[prev in list] [next in list] [prev in thread] [next in thread]
List: apache-cvs
Subject: svn commit: r1073161 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2016-8743.json
From: buildbot () apache ! org
Date: 2021-03-30 14:23:37
Message-ID: 20210330142337.9659317A215 () svn01-us-east ! apache ! org
[Download RAW message or body]
Author: buildbot
Date: Tue Mar 30 14:23:37 2021
New Revision: 1073161
Log:
Staging update by buildbot for httpd
Modified:
websites/staging/httpd/trunk/content/ (props changed)
websites/staging/httpd/trunk/content/security/json/CVE-2016-8743.json
websites/staging/httpd/trunk/content/security/vulnerabilities_22.html
websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Mar 30 14:23:37 2021
@@ -1 +1 @@
-1888215
+1888217
Modified: websites/staging/httpd/trunk/content/security/json/CVE-2016-8743.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2016-8743.json (original)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2016-8743.json Tue Mar 30 \
14:23:37 2021 @@ -66,7 +66,7 @@
"description_data": [
{
"lang": "eng",
- "value": "Apache HTTP Server, prior to release 2.4.25 (2.2.32), accepted a \
broad pattern of unusual whitespace patterns from the user-agent, including bare CR, \
FF, VTAB in parsing the request line and request header lines, as well as HTAB in \
parsing the request line. Any bare CR present in request lines was treated as \
whitespace and remained in the request field member \"the_request\", while a bare CR \
in the request header field name would be honored as whitespace, and a bare CR in the \
request header field value was retained the input headers array. Implied additional \
whitespace was accepted in the request line and prior to the ':' delimiter of any \
request header lines. RFC7230 Section 3.5 calls out some of these whitespace \
exceptions, and section 3.2.3 eliminated and clarified the role of implied whitespace \
in the grammer of this specification. Section 3.1.1 requires exactly one single SP \
between the method and request-target, and between the request-target and \
HTTP-version , followed immediately by a CRLF sequence. None of these fields permit \
any (unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed any \
whitespace from the request header field prior to the ':' character, while Section \
3.2 disallows all CTL characters in the request header line other than the HTAB \
character as whitespace. These defects represent a security concern when httpd is \
participating in any chain of proxies or interacting with back-end application \
servers, either through mod_proxy or using conventional CGI mechanisms. In each case \
where one agent accepts such CTL characters and does not treat them as whitespace, \
there is the possiblity in a proxy chain of generating two responses from a server \
behind the uncautious proxy agent. In a sequence of two requests, this results in \
request A to the first proxy being interpreted as requests A + A' by the backend \
server, and if requests A and B were submitted to the first proxy in a keepalive \
connection, the proxy may interpret response A' as the response to request B, \
polluting the cache or potentially serving the A' content to a different downstream \
user-agent. These defects are addressed with the release of Apache HTTP Server 2.4.25 \
and coordinated by a new directive; HttpProtocolOptions Strict which is the default \
behavior of 2.4.25 and later. By toggling from 'Strict' behavior to 'Unsafe' \
behavior, some of the restrictions may be relaxed to allow some invalid HTTP/1.1 \
clients to communicate with the server, but this will reintroduce the possibility of \
the problems described in this assessment. Note that relaxing the behavior to \
'Unsafe' will still not permit raw CTLs other than HTAB (where permitted), but will \
allow other RFC requirements to not be enforced, such as exactly two SP characters in \
the request line." + "value": "Apache HTTP Server, prior to release 2.4.25 \
(2.2.32), accepted a broad pattern of unusual whitespace patterns from the \
user-agent, including bare CR, FF, VTAB in parsing the request line and request \
header lines, as well as HTAB in parsing the request line. Any bare CR present in \
request lines was treated as whitespace and remained in the request field member \
\"the_request\", while a bare CR in the request header field name would be honored as \
whitespace, and a bare CR in the request header field value was retained the input \
headers array. Implied additional whitespace was accepted in the request line and \
prior to the ':' delimiter of any request header lines.\nRFC7230 Section 3.5 calls \
out some of these whitespace exceptions, and section 3.2.3 eliminated and clarified \
the role of implied whitespace in the grammer of this specification. Section 3.1.1 \
requires exactly one single SP between the method and request-target, and between the \
