Updated Apache2 packages has been released for Debian GNU/Linux 7 LTS
Package : apache2Apache2 security update for Debian 7 LTS
Version : 2.2.22-13+deb7u13
CVE ID : CVE-2017-15710 CVE-2018-1301 CVE-2018-1312
Debian Bug :
Several vulnerabilities have been found in the Apache HTTPD server.
CVE-2017-15710
Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if
configured with AuthLDAPCharsetConfig, could cause an of bound write
if supplied with a crafted Accept-Language header. This could
potentially be used for a Denial of Service attack.
CVE-2018-1301
Robert Swiecki reported that a specially crafted request could have
crashed the Apache HTTP Server, due to an out of bound access after
a size limit is reached by reading the HTTP header.
CVE-2018-1312
Nicolas Daniels discovered that when generating an HTTP Digest
authentication challenge, the nonce sent by mod_auth_digest to
prevent reply attacks was not correctly generated using a
pseudo-random seed. In a cluster of servers using a common Digest
authentication configuration, HTTP requests could be replayed across
servers by an attacker without detection.
For Debian 7 "Wheezy", these problems have been fixed in version
2.2.22-13+deb7u13.
We recommend that you upgrade your apache2 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
