Ubuntu Security Notice USN-3937-2
April 10, 2019

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Several security issues were fixed in Apache.

- apache2: Apache HTTP server

USN-3937-1 and USN-3627-1 fixed several vulnerabilities in Apache.
This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:
Simon Kappel discovered that the Apache HTTP Server mod_auth_digest
module incorrectly handled threads. A remote attacker with valid
credentials could possibly use this issue to authenticate using
another username, bypassing access control restrictions.

Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server
mod_authnz_ldap module incorrectly handled missing charset encoding
headers. A remote attacker could possibly use this issue to cause the
server to crash, resulting in a denial of service. (CVE-2017-15710)

Robert Swiecki discovered that the Apache HTTP Server incorrectly
handled certain requests. A remote attacker could possibly use this
issue to cause the server to crash, leading to a denial of service.

Nicolas Daniels discovered that the Apache HTTP Server incorrectly
generated the nonce when creating HTTP Digest authentication
challenges. A remote attacker could possibly use this issue to replay
HTTP requests across a cluster of servers.

The problem can be corrected by updating your system to the following
Ubuntu 12.04 ESM:

In general, a standard system update will make all the necessary

CVE-2017-15710, CVE-2018-1301, CVE-2018-1312, CVE-2019-0217