
Vulnerability of Apache httpd: out-of-bounds memory reading via mod_mime

Synthesis of the vulnerability

An attacker can force a read at an invalid address via mod_mime of Apache httpd, in order to trigger a denial of service, or to obtain sensitive information.
Vulnerable products: SES, Apache httpd, Mac OS X, Debian, NetWorker, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, Junos Space, ePO, openSUSE Leap, Solaris, VirtualBox, RHEL, Slackware, Ubuntu.
Severity of this weakness: 2/4.
Creation date: 20/06/2017.
References of this bulletin: APPLE-SA-2017-09-25-1, bulletinjul2017, cpuoct2017, CVE-2017-7679, DLA-1009-1, DSA-2019-131, DSA-2019-197, DSA-3896-1, FEDORA-2017-9ded7c5670, FEDORA-2017-cf9599a306, HT208144, HT208221, JSA10838, K75429050, openSUSE-SU-2017:1803-1, RHSA-2017:2478-01, RHSA-2017:2479-01, RHSA-2017:2483-01, RHSA-2017:3193-01, RHSA-2017:3194-01, RHSA-2017:3195-01, SB10206, SSA:2017-180-03, STORM-2017-003, USN-3340-1, USN-3373-1, VIGILANCE-VUL-23004.

Description of the vulnerability

An attacker can force a read at an invalid address via mod_mime of Apache httpd, in order to trigger a denial of service, or to obtain sensitive information.

This security bulletin impacts software or systems such as SES, Apache httpd, Mac OS X, Debian, NetWorker, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, Junos Space, ePO, openSUSE Leap, Solaris, VirtualBox, RHEL, Slackware, Ubuntu.

Our Vigil@nce team rated the severity of this security announcement as medium.

The trust level is "confirmed by the vendor", and the attack origin is an internet client.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat

Apache httpd: version 2.4.26.
The version 2.4.26 is fixed:
  https://httpd.apache.org/

Apache httpd: version 2.2.34.
The version 2.2.34 is fixed:
  http://httpd.apache.org/

Apache httpd 2.2: patch for mod_mime.
A patch is available:
  https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch

Apple macOS 10.12: version Security Update 2017-001.
The version Security Update 2017-001 is fixed:
  https://support.apple.com/

Apple macOS: version 10.13.
The version 10.13 is fixed:
  https://www.apple.com/support/downloads/

Apple macOS: version 10.13.1.
The version 10.13.1 is fixed:
  https://support.apple.com/

Apple Mac OS X 10.11: version Security Update 2017-004.
The version Security Update 2017-004 is fixed:
  https://support.apple.com/

Debian: new apache2 packages.
New packages are available:
  Debian 7: apache2 2.2.22-13+deb7u9
  Debian 8: apache2 2.4.10-10+deb8u9
  Debian 9: apache2 2.4.25-3+deb9u1

Dell EMC VNXe3200: version 3.1.10.9946299.
The version 3.1.10.9946299 is fixed:
  https://www.dell.com/

Dell EMC VNXe: version MR4 Service Pack 5.
The version MR4 Service Pack 5 is fixed:
  https://www.dell.com/support/

EMC NetWorker: patch for Apache httpd.
A patch is available:
  https://support.emc.com/kb/517396

F5 BIG-IP: solution for Apache HTTPD CVE-2017-7679.
The solution is indicated in information sources.

Fedora: new httpd packages.
New packages are available:
  Fedora 24: httpd 2.4.26-1.fc24
  Fedora 25: httpd 2.4.27-2.fc25

Junos Space: fixed versions.
Fixed versions are indicated in information sources.

McAfee ePO: solution for Apache httpd.
The solution is indicated in information sources.

openSUSE Leap 42.2: new apache2 packages.
New packages are available:
  openSUSE Leap 42.2: apache2 2.4.23-8.6.1

Oracle Solaris: patch for third-party software of July 2017 v3.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Oracle VM VirtualBox: version 5.1.30.
The version 5.1.30 is fixed:
  https://www.virtualbox.org/

RHEL 6.9: new httpd packages.
New packages are available:
  RHEL 6: httpd 2.2.15-60.el6_9.5

RHEL 7.4: new httpd packages.
New packages are available:
  RHEL 7: httpd 2.4.6-67.el7_4.2

RHEL: new httpd24-httpd packages.
New packages are available:
  RHEL 6: httpd24-httpd 2.4.25-9.el6.1
  RHEL 7: httpd24-httpd 2.4.25-9.el7.1

Slackware: new httpd packages.
New packages are available:
  Slackware 13.0: httpd 2.2.32-*-1_slack13.0
  Slackware 13.1: httpd 2.2.32-*-1_slack13.1
  Slackware 13.37: httpd 2.2.32-*-1_slack13.37
  Slackware 14.0: httpd 2.4.26-*-1_slack14.0
  Slackware 14.1: httpd 2.4.26-*-1_slack14.1
  Slackware 14.2: httpd 2.4.26-*-1_slack14.2

Stormshield Endpoint Security: versions 6.0.29 and 7.2.18.
Versions 6.0.29 and 7.2.18 are fixed.

Ubuntu 12.04: new apache2.2-bin packages.
New packages are available:
  Ubuntu 12.04 ESM: apache2.2-bin 2.2.22-1ubuntu1.12

Ubuntu: new apache2-bin packages.
New packages are available:
  Ubuntu 17.04: apache2-bin 2.4.25-3ubuntu2.1
  Ubuntu 16.10: apache2-bin 2.4.18-2ubuntu4.2
  Ubuntu 16.04 LTS: apache2-bin 2.4.18-2ubuntu3.3
  Ubuntu 14.04 LTS: apache2-bin 2.4.7-1ubuntu4.16

Wind River Linux: solution of Mid-August 2017.
The solution is indicated in information sources.
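As an added check that is not part of the Vigil@nce bulletin, the script below parses `httpd -v` output and classifies the build against the fixed upstream versions this bulletin gives (2.2.34 and 2.4.26). The list of build tags used to recognise distro packages, and the sample outputs, are assumptions constructed for the example.

```python
import re
from typing import Tuple

# Upstream Apache httpd versions this bulletin lists as fixed, keyed by branch.
FIXED_UPSTREAM = {(2, 2): (2, 2, 34), (2, 4): (2, 4, 26)}

# Assumed build tags that identify distro packages. Distros backport the fix
# without bumping the upstream number, so the number alone is not conclusive.
DISTRO_BUILDS = ("Debian", "Ubuntu", "Red Hat", "Fedora", "Linux/SUSE")

_VERSION_RE = re.compile(
    r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)\s*\(([^)]*)\)")


def parse_server_version(httpd_v: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, patch), build_tag) from `httpd -v` output."""
    m = _VERSION_RE.search(httpd_v)
    if m is None:
        raise ValueError("no 'Server version: Apache/x.y.z (...)' line found")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch)), build


def assess(httpd_v: str) -> str:
    """Classify a build against the fixed versions in this bulletin:
    'fixed'         at or above the fixed upstream release of its branch
    'vulnerable'    vanilla build below the fixed release
    'check-package' distro build below the fixed number: compare the package
                    version with the vendor entries in this bulletin instead
    'not-covered'   branch this bulletin does not mention (e.g. 2.0.x)
    """
    version, build = parse_server_version(httpd_v)
    fixed = FIXED_UPSTREAM.get(version[:2])
    if fixed is None:
        return "not-covered"
    if version >= fixed:
        return "fixed"
    if any(tag in build for tag in DISTRO_BUILDS):
        return "check-package"
    return "vulnerable"


# Constructed sample outputs in the format `httpd -v` prints.
SAMPLES = {
    "vanilla_old": "Server version: Apache/2.4.25 (Unix)\nServer built: Dec 20 2016\n",
    "vanilla_fixed": "Server version: Apache/2.4.26 (Unix)\n",
    "debian_backport": "Server version: Apache/2.4.10 (Debian)\n",
    "legacy_branch": "Server version: Apache/2.0.65 (Unix)\n",
}
```

Not every distro build carries a distinguishing tag, so on a package-managed host compare the installed package version with the vendor entries listed in this bulletin rather than relying on this heuristic alone.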
