httpd24-httpd-2.4.25-9.AXS4.1

Errata ID: AXSA:2017-2175:02

Release date: Tuesday, September 12, 2017 - 18:41
Subject: httpd24-httpd-2.4.25-9.AXS4.1
Affected Channels: Asianux Server 4 for x86_64
Severity: High
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and
extensible web server.

Security Fix(es):

* It was discovered that httpd's mod_auth_digest module did not properly
initialize memory before using it when processing certain headers related to
digest authentication. A remote attacker could possibly use this flaw to
disclose potentially sensitive information or cause an httpd child process to
crash by sending specially crafted requests to a server. (CVE-2017-9788)

* It was discovered that the use of httpd's ap_get_basic_auth_pw() API
function outside of the authentication phase could lead to authentication
bypass. A remote attacker could possibly use this flaw to bypass required
authentication if the API was used incorrectly by one of the modules used by
httpd. (CVE-2017-3167)

* A NULL pointer dereference flaw was found in httpd's mod_ssl module. A
remote attacker could use this flaw to cause an httpd child process to crash if
another module used by httpd called a certain API function during the processing
of an HTTPS request. (CVE-2017-3169)

* A NULL pointer dereference flaw was found in the mod_http2 module of httpd.
A remote attacker could use this flaw to cause an httpd child process to crash
via a specially crafted HTTP/2 request. (CVE-2017-7659)

* A buffer over-read flaw was found in httpd's ap_find_token() function. A
remote attacker could use this flaw to cause an httpd child process to crash
via a specially crafted HTTP request. (CVE-2017-7668)

* A buffer over-read flaw was found in httpd's mod_mime module. A user
permitted to modify httpd's MIME configuration could use this flaw to cause
an httpd child process to crash. (CVE-2017-7679)

CVE-2017-3167
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of
the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.

CVE-2017-3169
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl
may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

CVE-2017-7659
A maliciously constructed HTTP/2 request could cause mod_http2 2.4.24,
2.4.25 to dereference a NULL pointer and crash the server process.

CVE-2017-7668
The HTTP strict parsing changes added in Apache httpd 2.2.32 and
2.4.24 introduced a bug in token list parsing, which allows
ap_find_token() to search past the end of its input string. By
maliciously crafting a sequence of request headers, an attacker may be
able to cause a segmentation fault, or to force ap_find_token() to
return an incorrect value.

CVE-2017-7679
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime
can read one byte past the end of a buffer when sending a malicious
Content-Type response header.

CVE-2017-9788
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value
placeholder in [Proxy-]Authorization headers of type 'Digest' was not
initialized or reset before or between successive key=value
assignments by mod_auth_digest. Providing an initial key with no '='
assignment could reflect the stale value of uninitialized pool memory
used by the prior request, leading to leakage of potentially
confidential information, and a segfault in other cases resulting in
denial of service.
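The stale-placeholder bug class behind CVE-2017-9788, as an added illustration in C (a constructed toy key=value parser, not httpd's mod_auth_digest code): the value buffer is shared across pairs and only written when a '=' is present, so a key with no assignment inherits the previous value unless the parser clears the buffer before each key. In the real bug the stale bytes came from pool memory used by the prior request; the toy shows the same failure within one header list, with the hardened variant selected by the `hardened` flag.

```c
#include <string.h>

#define MAX_PAIRS 8
#define MAX_LEN   32

struct kv { char key[MAX_LEN]; char val[MAX_LEN]; };

/* Constructed toy parser for "k1=v1, k2=v2" lists; not httpd code.
 * hardened == 0 shows the bug class: `val` is only written when '=' is
 * present, so a bare key inherits the previous assignment's value.
 * hardened == 1 clears the placeholder before every key. Returns the
 * number of pairs stored in `out`. */
static int parse_kv_list(const char *in, struct kv *out, int hardened) {
    char val[MAX_LEN] = "";                   /* placeholder shared across pairs */
    const char *p = in;
    int n = 0;
    while (*p && n < MAX_PAIRS) {
        while (*p == ' ' || *p == ',') p++;   /* skip separators */
        if (!*p) break;
        if (hardened) val[0] = '\0';          /* fix: reset before each key */
        size_t klen = strcspn(p, "=, ");
        size_t kc = klen < MAX_LEN ? klen : MAX_LEN - 1;
        memcpy(out[n].key, p, kc); out[n].key[kc] = '\0';
        p += klen;
        if (*p == '=') {                      /* value is written only here */
            p++;
            size_t vlen = strcspn(p, ",");
            size_t vc = vlen < MAX_LEN ? vlen : MAX_LEN - 1;
            memcpy(val, p, vc); val[vc] = '\0';
            p += vlen;
        }
        strcpy(out[n].val, val);              /* bug: copies stale data if no '=' */
        n++;
    }
    return n;
}

/* Parse `in` and return the value recorded for `key`, or NULL if the key is
 * absent. The pointer stays valid until the next call. */
static const char *lookup(const char *in, const char *key, int hardened) {
    static struct kv pairs[MAX_PAIRS];
    int n = parse_kv_list(in, pairs, hardened);
    for (int i = 0; i < n; i++)
        if (strcmp(pairs[i].key, key) == 0) return pairs[i].val;
    return NULL;
}
```

On the constructed fragment `username=alice, response=deadbeef, nonce`, `lookup(..., "nonce", 0)` returns the previous pair's value "deadbeef", while the hardened parser returns an empty string for the unassigned key.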

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd24-httpd-2.4.25-9.AXS4.1.src.rpm
    MD5: 2fc89798bc1c60259ab1a6eb315eebd9
    SHA-256: f0a56f9d8f5a7951d14aaeb56b4c7168d66ff7576344f8a208410cf6f4c0938c
    Size: 6.19 MB

Asianux Server 4 for x86_64
  1. httpd24-httpd-2.4.25-9.AXS4.1.x86_64.rpm
    MD5: 9fbc4bd24bcc53a9febbfa34f95f8022
    SHA-256: e13ff08bfda80642cac9c169ba167f84fe7ae42e8ce7cb7e0f75a52bba17f7ca
    Size: 1.24 MB
  2. httpd24-httpd-devel-2.4.25-9.AXS4.1.x86_64.rpm
    MD5: 1800a53f12a727fdfd815f6e74eb3ca2
    SHA-256: f91abc0552462880b53caeee3011266c2bad8818fa7c2a28db5ab29e8b29fb52
    Size: 202.82 kB
  3. httpd24-httpd-manual-2.4.25-9.AXS4.1.noarch.rpm
    MD5: de23e6f3a325c480325cdac7c5fe41bd
    SHA-256: 26411c4631d9a99c86111fc011784359167e1fc9400f3d560b3f97b81ebb3519
    Size: 2.35 MB
  4. httpd24-httpd-tools-2.4.25-9.AXS4.1.x86_64.rpm
    MD5: c0d1db12bef1ce25103930c5da9b5faa
    SHA-256: 3249dcb6f937e7e489c3e2e5daa39e9327c1544daa2fea9d1e0afe15b85a73b3
    Size: 78.94 kB
  5. httpd24-mod_ldap-2.4.25-9.AXS4.1.x86_64.rpm
    MD5: fe79a862421ee6e5a6d44dcb08be8e5f
    SHA-256: 7cfba5e92907e88c1299b128cebfa5fae15dbca806e85c18b1fc76cdf2f99a19
    Size: 62.40 kB
  6. httpd24-mod_proxy_html-2.4.25-9.AXS4.1.x86_64.rpm
    MD5: 62f4cc22fae90cdb524f96c74bb89d9e
    SHA-256: 616041731ac06bbdb5113074569e62c0ea3203201bd4017341f5fde88a98ff30
    Size: 40.62 kB
  7. httpd24-mod_session-2.4.25-9.AXS4.1.x86_64.rpm
    MD5: e9a1077be91682202aa4bcda608cdd80
    SHA-256: dca51b4395933bf7d999e2a09e2f84e30da06b1285bfe568741584fbf6de27e6
    Size: 48.38 kB
  8. httpd24-mod_ssl-2.4.25-9.AXS4.1.x86_64.rpm
    MD5: 074604ce3b52e46ada4cde9a2183ee48
    SHA-256: ce260210f5b5aee8bfedd8e6fd576d5f4b3fee271521aed0c5c2b9230d65fe6e
    Size: 103.23 kB