CVE-2016-8743

Priority
Medium
Description
Enforce HTTP request grammar corresponding to RFC7230 for request lines
and request headers, to prevent response splitting and cache pollution by
malicious clients or downstream proxies.
References
Bugs
Notes
 ratliff> Notes from Debian "The fix is not fully backwards compatible so
 ratliff> upstream have created a new option to control this behaviour.
 ratliff> Affects: 2.2.0 to 2.4.23."
 mdeslaur>
 mdeslaur> This fix no longer allows underscores in host names. Debian
 mdeslaur> added a patch to restore the behaviour:
 mdeslaur> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851357
 mdeslaur> http://mail-archives.apache.org/mod_mbox/httpd-dev/201702.mbox/%3C20170202125319.GA15948%40redhat.com%3E
 mdeslaur>
 mdeslaur> The new configuration option doesn't entirely preserve
 mdeslaur> backwards compatibility:
 mdeslaur> https://bz.apache.org/bugzilla/show_bug.cgi?id=60783
Assigned-to
mdeslaur
Package
Upstream: released (2.4.25-1)
Ubuntu 17.10 (Artful Aardvark): not-affected (2.4.25-3ubuntu2)
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 LTS (Trusty Tahr): released (2.4.7-1ubuntu4.14)
Ubuntu Touch 15.04: DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (2.4.18-2ubuntu3.2)
Ubuntu 16.10 (Yakkety Yak): released (2.4.18-2ubuntu4.1)
Ubuntu 17.04 (Zesty Zapus): not-affected (2.4.25-3ubuntu2)
Patches:
Upstream: https://svn.apache.org/r1668879 (2.4 bp, trusty)
Upstream: https://svn.apache.org/r1743516 (2.4 bp)
Upstream: https://svn.apache.org/r1773801 (2.4 bp)
Upstream: https://svn.apache.org/r1772678 (2.4)
Upstream: https://svn.apache.org/r1773802 (2.4)
Upstream: https://svn.apache.org/r1773803 (2.4)
Upstream: https://svn.apache.org/r1773995 (2.4)
Upstream: https://svn.apache.org/r1774429 (2.4)
Upstream: https://svn.apache.org/r1778052 (2.4)
More Information

Updated: 2017-05-10 22:28:16 UTC (commit 12521)