Arch Linux Security Advisory ASA-201507-15
=========================================
Severity: Medium
Date    : 2015-07-17
CVE-ID  : CVE-2015-0228 CVE-2015-0253 CVE-2015-3183 CVE-2015-3185
Package : apache
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package apache before version 2.4.16-1 is vulnerable to multiple
issues including remote denial of service and authentication bypass.

Resolution
=========
Upgrade to 2.4.16-1.

# pacman -Syu "apache>=2.4.16-1"

The problem has been fixed upstream in version 2.4.16.

Workaround
=========
None.

Description
==========
- CVE-2015-0228 (denial of service):

mod_lua: A maliciously crafted websockets PING after a script calls
r:wsupgrade() can cause a child process crash.

- CVE-2015-0253 (denial of service):

Fix a crash with ErrorDocument 400 pointing to a local URL-path with the
INCLUDES filter active, introduced in 2.4.11. PR 57531.

- CVE-2015-3183 (denial of service):

core: Fix chunk header parsing defect. Remove apr_brigade_flatten(),
buffering and duplicated code from the HTTP_IN filter, parse chunks in a
single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be
strict about chunk-ext authorized characters.

- CVE-2015-3185 (authentication bypass):

Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with
new ap_some_authn_required and ap_force_authn hook.

Impact
=====
A remote attacker might be able to bypass authentication required by a
module incorrectly updated for 2.4.x, or crash the apache httpd server.

References
=========
https://access.redhat.com/security/cve/CVE-2015-0228
https://access.redhat.com/security/cve/CVE-2015-0253
https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/cve/CVE-2015-3185
https://bz.apache.org/bugzilla/show_bug.cgi?id=57531

ArchLinux: 201507-15: apache: multiple issues

July 17, 2015

Summary

- CVE-2015-0228 (denial of service): mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash.
- CVE-2015-0253 (denial of service):
Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
- CVE-2015-3183 (denial of service):
core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters.
- CVE-2015-3185 (authentication bypass):
Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook.

Resolution

Upgrade to 2.4.16-1. # pacman -Syu "apache>=2.4.16-1"
The problem has been fixed upstream in version 2.4.16.

References

https://access.redhat.com/security/cve/CVE-2015-0228 https://access.redhat.com/security/cve/CVE-2015-0253 https://access.redhat.com/security/cve/CVE-2015-3183 https://access.redhat.com/security/cve/CVE-2015-3185 https://bz.apache.org/bugzilla/show_bug.cgi?id=57531


Severity
Package : apache
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE

Workaround

None.

Related News

Parrot OS 6.3: Elevating Security with Enhanced Features & Tools
3 - 5 min read
Parrot OS 6.3 has just arrived , bringing crucial updates that security admins should note. This latest version of the popular secure Linux
Linux Kernel 6.14 Released: Top Security Features You Need to Know
3 - 6 min read
With the release of Linux kernel 6.14 , admins and Linux users have many new features and enhancements to look forward to - especially in the realm
Don
2 - 4 min read
Google recently issued a crucial Chrome update that those using a version of the browser prior to version 132.0.6834.110 should implement
Intel Brings Next-Level Security to Linux with Partner Security Engine
3 - 6 min read
Intel recently introduced a game-changer in hardware security with its new Partner Security Engine integrated into the Core Ultra Series 2. This
A Tiny Linux Kernel Tweak with Massive Implications for Datacenter Efficiency
3 - 6 min read
In a groundbreaking development, security researchers have introduced a small but mighty tweak to the Linux kernel that promises to cut data center
Best Practices for Securing Linux Systems Against Malicious Bots
3 - 6 min read
Linux systems have long been an indispensable asset to businesses and individuals alike. From running servers and cloud infrastructure to powering
Securing Open-Source Projects with Automated Testing on Linux
4 - 7 min read
Open-source project security testing focuses on many components, ensuring there are no safety vulnerabilities. These components include physical
KaOS Linux 2025.01: Merging Security with Practicality
3 - 6 min read
As the realm of Linux distribution expands, security admins find themselves faced with choosing a system that fits operational needs and upholds

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved