Bugzilla – Bug 1016714
VUL-1: CVE-2016-2161: apache2: DoS vulnerability in mod_auth_digest
Last modified: 2017-07-13 14:39:54 UTC
https://httpd.apache.org/security/vulnerabilities_24.html

low: DoS vulnerability in mod_auth_digest (CVE-2016-2161)
Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests.
Acknowledgements: We would like to thank Maksim Malyutin for reporting this issue.
Reported to security team: 11th July 2016
Issue public: 20th December 2016
Update Released: 20th December 2016
Affects: 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1
https://svn.apache.org/viewvc?view=revision&sortby=date&revision=1772919

mod_auth_digest: fix segfaults during shared memory exhaustion

The apr_rmm_addr_get/apr_rmm_malloc() combination did not correctly check for a malloc failure, leading to crashes when we ran out of the limited space provided by AuthDigestShmemSize. This patch replaces all these calls with a helper function that performs this check.

Additionally, fix a NULL-check bug during entry garbage collection.
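The failure mode in the commit message above, as an added C example that is not httpd or APR code: a toy offset-based arena stands in for apr_rmm_t so the unchecked allocation pattern and the checking helper that replaced it can be run side by side. The toy assumes the apr-util behaviour that apr_rmm_malloc() returns offset 0 on failure and apr_rmm_addr_get() simply adds the offset to the segment base, so a failed allocation resolves to the arena header. Every name below (toy_rmm_*, toy_segment, client_entry, rmm_malloc_checked, SEG_BYTES) is invented for this illustration, and the checked helper mirrors the shape of the fix rather than its exact code.

```c
/* Added example, not httpd or APR code: a toy offset-based arena stands in for
 * apr_rmm_t so the unchecked pattern behind the crashes and the checking helper
 * the fix introduced can be run side by side. All names here are invented. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SEG_BYTES 128                /* stands in for AuthDigestShmemSize */

typedef struct {                     /* arena header, at offset 0 like APR's */
    size_t size;                     /* bytes in the segment */
    size_t used;                     /* next free offset; bump allocation */
} toy_rmm_hdr;

typedef union {                      /* keeps the header aligned */
    toy_rmm_hdr hdr;
    unsigned char bytes[SEG_BYTES];
} toy_segment;

typedef struct { unsigned char *base; } toy_rmm;
typedef size_t toy_off;              /* like apr_rmm_off_t: 0 means failure */

static void toy_rmm_init(toy_rmm *rmm, toy_segment *seg) {
    seg->hdr.size = sizeof seg->bytes;
    seg->hdr.used = sizeof seg->hdr;
    rmm->base = seg->bytes;
}

/* Like apr_rmm_malloc(): returns an offset, or 0 when the segment is full. */
static toy_off toy_rmm_malloc(toy_rmm *rmm, size_t n) {
    toy_rmm_hdr *h = (toy_rmm_hdr *)rmm->base;
    if (n == 0 || n > h->size - h->used)
        return 0;
    toy_off off = h->used;
    h->used += n;
    return off;
}

/* Like apr_rmm_addr_get(): base + offset; the offset is not validated. */
static void *toy_rmm_addr_get(toy_rmm *rmm, toy_off off) {
    return rmm->base + off;
}

typedef struct {                     /* per-client record kept in shared memory */
    char nonce[17];
    unsigned nonce_count;
} client_entry;

/* Pre-fix pattern: the offset is never checked, so once the segment is full
 * the "new entry" resolves to base + 0 and the memset wipes the arena header. */
static client_entry *add_client_unchecked(toy_rmm *rmm) {
    client_entry *e = toy_rmm_addr_get(rmm, toy_rmm_malloc(rmm, sizeof *e));
    memset(e, 0, sizeof *e);
    return e;
}

/* Post-fix pattern: one helper performs the check every call site had skipped. */
static void *rmm_malloc_checked(toy_rmm *rmm, size_t n) {
    toy_off off = toy_rmm_malloc(rmm, n);
    return off ? toy_rmm_addr_get(rmm, off) : NULL;
}

static client_entry *add_client_checked(toy_rmm *rmm) {
    client_entry *e = rmm_malloc_checked(rmm, sizeof *e);
    if (e == NULL)
        return NULL;                 /* caller logs and serves without caching */
    memset(e, 0, sizeof *e);
    return e;
}

/* 1 if the checked path refuses the request that does not fit and leaves the
 * header intact, so later valid requests keep working. */
int checked_survives_exhaustion(void) {
    toy_segment seg;
    toy_rmm rmm;
    toy_rmm_init(&rmm, &seg);
    size_t added = 0;
    while (add_client_checked(&rmm) != NULL)
        added++;
    size_t fit = (SEG_BYTES - sizeof seg.hdr) / sizeof(client_entry);
    return added == fit && seg.hdr.size == SEG_BYTES;
}

/* 1 if the unchecked path, on exhaustion, zeroed the header: persistent
 * corruption of shared state, which is why each instance kept failing. */
int unchecked_corrupts_header(void) {
    toy_segment seg;
    toy_rmm rmm;
    toy_rmm_init(&rmm, &seg);
    while (seg.hdr.size - seg.hdr.used >= sizeof(client_entry))
        add_client_unchecked(&rmm);  /* these fit and behave */
    add_client_unchecked(&rmm);      /* this one gets offset 0 */
    return seg.hdr.size == 0 && seg.hdr.used == 0;
}

int main(void) {
    printf("checked path survives exhaustion: %d\n", checked_survives_exhaustion());
    printf("unchecked path corrupts header:   %d\n", unchecked_corrupts_header());
    return 0;
}
```

The point the toy makes is that the bad pointer is not NULL: it aliases the arena's own bookkeeping, so one oversized or overflowing request damages state that every later request in that process depends on. Checking the offset once, in a single helper, is what makes the exhaustion a logged refusal instead of persistent corruption.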
bugbot adjusting priority
2.4 commit http://svn.apache.org/viewvc?view=revision&revision=1773069
No testcase found.
Packages submitted. I believe all fixed.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-03-29. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63474
SUSE-SU-2017:0729-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1016714,1016715
CVE References: CVE-2016-2161,CVE-2016-8743
Sources used:
SUSE Studio Onsite 1.3 (src): apache2-2.2.12-69.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): apache2-2.2.12-69.1
SUSE Linux Enterprise Server 11-SP4 (src): apache2-2.2.12-69.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): apache2-2.2.12-69.1

SUSE-SU-2017:0797-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1016712,1016714,1016715,1019380
CVE References: CVE-2016-0736,CVE-2016-2161,CVE-2016-8743
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): apache2-2.4.23-21.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): apache2-2.4.23-21.1
SUSE Linux Enterprise Server 12-SP2 (src): apache2-2.4.23-21.1

SUSE-SU-2017:0801-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1016712,1016714,1016715,980663
CVE References: CVE-2016-0736,CVE-2016-2161,CVE-2016-8743
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): apache2-2.4.16-19.1
SUSE Linux Enterprise Server 12-SP1 (src): apache2-2.4.16-19.1

openSUSE-SU-2017:0897-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1016712,1016714,1016715,1019380
CVE References: CVE-2016-0736,CVE-2016-2161,CVE-2016-8743
Sources used:
openSUSE Leap 42.2 (src): apache2-2.4.23-8.3.1

openSUSE-SU-2017:0903-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1016712,1016714,1016715,980663
CVE References: CVE-2016-0736,CVE-2016-2161,CVE-2016-8743
Sources used:
openSUSE Leap 42.1 (src): apache2-2.4.16-18.1
fixed