5762 matches found

OpenVAS
added 2017/08/16 12:0 a.m. | 61 views

RedHat Update for httpd RHSA-2017:2478-01

The remote host is missing an update for the...

CVSS 9.8 | AI score 9.1 | EPSS 0.5677
Exploits: 3 | References: 2

BDU FSTEC
added 2017/08/10 12:0 a.m. | 5 views

The vulnerability of the Apache HTTP Server web server allows attackers to carry out network attacks.

The vulnerability of the Apache HTTP Server is related to improper data processing. The web server was liberal in the whitespace it accepted in requests and sent in response lines and headers. Accepting such behavior posed a security issue, especially when httpd participated in any prox...

CVSS 5 | AI score 6.5 | EPSS 0.13252
Exploits: 0 | References: 7

BDU FSTEC
added 2017/08/10 12:0 a.m. | 4 views

The vulnerability of the mod_session_crypto module in the Apache HTTP Server allows attackers to perform attacks like Padding Oracle.

The vulnerability of the mod_session_crypto module in the Apache HTTP Server is related to encryption algorithm errors. The mod_session_crypto module encrypts its data/cookies using configured encryption algorithms with CBC or ECB modes (AES256-CBC by default). Therefore, there is no optional or built-...

CVSS 5 | AI score 7.2 | EPSS 0.49024
Exploits: 4 | References: 7

Qualys Blog
added 2017/08/09 6:42 p.m. | 112 views

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with commonly adhered to security standards and regulations. Qualys provides a wide range of policies, including many that have been certified by CIS as well as ones based on security guidelines from vendors such as Microsoft and VMware...

AI score 7.2
Exploits: 0

Ubuntu
added 2017/08/01 6:15 p.m. | 70 views

USN-3370-2: Apache HTTP Server vulnerability

USN-3370-1 fixed a vulnerability in Apache HTTP Server. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Robert Święcki discovered that the Apache HTTP Server mod_auth_digest module incorrectly cleared values when processing certain requests. A remote...

CVSS 9.1 | AI score 7.2 | EPSS 0.5677
Exploits: 0

Tenable Nessus
added 2017/07/28 12:0 a.m. | 58 views

Ubuntu 14.04 LTS / 16.04 LTS : Apache HTTP Server vulnerability (USN-3370-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3370-1 advisory. Robert Święcki discovered that the Apache HTTP Server mod_auth_digest module incorrectly cleared values when processing certain requests. A remote attacke...

CVSS 9.1 | AI score 7.1 | EPSS 0.5677
Exploits: 0 | References: 2

Prion
added 2017/07/27 9:29 p.m. | 42 views

Code injection

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle...

CVSS 5 | AI score 6.7 | EPSS 0.49024
Exploits: 4 | References: 27 | Affected Software: 1

Prion
added 2017/07/27 9:29 p.m. | 39 views

Design/Logic Flaw

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-en...

CVSS 5 | AI score 7 | EPSS 0.13252
Exploits: 0 | References: 40 | Affected Software: 9

Prion
added 2017/07/27 9:29 p.m. | 33 views

Input validation

In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests...

CVSS 5 | AI score 6.7 | EPSS 0.20952
Exploits: 0 | References: 27 | Affected Software: 1

NVD
added 2017/07/27 9:29 p.m. | 37 views

CVE-2016-0736

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle...

CVSS 7.5 | AI score 7.5 | EPSS 0.49024
Exploits: 4 | References: 27

NVD
added 2017/07/27 9:29 p.m. | 30 views

CVE-2016-8743

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-en...

CVSS 7.5 | AI score 7.7 | EPSS 0.13252
Exploits: 0 | References: 40

OSV
added 2017/07/27 9:29 p.m. | 39 views

CVE-2016-8743

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-en...

CVSS 7.5 | AI score 7.6 | EPSS 0.13252
Exploits: 0 | References: 40

OSV
added 2017/07/27 9:29 p.m. | 36 views

CVE-2016-0736

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle...

CVSS 7.5 | AI score 6.5 | EPSS 0.49024
Exploits: 4 | References: 27

Debian CVE
added 2017/07/27 9:0 p.m. | 41 views

CVE-2016-2161

In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests...

CVSS 7.5 | AI score 7.5 | EPSS 0.20952
Exploits: 0

Debian CVE
added 2017/07/27 9:0 p.m. | 63 views

CVE-2016-8743

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-en...

CVSS 7.5 | AI score 6.3 | EPSS 0.13252
Exploits: 0

Debian CVE
added 2017/07/27 9:0 p.m. | 69 views

CVE-2016-0736

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle...

CVSS 7.5 | AI score 7.6 | EPSS 0.49024
Exploits: 4

Cvelist
added 2017/07/27 9:0 p.m. | 56 views

CVE-2016-2161

In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests...

AI score 7.5 | EPSS 0.20952
Exploits: 0 | References: 27

CVE
added 2017/07/27 9:0 p.m. | 1796 views

CVE-2016-0736

CVE-2016-0736 affects Apache HTTP Server’s mod_session_crypto (2.4.0–2.4.23). It used CBC/ECB modes (AES256-CBC by default) without authenticated encryption, enabling padding oracle-style attacks. The fix is to upgrade to Apache HTTPD 2.4.25 (or later) where mod_session_crypto is updated to authe...

CVSS 7.5 | AI score 7.5 | EPSS 0.49024
Exploits: 4 | References: 27 | Affected Software: 1

CVE
added 2017/07/27 9:0 p.m. | 2274 views

CVE-2016-8743

The CVE-2016-8743 issue affects Apache HTTP Server. It concerns how whitespace is accepted in requests and sent in response lines and headers in all releases before 2.2.32 and 2.4.25. The root problem is liberal whitespace handling, which can enable request smuggling, response splitting, and cach...

CVSS 7.5 | AI score 7.7 | EPSS 0.13252
Exploits: 0 | References: 40 | Affected Software: 1

Ubuntu
added 2017/07/27 4:41 p.m. | 70 views

USN-3370-1: Apache HTTP Server vulnerability

Robert Święcki discovered that the Apache HTTP Server mod_auth_digest module incorrectly cleared values when processing certain requests. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly obtain sensitive information...

CVSS 9.1 | AI score 7.2 | EPSS 0.5677
Exploits: 0