EasyApache

cPanel, Inc. has released EasyApache 3.34.12 with Apache version 2.2.32. This release addresses CVE-2016-8743 (HTTP request and response grammar enforcement) and CVE-2016-5387 (httpoxy). We strongly encourage all Apache 2.2 users to upgrade to version 2.2.32.

AFFECTED VERSIONS

All versions of Apache 2.2 through version 2.2.31

SECURITY RATING

NIST's National Vulnerability Database (NVD) rates these CVEs as follows:

CVE-2016-8743 – MEDIUM

Apache 2.2.32
Fixed bug related to CVE-2016-8743: request-line and header grammar is now enforced per RFC 7230, and invalid response headers are rejected with a 500 instead of being sent.

CVE-2016-5387 – MEDIUM

Apache 2.2.32
Additional httpoxy mitigation related to CVE-2016-5387: the client-supplied Proxy request header is no longer passed into the CGI/FastCGI environment as HTTP_PROXY.
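The httpoxy mechanism in miniature, as an added example (not cPanel or Apache code): the CGI meta-variable rule of RFC 3875 turns a client-supplied "Proxy" header into HTTP_PROXY, and the 2.2.32 change amounts to dropping that header before the environment is built. The request headers, host names and the proxy-aware client stand-in are constructed for the demonstration.

```python
# Added example (not cPanel or Apache code): how CVE-2016-5387 (httpoxy)
# arises when a CGI environment is built from request headers, and what
# the 2.2.32 mitigation amounts to. Headers and host names are constructed.


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875, 4.1.18: a request header becomes HTTP_<NAME>, with the
    name upper-cased and every '-' turned into '_'. 'Proxy' therefore
    lands in HTTP_PROXY, the variable many HTTP client libraries consult
    to find an outbound proxy."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env(headers, mitigate_httpoxy=True):
    """Turn (name, value) request headers into CGI meta-variables.

    With mitigate_httpoxy=True the client-supplied 'Proxy' header is
    dropped before the environment is assembled, which is the effect of
    the 2.2.32 [f]cgi change; with False you get the pre-fix behaviour.
    """
    env = {}
    for name, value in headers:
        if mitigate_httpoxy and name.lower() == "proxy":
            continue
        env[cgi_meta_variable(name)] = value
    return env


def outbound_proxy_for(env):
    """Stand-in for a proxy-aware client library inside the CGI script:
    it routes every outbound HTTP request through HTTP_PROXY if set."""
    return env.get("HTTP_PROXY")


# Constructed request headers: an ordinary request with a hostile
# 'Proxy' header added by the client (attacker.example is made up).
CONSTRUCTED_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "curl/7.47.0"),
    ("X-Forwarded-For", "198.51.100.7"),
    ("Proxy", "http://attacker.example:8080"),
]


def demo():
    """Return (proxy_without_fix, proxy_with_fix) for the constructed request."""
    vulnerable = build_cgi_env(CONSTRUCTED_HEADERS, mitigate_httpoxy=False)
    fixed = build_cgi_env(CONSTRUCTED_HEADERS, mitigate_httpoxy=True)
    return outbound_proxy_for(vulnerable), outbound_proxy_for(fixed)


if __name__ == "__main__":
    before, after = demo()
    print("pre-2.2.32 CGI env routes outbound traffic via:", before)
    print("2.2.32 CGI env routes outbound traffic via:", after)
```

For a build that cannot be rebuilt immediately, the interim mitigation Apache documented for httpoxy is the same drop performed at the front door with mod_headers: RequestHeader unset Proxy early. Note that the server-side fix protects scripts only from the Proxy header; client libraries that read HTTP_PROXY from the environment still behave as shown above if something else sets it.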

SOLUTION

cPanel, Inc. has released EasyApache 3.34.12 with an updated version of Apache 2.2.32. Unless you have disabled EasyApache updates, the EasyApache application updates to the latest version when launched. Run EasyApache to rebuild your profile with the latest version of Apache. After the rebuild, confirm that the running binary reports version 2.2.32 with /usr/local/apache/bin/httpd -v.

Changes with Apache 2.2.32

  • SECURITY: CVE-2016-8743 (cve.mitre.org) Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
  • Validate HTTP response header grammar defined by RFC7230, resulting in a 500 error in the event that invalid response header contents are detected when serving the response, to avoid response splitting and cache pollution by malicious clients, upstream servers or faulty modules. [Stefan Fritsch, Eric Covener, Yann Ylavic]
  • core: Mitigate [f]cgi CVE-2016-5387 “httpoxy” issues. [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
  • core: Avoid a possible truncation of the faulty header included in the HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
  • core: Enforce LimitRequestFieldSize after multiple headers with the same name have been merged. [Stefan Fritsch]
  • core: Drop Content-Length header and message-body from HTTP 204 responses. PR 51350 [Luca Toscano]
  • core: Permit unencoded ‘;’ characters to appear in proxy requests and Location: response headers. Corresponds to modern browser behavior. [William Rowe]
  • core: ap_rgetline_core now pulls from r->proto_input_filters.
  • core: Correctly parse an IPv6 literal host specification in an absolute URL in the request line. [Stefan Fritsch]
  • core: New directive RegisterHttpMethod for registering non-standard HTTP methods. [Stefan Fritsch]
  • core: Limit to ten the number of tolerated empty lines between requests. [Yann Ylavic]
  • core: reject NULLs in request line or request headers. PR 43039 [Nick Kew]
  • mod_proxy: Use the correct server name for SNI in case the backend SSL connection itself is established via a proxy server. PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
  • Fix potential rejection of valid MaxMemFree and ThreadStackSize directives. [Mike Rumph <mike.rumph oracle.com>]
  • mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3. [Kaspar Brand]
  • mod_proxy: Correctly consider error response codes by the backend when processing failonstatus. PR 59869 [Ruediger Pluem]
  • mod_proxy: Play/restore the TLS-SNI on new backend connections which had to be issued because the remote closed the previous/reusable one during idle (keep-alive) time. [Yann Ylavic]
  • mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params. [Jan Kaluza, Yann Ylavic]
  • mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to use a different scoreboard slot than the original one. PR 58267. [Ruediger Pluem]
  • mod_proxy: Fix a race condition that caused a failed worker to be retried before the retry period is over. [Ruediger Pluem]
  • mod_proxy: don’t recycle backend connections announced with “Connection: close”, to avoid reusing them should the close take effect after a new request is ready to be sent. [Yann Ylavic]
  • mod_mem_cache: Fix concurrent removal of stale entries which could lead to a crash. PR 43724. [Yann Ylavic]
  • mime.types: add common extension “m4a” for MPEG 4 Audio. PR 57895 [Dylan Millikin <dylan.millikin gmail.com>]
  • mod_substitute: Allow to configure the patterns merge order with the new SubstituteInheritBefore on|off directive. PR 57641 [Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]
  • mod_mem_cache: Don’t cache incomplete responses when the client connection is aborted before the body is fully read. PR 45049. [Nick Pace <nick simplylogic.net>, Edward Lu, Yann Ylavic]
  • abs: Include OPENSSL_Applink when compiling on Windows, to resolve failures under Visual Studio 2015 and other mismatched MSVCRT flavors. PR 59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]
  • core: Support custom ErrorDocuments for HTTP 501 and 414 status codes. PR 57167 [Edward Lu]
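Several of the entries above (the RFC 7230 request grammar behind CVE-2016-8743, NUL rejection, the bound on empty lines, and LimitRequestFieldSize applied after same-name headers are merged) describe how a strict request parser behaves. The following added example, which is not Apache httpd code, is a small parser for the request head written to my reading of RFC 7230 rather than a reproduction of httpd's logic; the sample requests and the hypothetical field-size limit used in the test are constructed. It shows which inputs a lenient parser would let through, each of which is raw material for response splitting or cache pollution, and why a strict one answers 400 instead.

```python
# Added example (not Apache httpd code): a strict parser for the HTTP
# request head applying RFC 7230 grammar. Sample requests are constructed.
import re

TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
VERSION_RE = re.compile(r"^HTTP/[0-9]\.[0-9]$")
MAX_EMPTY_LINES = 10          # 2.2.32 tolerates at most ten empty lines
DEFAULT_FIELD_LIMIT = 8190    # httpd's default LimitRequestFieldSize


class BadRequest(ValueError):
    """Where a strict server answers 400 instead of guessing."""


def is_token(s):
    return bool(s) and all(c in TCHAR for c in s)


def is_field_value(s):
    # field-value = *( VCHAR / SP / HTAB / obs-text ): no CTLs, hence no CR/LF/NUL
    return all(c in " \t" or 0x21 <= ord(c) <= 0x7E or ord(c) >= 0x80 for c in s)


def parse_request_head(raw, field_limit=DEFAULT_FIELD_LIMIT):
    """Return (method, target, version, headers) or raise BadRequest.

    headers maps lower-cased field names to the merged value, same-name
    fields joined with ', ' as RFC 7230 section 3.2.2 permits.
    """
    empty = 0
    while raw.startswith(b"\r\n"):            # tolerate, but bound, leading CRLFs
        raw, empty = raw[2:], empty + 1
        if empty > MAX_EMPTY_LINES:
            raise BadRequest("too many empty lines before the request line")
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("request head is not terminated by CRLF CRLF")
    if b"\x00" in head:
        raise BadRequest("NUL byte in request line or headers")
    stripped = head.replace(b"\r\n", b"")
    if b"\r" in stripped or b"\n" in stripped:
        raise BadRequest("bare CR or LF is not a line terminator")
    lines = head.decode("latin-1").split("\r\n")

    parts = lines[0].split(" ")                # exactly one SP between the three parts
    if len(parts) != 3:
        raise BadRequest("request line must be method SP target SP version")
    method, target, version = parts
    if not is_token(method):
        raise BadRequest("method is not a token: %r" % method)
    if not target or not all(0x21 <= ord(c) <= 0x7E for c in target):
        raise BadRequest("whitespace or control character in request target")
    if not VERSION_RE.match(version):
        raise BadRequest("malformed HTTP-version: %r" % version)

    fields = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):            # RFC 7230 3.2.4 lets a server reject obs-fold
            raise BadRequest("obsolete line folding rejected")
        name, colon, value = line.partition(":")
        if not colon:
            raise BadRequest("header line without ':'")
        if not is_token(name):                 # also catches 'Host : x' (SP before the colon)
            raise BadRequest("field-name is not a token: %r" % name)
        value = value.strip(" \t")             # OWS on both sides of the field-value
        if not is_field_value(value):
            raise BadRequest("control character in field-value of %s" % name)
        fields.setdefault(name.lower(), []).append(value)

    headers = {}
    for name, values in fields.items():
        merged = ", ".join(values)
        if len(name) + 2 + len(merged) > field_limit:   # checked after merging, as 2.2.32 does
            raise BadRequest("merged %s field exceeds LimitRequestFieldSize" % name)
        headers[name] = merged
    return method, target, version, headers


def rejection_reason(raw, **kw):
    """None if the head parses, otherwise the reason a strict server returns 400."""
    try:
        parse_request_head(raw, **kw)
        return None
    except BadRequest as e:
        return str(e)


# Constructed samples: one clean request and the kinds of input that lenient
# parsers have historically accepted.
SAMPLES = {
    "clean":           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Trace: a\r\nX-Trace: b\r\n\r\n",
    "sp_before_colon": b"GET / HTTP/1.1\r\nHost : www.example.com\r\n\r\n",
    "nul_in_header":   b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Id: 1\x002\r\n\r\n",
    "bare_lf":         b"GET / HTTP/1.1\r\nX-A: foo\nX-B: bar\r\n\r\n",
    "obs_fold":        b"GET / HTTP/1.1\r\nHost: www.example.com\r\n evil\r\n\r\n",
    "bad_version":     b"GET / HTTP/1.1.1\r\nHost: www.example.com\r\n\r\n",
    "too_many_blank":  b"\r\n" * 11 + b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def classify(samples=SAMPLES):
    """Map sample name -> 'accepted' or the 400 reason."""
    return {label: rejection_reason(raw) or "accepted" for label, raw in samples.items()}


if __name__ == "__main__":
    for label, verdict in classify().items():
        print("%-16s %s" % (label, verdict))
```

The merged-size rule is the one most easily missed by home-grown front ends: two X-Long headers that each fit under the limit can still exceed it once joined, which is why the 2.2.32 entry applies LimitRequestFieldSize after merging. Try rejection_reason with a small field_limit and two same-name headers to see the difference.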

REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8743
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5387
http://www.apache.org/dist/httpd/CHANGES_2.2.32
