Format: 1.8
Date: Fri, 05 May 2017 10:51:32 -0400
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg
Architecture: i386
Version: 2.4.18-2ubuntu4.1
Distribution: yakkety
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Marc Deslauriers
Description:
 apache2 - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Changes:
 apache2 (2.4.18-2ubuntu4.1) yakkety-security; urgency=medium
 .
   * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
     - debian/patches/CVE-2016-0736.patch: authenticate the session
       data/cookie with a MAC in modules/session/mod_session_crypto.c.
     - CVE-2016-0736
   * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
     - debian/patches/CVE-2016-2161.patch: improve memory handling in
       modules/aaa/mod_auth_digest.c.
     - CVE-2016-2161
   * SECURITY UPDATE: response splitting and cache pollution issue via
     incomplete RFC7230 HTTP request grammar enforcing
     - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in
       include/http_core.h, include/http_protocol.h, include/httpd.h,
       modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
       server/protocol.c, server/util.c, server/vhost.c.
     - debian/patches/hostnames_with_underscores.diff: relax hostname
       restrictions in server/vhost.c.
     - CVE-2016-8743
   * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
     may introduce compatibility issues with clients that do not strictly
     follow specifications. A new configuration directive,
     "HttpProtocolOptions Unsafe" can be used to re-enable some of the less
     strict parsing restrictions, at the expense of security.
Original-Maintainer: Debian Apache Maintainers