request-target and HTTP-versio n, followed immediately by a CRLF sequence. None of \
these fields permit any (unencoded) CTL character whatsoever. Section 3.2.4 \
explicitly disallowed any whitespace from the request header field prior to the ':' \
character, while Section 3.2 disallows all CTL characters in the request header line \
other than the HTAB character as whitespace.\nThese defects represent a security \
concern when httpd is participating in any chain of proxies or interacting with \
back-end application servers, either through mod_proxy or using conventional CGI \
mechanisms. In each case where one agent accepts such CTL characters and does not \
treat them as whitespace, there is the possiblity in a proxy chain of generating two \
responses from a server behind the uncautious proxy agent. In a sequence of two \
requests, this results in request A to the first proxy being interpreted as requests \
A + A' by the backend server, and if requests A and B were submitted to the first \
proxy in a keepalive connection, the proxy m ay interpret response A' as the \
response to request B, polluting the cache or potentially serving the A' content to a \
different downstream user-agent.\nThese defects are addressed with the release of \
Apache HTTP Server 2.4.25 and coordinated by a new directive; HttpProtocolOptions \
Strict which is the default behavior of 2.4.25 and later.\nBy toggling from 'Strict' \
behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow some \
invalid HTTP/1.1 clients to communicate with the server, but this will reintroduce \
the possibility of the problems described in this assessment. Note that relaxing the \
behavior to 'Unsafe' will still not permit raw CTLs other than HTAB (where \
permitted), but will allow other RFC requirements to not be enforced, such as exactly \
two SP characters in the request line." }
]
},
@@ -305,4 +305,4 @@
]
}
}
-}
\ No newline at end of file
+}
Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_22.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_22.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_22.html Tue Mar 30 \
14:23:37 2021 @@ -197,7 +197,11 @@ h2:hover > .headerlink, h3:hover > .head
</table></dd>
<dt><h3 id="CVE-2016-8743">important: <name name="CVE-2016-8743">Apache HTTP Request \
Parsing Whitespace Defects</name> (<a \
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>)</h3></dt>
-<dd><p>Apache HTTP Server, prior to release 2.4.25 (2.2.32), accepted a broad \
pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, \
VTAB in parsing the request line and request header lines, as well as HTAB in parsing \
the request line. Any bare CR present in request lines was treated as whitespace and \
remained in the request field member "the_request", while a bare CR in the request \
header field name would be honored as whitespace, and a bare CR in the request header \
field value was retained the input headers array. Implied additional whitespace was \
accepted in the request line and prior to the ':' delimiter of any request header \
lines. RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section \
3.2.3 eliminated and clarified the role of implied whitespace in the grammer of this \
specification. Section 3.1.1 requires exactly one single SP between the method and \
request-target, and between the request-target and HTTP-version, followed im \
mediately by a CRLF sequence. None of these fields permit any (unencoded) CTL \
character whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the \
request header field prior to the ':' character, while Section 3.2 disallows all CTL \
characters in the request header line other than the HTAB character as whitespace. \
These defects represent a security concern when httpd is participating in any chain \
of proxies or interacting with back-end application servers, either through mod_proxy \
or using conventional CGI mechanisms. In each case where one agent accepts such CTL \
characters and does not treat them as whitespace, there is the possiblity in a proxy \
chain of generating two responses from a server behind the uncautious proxy agent. In \
a sequence of two requests, this results in request A to the first proxy being \
interpreted as requests A + A' by the backend server, and if requests A and B were \
submitted to the first proxy in a keepalive connection, the proxy may interpret re \
sponse A' as the response to request B, polluting the cache or potentially serving \
the A' content to a different downstream user-agent. These defects are addressed with \
the release of Apache HTTP Server 2.4.25 and coordinated by a new directive; \
HttpProtocolOptions Strict which is the default behavior of 2.4.25 and later. By \
toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be \
relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but \
