd64.deb
 af1206aca2dedbeeb8785053f4aab098343c5ffe 8742 apache2_2.4.25-1_amd64.buildinfo
 0f20768a2f8584e46bcc2c68bfa388fc524cc0fc 234062 apache2_2.4.25-1_amd64.deb
Checksums-Sha256:
 60d20309067f066e206939858a792721218367cbfc020bbef18c2f80edc07854 2832 apache2_2.4.25-1.dsc
 f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2 6398218 apache2_2.4.25.orig.tar.bz2
 53f8e5ad9bc8764abcd80a671df9bd5fc3fcad150c57c6a176ca48ba5e7c58d7 352968 apache2_2.4.25-1.debian.tar.xz
 52bcfdfbad294c3dd3e91be17d35cbdff9afc479163e1a7d663cb4350fd54b49 1176860 apache2-bin_2.4.25-1_amd64.deb
 ee3e88c8e48db991b649b0a3ba8beb564f62cb577bb97823f080cd28355e61bb 162036 apache2-data_2.4.25-1_all.deb
 ef63b03024b0d69315c5c0f49fead13c9fcc1a1bd3172f34527c34c01871c182 3968200 apache2-dbg_2.4.25-1_amd64.deb
 143df9ba7925c349be47cf907648154cf549910a3034fbcb5ba84c7532eeaf5b 312208 apache2-dev_2.4.25-1_amd64.deb
 304a8050b6e234de38b7216e4830da0cceadda34bb41aecffc183827ca0ee390 3769488 apache2-doc_2.4.25-1_all.deb
 9cebd3b51778b88173cf77123ed3a23aac46adca7034de23dca891ac9bb5e550 2258 apache2-ssl-dev_2.4.25-1_amd64.deb
 1e3329ecdc01d3705fee07a44aa91b90dcf07bddc7d61153009d8ff2b87b2fa0 153964 apache2-suexec-custom_2.4.25-1_amd64.deb
 bb87c1c06c2e0e6e6dea1bcfa64b72d0c10a76fce80d6bd78be1a25e780ce89f 152512 apache2-suexec-pristine_2.4.25-1_amd64.deb
 d5b62f96555f4a4e0358bd33f77d58e802f3f313c9ae3faed5c38f14fad4e12c 215796 apache2-utils_2.4.25-1_amd64.deb
 52a791a5e652646bc09f105a759668b945c3fd07837669fb76b5f2030041c846 8742 apache2_2.4.25-1_amd64.buildinfo
 641d571f92878ac71c99009ee038431ae9de9120cb65838ef5cc203d90434c44 234062 apache2_2.4.25-1_amd64.deb
Files:
 3067e4672e039a9e0d0a65e72f698b96 2832 httpd optional apache2_2.4.25-1.dsc
 2826f49619112ad5813c0be5afcc7ddb 6398218 httpd optional apache2_2.4.25.orig.tar.bz2
 0b7704b3ed8d5e41c55778d8bc336e5d 352968 httpd optional apache2_2.4.25-1.debian.tar.xz
 7fa01546dff187a703735a3f478b19e8 1176860 httpd optional apache2-bin_2.4.25-1_amd64.deb
 52d581b39e92874403032e90df0c0837 162036 httpd optional apache2-data_2.4.25-1_all.deb
 98fe280dabf7217cad53d9e399ad7a55 3968200 debug extra apache2-dbg_2.4.25-1_amd64.deb
 654b773de54590be71d5e84a13b01f5d 312208 httpd optional apache2-dev_2.4.25-1_amd64.deb
 f202754da5c80ba4f6329c6768a0afd2 3769488 doc optional apache2-doc_2.4.25-1_all.deb
 cbde1c7020b9b71a172bf91b7830be8f 2258 httpd optional apache2-ssl-dev_2.4.25-1_amd64.deb
 fe3b50ff04c7e40a26cd24077e4955a5 153964 httpd extra apache2-suexec-custom_2.4.25-1_amd64.deb
 b42b3994df54fe19f9999295a3d43283 152512 httpd optional apache2-suexec-pristine_2.4.25-1_amd64.deb
 46f61a8045d7d306d1804e1caa1d5a8b 215796 httpd optional apache2-utils_2.4.25-1_amd64.deb
 4593fa8425971565fd647a1862718910 8742 httpd optional apache2_2.4.25-1_amd64.buildinfo
 061abd0cbaf1fe9c2823ea3592289c14 234062 httpd optional apache2_2.4.25-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAlhbC0MACgkQxodfNUHO
/eBIrQ/+KA+/NfRlLAICgFbBJq4PUad/9xD6TdXFgqLlKFEb0wWIHm8HiJbKKwMd
tS0Wy6N/zIZ7oz93MPRdnlewTTneIEBvf6N0m9MXJEopQNOeaVkQAA3/FXl9VcQW
Q200OqboPIQhfruLSc/IXl+YNZ+Bz9InLh6ldwYvpLKmCSmde4g3/f9/JhCRqKlF
90stlj17eM3XFqHgKlhmA7hU9C5AkqIuPlvpeJSjcSNQnI5jx1kvnhBgiTySHy5p
EeZRCp91qa6fdgUzbWOe2/hXcmO4vNllDNmGMK9mfvRQhvt8Fe8E2xUXFZCRy8Nk
QFYt8XwVasw976dbDh7boc65E/e828rlgMZ0zdbYAn31Kj5KOg4yfCtk1Y+tgNYW
roEUW9OkSZI7QMIh4Q5zqDE7c0f8xYt+15howQcERATdAA11ABArAZOOoJXtEShj
QFrkEHuRwwnMxMMaE6CImHWL1QhnlywWsDyOep9QcsTrSM0Z5Ml5mIkXERaqH96B
ojI8wDZpXGCBvV5KDXAM/DkfNyv/PVfVMAx+w7T/UArSyfALwWHE7nsXYMgDurNB
SFplg+N+N92RvigM6DgffYjAQ8/27JKCwiFr4O7HaQwRuAUiajLPpT0NcRrPKrUc
MkgRY2YpWhi6NzULouIZmIX/7p1cFz0OkGLh4/vuQq/fGNc1aaE=
=Focz
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.