Debian 10225 Published by

Updated Apache2 packages has been released for Debian GNU/Linux 7 LTS



Package : apache2
Version : 2.2.22-13+deb7u13
CVE ID : CVE-2017-15710 CVE-2018-1301 CVE-2018-1312
Debian Bug :


Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2017-15710

Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if
configured with AuthLDAPCharsetConfig, could cause an of bound write
if supplied with a crafted Accept-Language header. This could
potentially be used for a Denial of Service attack.

CVE-2018-1301

Robert Swiecki reported that a specially crafted request could have
crashed the Apache HTTP Server, due to an out of bound access after
a size limit is reached by reading the HTTP header.
CVE-2018-1312

Nicolas Daniels discovered that when generating an HTTP Digest
authentication challenge, the nonce sent by mod_auth_digest to
prevent reply attacks was not correctly generated using a
pseudo-random seed. In a cluster of servers using a common Digest
authentication configuration, HTTP requests could be replayed across
servers by an attacker without detection.


For Debian 7 "Wheezy", these problems have been fixed in version
2.2.22-13+deb7u13.

We recommend that you upgrade your apache2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

  Apache2 security update for Debian 7 LTS