PublicDateAtUSN: 2017-06-19
Candidate: CVE-2017-7668
PublicDate: 2017-06-20 01:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668
 https://lists.apache.org/thread.html/55a068b6a5eec0b3198ae7d96a7cb412352d0ffa7716612c5af3745b@%3Cdev.httpd.apache.org%3E
 https://ubuntu.com/security/notices/USN-3340-1
 https://ubuntu.com/security/notices/USN-3373-1
Description:
 The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24
 introduced a bug in token list parsing, which allows ap_find_token() to
 search past the end of its input string. By maliciously crafting a sequence
 of request headers, an attacker may be able to cause a segmentation fault,
 or to force ap_find_token() to return an incorrect value.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Javier Jiménez
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_apache2:
 upstream: https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch
 upstream: https://github.com/apache/httpd/commit/a585e36e06a53170be6d2d462ceb5b30b8382988 (2.4)
 upstream: https://github.com/apache/httpd/commit/ad581ced12363ce82ffcb16133f236b2e31563e1 (2.2)
upstream_apache2: pending (2.2.33, 2.4.26)
precise/esm_apache2: released (2.2.22-1ubuntu1.12)
trusty_apache2: released (2.4.7-1ubuntu4.16)
trusty/esm_apache2: released (2.4.7-1ubuntu4.16)
vivid/ubuntu-core_apache2: DNE
xenial_apache2: released (2.4.18-2ubuntu3.3)
esm-infra/xenial_apache2: released (2.4.18-2ubuntu3.3)
yakkety_apache2: released (2.4.18-2ubuntu4.2)
zesty_apache2: released (2.4.25-3ubuntu2.1)
devel_apache2: released (2.4.27-2ubuntu2)