this will reintroduce the possibility of the problems described in this assessment. \
Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than \
HTAB (where permitted), but will allow other RFC requirements to not be enforced, \
such as exactly two SP characters in the request line.</p> +<dd><p>Apache HTTP \
Server, prior to release 2.4.25 (2.2.32), accepted a broad pattern of unusual \
whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the \
request line and request header lines, as well as HTAB in parsing the request line. \
Any bare CR present in request lines was treated as whitespace and remained in the \
request field member "the_request", while a bare CR in the request header field name \
would be honored as whitespace, and a bare CR in the request header field value was \
retained the input headers array. Implied additional whitespace was accepted in the \
request line and prior to the ':' delimiter of any request header lines. +RFC7230 \
Section 3.5 calls out some of these whitespace exceptions, and section 3.2.3 \
eliminated and clarified the role of implied whitespace in the grammer of this \
specification. Section 3.1.1 requires exactly one single SP between the method and \
request-target, and between the request-target and HTTP-version, followed immediately \
by a CRLF sequence. None of these fields permit any (unencoded) CTL character \
whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the request \
header field prior to the ':' character, while Section 3.2 disallows all CTL \
characters in the request header line other than the HTAB character as whitespace. \
+These defects represent a security concern when httpd is participating in any chain \
of proxies or interacting with back-end application servers, either through mod_proxy \
or using conventional CGI mechanisms. In each case where one agent accepts such CTL \
characters and does not treat them as whitespace, there is the possiblity in a proxy \
chain of generating two responses from a server behind the uncautious proxy agent. In \
a sequence of two requests, this results in request A to the first proxy being \
interpreted as requests A + A' by the backend server, and if requests A and B were \
submitted to the first proxy in a keepalive connection, the proxy may interpret \
response A' as the response to request B, polluting the cache or potentially serving \
the A' content to a different downstream user-agent. +These defects are addressed \
with the release of Apache HTTP Server 2.4.25 and coordinated by a new directive; \
HttpProtocolOptions Strict which is the default behavior of 2.4.25 and later. +By \
toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be \
relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but \
this will reintroduce the possibility of the problems described in this assessment. \
Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than \
HTAB (where permitted), but will allow other RFC requirements to not be enforced, \
such as exactly two SP characters in the request line.</p> <p>Acknowledgements: We \
would like to thank David Dennerline at IBM Security's X-Force Researchers as well as \
RÃ ©gis Leroy for each reporting this issue.</p> <table class="cve"><tr><td \
class="cve-header">Reported to security team</td><td \
class="cve-value">2016-02-10</td></tr> <tr><td class="cve-header">Issue \
public</td><td class="cve-value">2016-12-20</td></tr>
Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_24.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_24.html Tue Mar 30 \
14:23:37 2021 @@ -548,7 +548,11 @@ h2:hover > .headerlink, h3:hover > .head
</table></dd>
<dt><h3 id="CVE-2016-8743">important: <name name="CVE-2016-8743">Apache HTTP Request \
Parsing Whitespace Defects</name> (<a \
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>)</h3></dt>
-<dd><p>Apache HTTP Server, prior to release 2.4.25 (2.2.32), accepted a broad \
pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, \
VTAB in parsing the request line and request header lines, as well as HTAB in parsing \
the request line. Any bare CR present in request lines was treated as whitespace and \
remained in the request field member "the_request", while a bare CR in the request \
header field name would be honored as whitespace, and a bare CR in the request header \
field value was retained the input headers array. Implied additional whitespace was \
accepted in the request line and prior to the ':' delimiter of any request header \
lines. RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section \
3.2.3 eliminated and clarified the role of implied whitespace in the grammer of this \
specification. Section 3.1.1 requires exactly one single SP between the method and \
request-target, and between the request-target and HTTP-version, followed im \
mediately by a CRLF sequence. None of these fields permit any (unencoded) CTL \
character whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the \
request header field prior to the ':' character, while Section 3.2 disallows all CTL \
characters in the request header line other than the HTAB character as whitespace. \
These defects represent a security concern when httpd is participating in any chain \
of proxies or interacting with back-end application servers, either through mod_proxy \
or using conventional CGI mechanisms. In each case where one agent accepts such CTL \
characters and does not treat them as whitespace, there is the possiblity in a proxy \
chain of generating two responses from a server behind the uncautious proxy agent. In \
a sequence of two requests, this results in request A to the first proxy being \
interpreted as requests A + A' by the backend server, and if requests A and B were \
submitted to the first proxy in a keepalive connection, the proxy may interpret re \
sponse A' as the response to request B, polluting the cache or potentially serving \
the A' content to a different downstream user-agent. These defects are addressed with \
the release of Apache HTTP Server 2.4.25 and coordinated by a new directive; \
HttpProtocolOptions Strict which is the default behavior of 2.4.25 and later. By \
toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be \
relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but \
this will reintroduce the possibility of the problems described in this assessment. \
Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than \
HTAB (where permitted), but will allow other RFC requirements to not be enforced, \
such as exactly two SP characters in the request line.</p> +<dd><p>Apache HTTP \
Server, prior to release 2.4.25 (2.2.32), accepted a broad pattern of unusual \
whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the \
request line and request header lines, as well as HTAB in parsing the request line. \
Any bare CR present in request lines was treated as whitespace and remained in the \
request field member "the_request", while a bare CR in the request header field name \
would be honored as whitespace, and a bare CR in the request header field value was \
retained the input headers array. Implied additional whitespace was accepted in the \
request line and prior to the ':' delimiter of any request header lines. +RFC7230 \
Section 3.5 calls out some of these whitespace exceptions, and section 3.2.3 \
eliminated and clarified the role of implied whitespace in the grammer of this \
specification. Section 3.1.1 requires exactly one single SP between the method and \
request-target, and between the request-target and HTTP-version, followed immediately \
by a CRLF sequence. None of these fields permit any (unencoded) CTL character \
whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the request \
header field prior to the ':' character, while Section 3.2 disallows all CTL \
characters in the request header line other than the HTAB character as whitespace. \
+These defects represent a security concern when httpd is participating in any chain \
of proxies or interacting with back-end application servers, either through mod_proxy \
or using conventional CGI mechanisms. In each case where one agent accepts such CTL \
characters and does not treat them as whitespace, there is the possiblity in a proxy \
chain of generating two responses from a server behind the uncautious proxy agent. In \
a sequence of two requests, this results in request A to the first proxy being \
interpreted as requests A + A' by the backend server, and if requests A and B were \
submitted to the first proxy in a keepalive connection, the proxy may interpret \
response A' as the response to request B, polluting the cache or potentially serving \
the A' content to a different downstream user-agent. +These defects are addressed \
with the release of Apache HTTP Server 2.4.25 and coordinated by a new directive; \
HttpProtocolOptions Strict which is the default behavior of 2.4.25 and later. +By \
toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be \
relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but \
this will reintroduce the possibility of the problems described in this assessment. \
Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than \
HTAB (where permitted), but will allow other RFC requirements to not be enforced, \
such as exactly two SP characters in the request line.</p> <p>Acknowledgements: We \
would like to thank David Dennerline at IBM Security's X-Force Researchers as well as \
RÃ ©gis Leroy for each reporting this issue.</p> <table class="cve"><tr><td \
class="cve-header">Reported to security team</td><td \
class="cve-value">2016-02-10</td></tr> <tr><td class="cve-header">Issue \
public</td><td class="cve-value">2016-12-20</td></tr>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic