Bug 1045060 - (CVE-2017-7679) VUL-0: CVE-2017-7679: apache2: httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can buffer over-read
(CVE-2017-7679)
VUL-0: CVE-2017-7679: apache2: httpd 2.2.x before 2.2.33 and 2.4.x before 2....
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Marcus Meissner
Security Team bot
https://smash.suse.de/issue/187083/
CVSSv3:RedHat:CVE-2017-7679:6.5:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-20 06:25 UTC by Victor Pereira
Modified: 2017-10-30 18:22 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2017-06-20 06:25:49 UTC
CVE-2017-7679

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mimecan read one byte past the end of a buffer when sending a maliciousContent-Type response header.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7679
http://seclists.org/oss-sec/2017/q2/509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch
Comment 2 Petr Gajdos 2017-06-26 15:20:01 UTC
According to upstream info page, affected are all versions we maintain, that means:
12sp2/apache2: fixed
11sp1/apache2: fixed by version update to 2.2.33
10sp3/apache2: fixed
Comment 3 Petr Gajdos 2017-06-27 11:35:05 UTC
Testsuites in home:pgajdos:apache-test:after succeded.

Packages submitted.
Comment 5 Swamp Workflow Management 2017-06-27 14:56:45 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-07-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63713
Comment 6 Swamp Workflow Management 2017-06-29 01:11:26 UTC
SUSE-SU-2017:1714-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1035829,1041830,1045060,1045062,1045065
CVE References: CVE-2017-3167,CVE-2017-3169,CVE-2017-7679
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    apache2-2.4.23-28.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    apache2-2.4.23-28.1
SUSE Linux Enterprise Server 12-SP2 (src):    apache2-2.4.23-28.1
Comment 7 Swamp Workflow Management 2017-07-06 22:11:43 UTC
openSUSE-SU-2017:1803-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1035829,1041830,1045060,1045062,1045065
CVE References: CVE-2017-3167,CVE-2017-3169,CVE-2017-7679
Sources used:
openSUSE Leap 42.2 (src):    apache2-2.4.23-8.6.1
Comment 8 Johannes Segitz 2017-07-13 14:53:20 UTC
fixed
Comment 10 Petr Gajdos 2017-08-16 13:11:09 UTC
Packages submitted.
Comment 12 Swamp Workflow Management 2017-09-13 15:29:14 UTC
SUSE-SU-2017:2449-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1035829,1041830,1043484,1043607,1045060,1045062,1045065,1048576
CVE References: CVE-2017-3167,CVE-2017-3169,CVE-2017-7679,CVE-2017-9788
Sources used:
SUSE OpenStack Cloud 6 (src):    apache2-2.4.16-20.10.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    apache2-2.4.16-20.10.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    apache2-2.4.16-20.10.1
Comment 15 Swamp Workflow Management 2017-10-18 16:10:10 UTC
SUSE-SU-2017:2756-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1035829,1041830,1045060,1045062,1045065,1048576,1058058,980663
CVE References: CVE-2017-3167,CVE-2017-3169,CVE-2017-7679,CVE-2017-9788,CVE-2017-9798
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    apache2-2.4.10-14.28.1
Comment 16 Swamp Workflow Management 2017-10-30 18:22:02 UTC
SUSE-SU-2017:2907-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1045060,1045061,1045062,1045065,1052830,1058058,1064561
CVE References: CVE-2009-2699,CVE-2010-0425,CVE-2012-0021,CVE-2014-0118,CVE-2017-3167,CVE-2017-3169,CVE-2017-7668,CVE-2017-7679,CVE-2017-9798
Sources used:
SUSE Studio Onsite 1.3 (src):    apache2-2.2.34-70.12.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    apache2-2.2.34-70.12.1
SUSE Linux Enterprise Server 11-SP4 (src):    apache2-2.2.34-70.12.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    apache2-2.2.34-70.12.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    apache2-2.2.34-70.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    apache2-2.2.34-70.12.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    apache2-2.2.34-70.12.1