Format: 1.8 Date: Fri, 05 May 2017 10:51:32 -0400 Source: apache2 Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg Architecture: arm64 Version: 2.4.18-2ubuntu4.1 Distribution: yakkety Urgency: medium Maintainer: Launchpad Build Daemon Changed-By: Marc Deslauriers Description: apache2 - Apache HTTP Server apache2-bin - Apache HTTP Server (modules and other binary files) apache2-data - Apache HTTP Server (common files) apache2-dbg - Apache debugging symbols apache2-dev - Apache HTTP Server (development headers) apache2-doc - Apache HTTP Server (on-site documentation) apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec apache2-utils - Apache HTTP Server (utility programs for web servers) Changes: apache2 (2.4.18-2ubuntu4.1) yakkety-security; urgency=medium . * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue - debian/patches/CVE-2016-0736.patch: authenticate the session data/cookie with a MAC in modules/session/mod_session_crypto.c. - CVE-2016-0736 * SECURITY UPDATE: denial of service via malicious mod_auth_digest input - debian/patches/CVE-2016-2161.patch: improve memory handling in modules/aaa/mod_auth_digest.c. - CVE-2016-2161 * SECURITY UPDATE: response splitting and cache pollution issue via incomplete RFC7230 HTTP request grammar enforcing - debian/patches/CVE-2016-8743.patch: enfore stricter parsing in include/http_core.h, include/http_protocol.h, include/httpd.h, modules/http/http_filters.c, server/core.c, server/gen_test_char.c, server/protocol.c, server/util.c, server/vhost.c. - debian/patches/hostnames_with_underscores.diff: relax hostname restrictions in server/vhost.c. - CVE-2016-8743 * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and may introduce compatibility issues with clients that do not strictly follow specifications. A new configuration directive, "HttpProtocolOptions Unsafe" can be used to re-enable some of the less strict parsing restrictions, at the expense of security. Checksums-Sha1: 5661ea87d74e9fbb0cabecf527b5ae18ec39763c 986 apache2-bin-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb b8204f49c9b72887edcb8bb77abc583b41559698 770468 apache2-bin_2.4.18-2ubuntu4.1_arm64.deb 5dcb6f9d9df407a31b27d5d62c62bdcec3601969 2186740 apache2-dbg_2.4.18-2ubuntu4.1_arm64.deb 8d7f26cb9225fa0f420d19d4e6cbe9cdefbf751f 968 apache2-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb 83991ed822f51848528128f9f159c8e890745e56 1104 apache2-dev-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb fc15fcf83faaeb2d1a7f85755cf862910219863d 172428 apache2-dev_2.4.18-2ubuntu4.1_arm64.deb da05480396f9ec844a9d372c0c97d794a23ddf48 970 apache2-suexec-custom-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb cfa7184ee24ee6c68367a68c1ecff881ddc6da6b 14834 apache2-suexec-custom_2.4.18-2ubuntu4.1_arm64.deb 98ea534b96540013f956c47ed7c525f2910dc22d 916 apache2-suexec-pristine-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb 8a27743548fe2ecfa83c157904319c66bdb6ae06 13390 apache2-suexec-pristine_2.4.18-2ubuntu4.1_arm64.deb eca2ddcd2049ded16e2b02d14e63d2f9e134fd0a 1188 apache2-utils-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb f1ab597944cb888cd2e149124b56bd294acaf670 77260 apache2-utils_2.4.18-2ubuntu4.1_arm64.deb 1db03650427c7f95b0a692d717300889f6ba9a63 86338 apache2_2.4.18-2ubuntu4.1_arm64.deb Checksums-Sha256: a8426628bcb548e7f1cbfff884ab08bd1a4c784bc4fa3d61f872f8910c5bc978 986 apache2-bin-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb 046316cca6828eede5433d9f03c86c78b54c41ee6f7de83226edb08e91af532a 770468 apache2-bin_2.4.18-2ubuntu4.1_arm64.deb 6801e3ebcb5117fa110e7512186d8ff9aae55f5ded41c2238c6a7533753b7a49 2186740 apache2-dbg_2.4.18-2ubuntu4.1_arm64.deb a7bf1084895677dde699ea79e6d4f96742aa91a906ea8f9d802ae7c6ccd05ea4 968 apache2-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb 435358043aa466d98c9a84994f77e65876d5e04d2dd92a3060be291d389d4645 1104 apache2-dev-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb 460efef06bbd35e51b5fef1d37b72f60d919d8a1e39c0d15f05e5e1d2af01220 172428 apache2-dev_2.4.18-2ubuntu4.1_arm64.deb 43dcfeeaf99af6247457133c61a14b8303af3cac0fab1c7909e5f76ff4c89eef 970 apache2-suexec-custom-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb 3cc65eaddb718719ab2451768687aed5de20dde8441be4a5fca7e1715dec1f12 14834 apache2-suexec-custom_2.4.18-2ubuntu4.1_arm64.deb f1018a0cdeef06419f2f2b912d2e437ad69ae03f967adf532453285d6b3ee2a3 916 apache2-suexec-pristine-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb dcaacc7ec1f454baa8df5f93e93b27a2a5b981a1c4066aa7aaf6c6ff0542f208 13390 apache2-suexec-pristine_2.4.18-2ubuntu4.1_arm64.deb ace54b59c5c5fb7de97211036613bfaf7d467074f3b908a4e57058abcd932a2b 1188 apache2-utils-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb ba00afa7ddf0317fc42acb07a7e274f7432c3881de969b8dd6087bc0d556d7a6 77260 apache2-utils_2.4.18-2ubuntu4.1_arm64.deb 8c7bfb104e66cb9167f47062125b928adbe048ec1f52bd799af7356c9a8c5d77 86338 apache2_2.4.18-2ubuntu4.1_arm64.deb Files: 34b8240aae2f6d84563e89ab5fabd757 986 httpd extra apache2-bin-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb 31c617f89c1c500cde53db5b96359107 770468 httpd optional apache2-bin_2.4.18-2ubuntu4.1_arm64.deb 9ca1ba678416dc387aaa4489cce7c887 2186740 debug extra apache2-dbg_2.4.18-2ubuntu4.1_arm64.deb a34a51ce7c3a12a1848b0fc249a6d9d4 968 httpd extra apache2-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb fccc0740cfca9d8690816c9bb2c2e89d 1104 httpd extra apache2-dev-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb 8dccd890a93b6ab56943bacdeb7c21e7 172428 httpd optional apache2-dev_2.4.18-2ubuntu4.1_arm64.deb 24590118e4a3d04eb7522072bc023d3f 970 httpd extra apache2-suexec-custom-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb f8f9153bb92134effb7c96ec98322430 14834 httpd extra apache2-suexec-custom_2.4.18-2ubuntu4.1_arm64.deb e13e71a7c095c1458d20a1ed62023e45 916 httpd extra apache2-suexec-pristine-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb 4ab0a86f3d09e674d7985e63eee64395 13390 httpd optional apache2-suexec-pristine_2.4.18-2ubuntu4.1_arm64.deb 288ff053af8ff3527e0140df3189a5fd 1188 httpd extra apache2-utils-dbgsym_2.4.18-2ubuntu4.1_arm64.ddeb c88d88c68d1f8435c47c68e3a255ea48 77260 httpd optional apache2-utils_2.4.18-2ubuntu4.1_arm64.deb e78aacaf6673511fd9ba9ab68f5788a8 86338 httpd optional apache2_2.4.18-2ubuntu4.1_arm64.deb Original-Maintainer: Debian Apache Maintainers