Return-Path:
Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: (qmail 83444 invoked from network); 1 May 2006 01:32:46 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 1 May 2006 01:32:46 -0000
Received: (qmail 28401 invoked by uid 500); 1 May 2006 01:32:44 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 28346 invoked by uid 500); 1 May 2006 01:32:44 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help:
list-unsubscribe:
List-Post:
List-Id:
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 28333 invoked by uid 99); 1 May 2006 01:32:44 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 30 Apr 2006 18:32:44 -0700
X-ASF-Spam-Status: No, hits=-9.4 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME
X-Spam-Check-By: apache.org
Received: from [209.237.227.194] (HELO minotaur.apache.org) (209.237.227.194) by apache.org (qpsmtpd/0.29) with SMTP; Sun, 30 Apr 2006 18:32:42 -0700
Received: (qmail 83362 invoked by uid 65534); 1 May 2006 01:32:21 -0000
Message-ID: <20060501013221.83361.qmail@minotaur.apache.org>
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: svn commit: r398494 - in /httpd/site/trunk: docs/security/vulnerabilities_13.html docs/security/vulnerabilities_20.html docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities_22.xml
Date: Mon, 01 May 2006 01:32:20 -0000
To: cvs@httpd.apache.org
From: pquerna@apache.org
X-Mailer: svnmailer-1.0.8
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

Author: pquerna
Date: Sun Apr 30 18:32:18 2006
New Revision: 398494

URL: http://svn.apache.org/viewcvs?rev=398494&view=rev
Log:
rebuild all.

Modified:
    httpd/site/trunk/docs/security/vulnerabilities_13.html
    httpd/site/trunk/docs/security/vulnerabilities_20.html
    httpd/site/trunk/docs/security/vulnerabilities_22.html
    httpd/site/trunk/xdocs/security/vulnerabilities_22.xml

Modified: httpd/site/trunk/docs/security/vulnerabilities_13.html
URL: http://svn.apache.org/viewcvs/httpd/site/trunk/docs/security/vulnerabilities_13.html?rev=398494&r1=398493&r2=398494&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_13.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_13.html Sun Apr 30 18:32:18 2006
@@ -78,775 +78,6 @@ - - - -
- - Fixed in Apache httpd 1.3.35-dev - -
-
-
-
-moderate: - -mod_imap Referer Cross-Site Scripting - -CVE-2005-3352 -

-A flaw in mod_imap when using the Referer directive with image maps. -In certain site configurations a remote attacker could perform a cross-site -scripting attack if a victim can be forced to visit a malicious -URL using certain web browsers. -

-
-
-
- Affects: - 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.33 - -
-
-
-
-moderate: - -mod_include overflow - -CVE-2004-0940 -

-A buffer overflow in mod_include could allow a local user who -is authorised to create server side include (SSI) files to gain -the privileges of a httpd child. -

-
-
- Update Released: 28th October 2004
-
-
- Affects: - 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.32 - -
-
-
-
-moderate: - -mod_proxy buffer overflow - -CVE-2004-0492 -

-A buffer overflow was found in the Apache proxy module, mod_proxy, which -can be triggered by receiving an invalid Content-Length header. In order -to exploit this issue an attacker would need to get an Apache installation -that was configured as a proxy to connect to a malicious site. This would -cause the Apache child processing the request to crash, although this does -not represent a significant Denial of Service attack as requests will -continue to be handled by other Apache child processes. This issue may -lead to remote arbitrary code execution on some BSD platforms. -

-
-
- Update Released: 20th October 2004
-
-
- Affects: - 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.31 - -
-
-
-
-important: - -listening socket starvation - -CVE-2004-0174 -

-A starvation issue on listening sockets occurs when a short-lived -connection on a rarely-accessed listening socket will cause a child to -hold the accept mutex and block out new connections until another -connection arrives on that rarely-accessed listening socket. This -issue is known to affect some versions of AIX, Solaris, and Tru64; it -is known to not affect FreeBSD or Linux. - -

-
-
- Update Released: 12th May 2004
-
-
- Affects: - 1.3.29, 1.3.28?, 1.3.27?, 1.3.26?, 1.3.24?, 1.3.22?, 1.3.20?, 1.3.19?, 1.3.17?, 1.3.14?, 1.3.12?, 1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?

-

-
-important: - -Allow/Deny parsing on big-endian 64-bit platforms - -CVE-2003-0993 -

-A bug in the parsing of Allow/Deny rules using IP addresses -without a netmask on big-endian 64-bit platforms causes the rules -to fail to match. -

-
-
- Update Released: 12th May 2004
-
-
- Affects: - 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-low: - -Error log escape filtering - -CVE-2003-0020 -

-Apache does not filter terminal escape sequences from error logs, -which could make it easier for attackers to insert those sequences -into terminal emulators containing vulnerabilities related to escape -sequences. -

-
-
- Update Released: 12th May 2004
-
-
- Affects: - 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-low: - -mod_digest nonce checking - -CVE-2003-0987 -

- -mod_digest does not properly verify the nonce of a client response by -using a AuthNonce secret. This could allow a malicious user who is -able to sniff network traffic to conduct a replay attack against a -website using Digest protection. Note that mod_digest implements an -older version of the MD5 Digest Authentication specification which -is known not to work with modern browsers. This issue does not affect -mod_auth_digest. - -

-
-
- Update Released: 12th May 2004
-
-
- Affects: - 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.29 - -
-
-
-
-low: - -Local configuration regular expression overflow - -CVE-2003-0542 -

-By using a regular expression with more than 9 captures a buffer -overflow can occur in mod_alias or mod_rewrite. To exploit this an -attacker would need to be able to create a carefully crafted configuration -file (.htaccess or httpd.conf) -

-
-
- Update Released: 27th October 2003
-
-
- Affects: - 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.28 - -
-
-
-
-important: - -RotateLogs DoS - -CVE-2003-0460 -

The rotatelogs support program on Win32 and OS/2 would quit logging -and exit if it received special control characters such as 0x1A. -

-
-
- Update Released: 18th July 2003
-
-
- Affects: - 1.3.27, 1.3.26?, 1.3.24?, 1.3.22?, 1.3.20?, 1.3.19?, 1.3.17?, 1.3.14?, 1.3.12?, 1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.27 - -
-
-
-
-important: - -Buffer overflows in ab utility - -CVE-2002-0843 -

Buffer overflows in the benchmarking utility ab could be exploited if -ab is run against a malicious server -

-
-
- Update Released: 3rd October 2002
-
-
- Affects: - 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-important: - -Shared memory permissions lead to local privilege escalation - -CVE-2002-0839 -

The permissions of the shared memory used for the scoreboard -allows an attacker who can execute under -the Apache UID to send a signal to any process as root or cause a local -denial of service attack. -

-
-
- Update Released: 3rd October 2002
-
-
- Affects: - 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-low: - -Error page XSS using wildcard DNS - -CVE-2002-0840 -

Cross-site scripting (XSS) vulnerability in the default error page of -Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when -UseCanonicalName is "Off" and support for wildcard DNS is present, -allows remote attackers to execute script as other web page visitors -via the Host: header.

-
-
- Update Released: 3rd October 2002
-
-
- Affects: - 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.26 - -
-
-
-
-critical: - -Apache Chunked encoding vulnerability - -CVE-2002-0392 -

Requests to all versions of Apache 1.3 can cause various effects -ranging from a relatively harmless increase in -system resources through to denial of service attacks and in some -cases the ability to be remotely exploited.

-
-
- Update Released: 18th June 2002
-
-
- Affects: - 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-low: - -Filtered escape sequences - -CVE-2003-0083 -

-Apache does not filter terminal escape sequences from its -access logs, which could make it easier for attackers to insert those -sequences into terminal emulators containing vulnerabilities related -to escape sequences, -

-
-
- Update Released: 18th June 2002
-
-
- Affects: - 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.24 - -
-
-
-
-critical: - -Win32 Apache Remote command execution - -CVE-2002-0061 -

Apache for Win32 before 1.3.24 and 2.0.34-beta allows remote -attackers to execute arbitrary commands via parameters passed -to batch file CGI scripts.

-
-
- Update Released: 22nd March 2002
-
-
- Affects: - 1.3.22, 1.3.20?, 1.3.19?, 1.3.17?, 1.3.14?, 1.3.12?, 1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.22 - -
-
-
-
-important: - -Requests can cause directory listing to be displayed - -CVE-2001-0729 -

A vulnerability was found in the Win32 port of -Apache 1.3.20. A client submitting a very long URI -could cause a directory listing to be returned rather than -the default index page.

-
-
- Update Released: 12th October 2001
-
-
- Affects: - 1.3.20

-

-
-important: - -Multiviews can cause a directory listing to be displayed - -CVE-2001-0731 -

A vulnerability was found when Multiviews - are used to negotiate the directory index. In some - configurations, requesting a URI with a QUERY_STRING of - M=D could - return a directory listing rather than the expected index page.

-
-
- Update Released: 12th October 2001
-
-
- Affects: - 1.3.20, 1.3.19?, 1.3.17?, 1.3.14?, 1.3.12?, 1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?

-

-
-moderate: - -split-logfile can cause arbitrary log files to be written to - -CVE-2001-0730 -

A vulnerability was found in the split-logfile support - program. A request with a specially crafted Host: - header could allow any file with a .log extension on - the system to be written to.

-
-
- Update Released: 12th October 2001
-
-
- Affects: - 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.20 - -
-
-
-
-important: - -Denial of service attack on Win32 and OS2 - -CVE-2001-1342 -

A vulnerability was found in the Win32 and OS2 ports of Apache 1.3. A - client submitting a carefully constructed URI could cause a General - Protection Fault in a child process, bringing up a message box which - would have to be cleared by the operator to resume operation. This - vulnerability introduced no identified means to compromise the server - other than introducing a possible denial of service.

-
-
- Update Released: 22nd May 2001
-
-
- Affects: - 1.3.20, 1.3.19?, 1.3.17?, 1.3.14?, 1.3.12?, 1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.19 - -
-
-
-
-important: - -Requests can cause directory listing to be displayed - -CVE-2001-0925 -

The default installation can lead mod_negotiation and - mod_dir or mod_autoindex to display a - directory listing instead of the multiview index.html file if a - very long path was created artificially by using many slashes.

-
-
- Update Released: 28th February 2001
-
-
- Affects: - 1.3.17, 1.3.14, 1.3.12, 1.3.11

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.14 - -
-
-
-
-important: - -Rewrite rules that include references allow access to any file - -CVE-2000-0913 -

The Rewrite module, mod_rewrite, can allow access to - any file on the web server. The vulnerability occurs only with - certain specific cases of using regular expression references in - RewriteRule directives: If the destination - of a RewriteRule contains regular expression references - then an attacker will be able to access any file on the server.

-
-
- Update Released: 13th October 2000
-
-
- Affects: - 1.3.12, 1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?

-

-
-important: - -Mass virtual hosting can display CGI source - -CVE-2000-1204 -

A security problem for users of the mass virtual hosting module, - mod_vhost_alias, causes - the source to a CGI to be sent if the cgi-bin directory is - under the document root. However, it is not normal to have your - cgi-bin directory under a document root.

-
-
- Update Released: 13th October 2000
-
-
- Affects: - 1.3.12, 1.3.11, 1.3.9

-

-
-moderate: - -Requests can cause directory listing to be displayed on NT - -CVE-2000-0505 -

A security hole on Apache for Windows allows a user to - view the listing of a - directory instead of the default HTML page by sending a carefully - constructed request.

-
-
- Update Released: 13th October 2000
-
-
- Affects: - 1.3.12, 1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.12 - -
-
-
-
-important: - -Cross-site scripting can reveal private session information - -CVE-2000-1205 -

Apache was vulnerable to cross site scripting issues. - It was shown that malicious HTML tags can be embedded in client web - requests if the server or script handling the request does not - carefully encode all information displayed to - the user. Using these vulnerabilities attackers could, for - example, obtain copies of your private - cookies used to authenticate - you to other sites.

-
-
- Update Released: 25th February 2000
-
-
- Affects: - 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.11 - -
-
-
-
-moderate: - -Mass virtual hosting security issue - -CVE-2000-1206 -

A security problem can occur for sites using mass name-based virtual -hosting (using -the new mod_vhost_alias module) or with special -mod_rewrite rules. - - - -

-
-
- Update Released: 21st January 2000
-
-
- Affects: - 1.3.9, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.4 - -
-
-
-
-important: - -Denial of service attack on Win32 - -

There have been a number of important security fixes to Apache on -Windows. The most important is that there is much better protection -against people trying to access special DOS device names (such as -"nul").

-
-
- Update Released: 11th January 1999
-
-
- Affects: - 1.3.3, 1.3.2, 1.3.1, 1.3.0

-

-
-
-
- - - -
- - Fixed in Apache httpd 1.3.2 - -
-
-
-
-important: - -Multiple header Denial of Service vulnerability - -CVE-1999-1199 -

A serious problem exists when a client -sends a large number of headers with the same header name. Apache uses -up memory faster than the amount of memory required to simply store -the received data itself. That is, memory use increases faster and -faster as more headers are received, rather than increasing at a -constant rate. This makes a denial of service attack based on this -method more effective than methods which cause Apache to use memory at -a constant rate, since the attacker has to send less data.

-
-
- Update Released: 23rd September 1998
-
-
- Affects: - 1.3.1, 1.3.0

-

-
-important: - -Denial of service attacks - -

Apache 1.3.2 has -better protection against denial of service attacks. These are when -people make excessive requests to the server to try and prevent other -people using it. In 1.3.2 there are several new directives which can -limit the size of requests (these directives all start with the word -Limit). -

-
-
- Update Released: 23rd September 1998
-
-
- Affects: - 1.3.1, 1.3.0

-

-
-
-
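Review bot: the hunk header `@@ -78,775 +78,6 @@` replaces 775 lines of the generated vulnerabilities_13.html with 6, and only removed lines are visible here, from the 1.3.35-dev entry (CVE-2005-3352) down to the 1.3.2 fixes (CVE-1999-1199 and the Limit* request-size directives); no replacement lines appear, and the only source file in the Modified list is xdocs/security/vulnerabilities_22.xml, so nothing in this commit explains why the 1.3 page loses its entries. A "rebuild all" that empties a published advisory page looks like the generator ran without the 1.3 vulnerability data rather than an intended edit; before accepting, confirm that the rebuilt vulnerabilities_13.html still carries every entry, "Update Released" date and "Affects" list shown in the removed lines, or rerun the build with that data present and commit the regenerated output.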
Modified: httpd/site/trunk/docs/security/vulnerabilities_20.html
URL: http://svn.apache.org/viewcvs/httpd/site/trunk/docs/security/vulnerabilities_20.html?rev=398494&r1=398493&r2=398494&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_20.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_20.html Sun Apr 30 18:32:18 2006
@@ -78,1048 +78,6 @@ - - - -
- - Fixed in Apache httpd 2.0.56-dev - -
-
-
-
-low: - -mod_ssl access control DoS - -CVE-2005-3357 -

-A NULL pointer dereference flaw in mod_ssl was discovered affecting server -configurations where an SSL virtual host is configured with access control -and a custom 400 error document. A remote attacker could send a carefully -crafted request to trigger this issue which would lead to a crash. This -crash would only be a denial of service if using the worker MPM. -

-
-
-
- Affects: - 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-moderate: - -mod_imap Referer Cross-Site Scripting - -CVE-2005-3352 -

-A flaw in mod_imap when using the Referer directive with image maps. -In certain site configurations a remote attacker could perform a cross-site -scripting attack if a victim can be forced to visit a malicious -URL using certain web browsers. -

-
-
-
- Affects: - 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.55 - -
-
-
-
-important: - -SSLVerifyClient bypass - -CVE-2005-2700 -

-A flaw in the mod_ssl handling of the "SSLVerifyClient" -directive. This flaw would occur if a virtual host has been configured -using "SSLVerifyClient optional" and further a directive "SSLVerifyClient -required" is set for a specific location. For servers configured in this -fashion, an attacker may be able to access resources that should otherwise -be protected, by not supplying a client certificate when connecting. -

-
-
- Update Released: 14th October 2005
-
-
- Affects: - 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-low: - -Worker MPM memory leak - -CVE-2005-2970 -

-A memory leak in the worker MPM would allow remote attackers to cause -a denial of service (memory consumption) via aborted connections, -which prevents the memory for the transaction pool from being reused -for other connections. This issue was downgraded in severity to low -(from moderate) as sucessful exploitation of the race condition would -be difficult. -

-
-
- Update Released: 14th October 2005
-
-
- Affects: - 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36

-

-
-low: - -PCRE overflow - -CVE-2005-2491 -

-An integer overflow flaw was found in PCRE, a Perl-compatible regular -expression library included within httpd. A local user who has the -ability to create .htaccess files could create a maliciously crafted -regular expression in such as way that they could gain the privileges -of a httpd child. -

-
-
- Update Released: 14th October 2005
-
-
- Affects: - 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-low: - -Malicious CRL off-by-one - -CVE-2005-1268 -

-An off-by-one stack overflow was discovered in the mod_ssl CRL -verification callback. In order to exploit this issue the Apache -server would need to be configured to use a malicious certificate -revocation list (CRL) -

-
-
- Update Released: 14th October 2005
-
-
- Affects: - 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-moderate: - -Byterange filter DoS - -CVE-2005-2728 -

-A flaw in the byterange filter would cause some responses to be buffered -into memory. If a server has a dynamic resource such as a CGI -script or PHP script which generates a large amount of data, an attacker -could send carefully crafted requests in order to consume resources, -potentially leading to a Denial of Service. -

-
-
- Update Released: 14th October 2005
-
-
- Affects: - 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-moderate: - -HTTP Request Spoofing - -CVE-2005-2088 -

-A flaw occured when using the Apache server as a HTTP proxy. A remote -attacker could send a HTTP request with both a "Transfer-Encoding: -chunked" header and a Content-Length header, causing Apache to -incorrectly handle and forward the body of the request in a way that -causes the receiving server to process it as a separate HTTP request. -This could allow the bypass of web application firewall protection or -lead to cross-site scripting (XSS) attacks. -

-
-
- Update Released: 14th October 2005
-
-
- Affects: - 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.53 - -
-
-
-
-important: - -Memory consumption DoS - -CVE-2004-0942 -

-An issue was discovered where the field length limit was not enforced -for certain malicious requests. This could allow a remote attacker who -is able to send large amounts of data to a server the ability to cause -Apache children to consume proportional amounts of memory, leading to -a denial of service. -

-
-
- Update Released: 8th February 2005
-
-
- Affects: - 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-low: - -mod_disk_cache stores sensitive headers - -CVE-2004-1834 -

-The experimental mod_disk_cache module stored client authentication -credentials for cached objects such as proxy authentication credentials -and Basic Authentication passwords on disk. -

-
-
- Update Released: 8th February 2005
-
-
- Affects: - 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-moderate: - -SSLCipherSuite bypass - -CVE-2004-0885 -

-An issue has been discovered in the mod_ssl module when configured to use -the "SSLCipherSuite" directive in directory or location context. If a -particular location context has been configured to require a specific set -of cipher suites, then a client will be able to access that location using -any cipher suite allowed by the virtual host configuration. -

-
-
- Update Released: 8th February 2005
-
-
- Affects: - 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.52 - -
-
-
-
-important: - -Basic authentication bypass - -CVE-2004-0811 -

-A flaw in Apache 2.0.51 (only) broke the merging of the Satisfy -directive which could result in access being granted to -resources despite any configured authentication -

-
-
- Update Released: 28th September 2004
-
-
- Affects: - 2.0.51

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.51 - -
-
-
-
-critical: - -IPv6 URI parsing heap overflow - -CVE-2004-0786 -

-Testing using the Codenomicon HTTP Test Tool performed by the Apache -Software Foundation security group and Red Hat uncovered an input -validation issue in the IPv6 URI parsing routines in the apr-util library. -If a remote attacker sent a request including a carefully crafted URI, an -httpd child process could be made to crash. One some BSD systems it -is believed this flaw may be able to lead to remote code execution. -

-
-
- Update Released: 15th September 2004
-
-
- Affects: - 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-important: - -SSL connection infinite loop - -CVE-2004-0748 -

-An issue was discovered in the mod_ssl module in Apache 2.0. -A remote attacker who forces an SSL connection to -be aborted in a particular state may cause an Apache child process to -enter an infinite loop, consuming CPU resources. -

-
-
- Update Released: 15th September 2004
-
-
- Affects: - 2.0.50, 2.0.49?, 2.0.48?, 2.0.47?, 2.0.46?, 2.0.45?, 2.0.44?, 2.0.43?, 2.0.42?, 2.0.40?, 2.0.39?, 2.0.37?, 2.0.36?, 2.0.35?

-

-
-low: - -Environment variable expansion flaw - -CVE-2004-0747 -

-The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the -expansion of environment variables during configuration file parsing. This -issue could allow a local user to gain the privileges of a httpd -child if a server can be forced to parse a carefully crafted .htaccess file -written by a local user. -

-
-
- Update Released: 15th September 2004
-
-
- Affects: - 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-low: - -Malicious SSL proxy can cause crash - -CVE-2004-0751 -

-An issue was discovered in the mod_ssl module in Apache 2.0.44-2.0.50 -which could be triggered if -the server is configured to allow proxying to a remote SSL server. A -malicious remote SSL server could force an httpd child process to crash by -sending a carefully crafted response header. This issue is not believed to -allow execution of arbitrary code and will only result in a denial -of service where a threaded process model is in use. -

-
-
- Update Released: 15th September 2004
-
-
- Affects: - 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44

-

-
-low: - -WebDAV remote crash - -CVE-2004-0809 -

-An issue was discovered in the mod_dav module which could be triggered -for a location where WebDAV authoring access has been configured. A -malicious remote client which is authorized to use the LOCK method -could force an httpd child process to crash by sending a particular -sequence of LOCK requests. This issue does not allow execution of -arbitrary code. and will only result in a denial of service where a -threaded process model is in use. -

-
-
- Update Released: 15th September 2004
-
-
- Affects: - 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.50 - -
-
-
-
-important: - -Header parsing memory leak - -CVE-2004-0493 -

-A memory leak in parsing of HTTP headers which can be triggered -remotely may allow a denial of service attack due to excessive memory -consumption. -

-
-
- Update Released: 1st July 2004
-
-
- Affects: - 2.0.49, 2.0.48?, 2.0.47?, 2.0.46?, 2.0.45?, 2.0.44?, 2.0.43?, 2.0.42?, 2.0.40?, 2.0.39?, 2.0.37?, 2.0.36?, 2.0.35?

-

-
-low: - -FakeBasicAuth overflow - -CVE-2004-0488 -

-A buffer overflow in the mod_ssl FakeBasicAuth code could be exploited -by an attacker using a (trusted) client certificate with a subject DN -field which exceeds 6K in length. -

-
-
- Update Released: 1st July 2004
-
-
- Affects: - 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.49 - -
-
-
-
-important: - -listening socket starvation - -CVE-2004-0174 -

-A starvation issue on listening sockets occurs when a short-lived -connection on a rarely-accessed listening socket will cause a child to -hold the accept mutex and block out new connections until another -connection arrives on that rarely-accessed listening socket. This -issue is known to affect some versions of AIX, Solaris, and Tru64; it -is known to not affect FreeBSD or Linux. - -

-
-
- Update Released: 19th March 2004
-
-
- Affects: - 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-important: - -mod_ssl memory leak - -CVE-2004-0113 -

-A memory leak in mod_ssl allows a remote denial of service attack -against an SSL-enabled server by sending plain HTTP requests to the -SSL port. -

-
-
- Update Released: 19th March 2004
-
-
- Affects: - 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-low: - -Error log escape filtering - -CVE-2003-0020 -

-Apache does not filter terminal escape sequences from error logs, -which could make it easier for attackers to insert those sequences -into terminal emulators containing vulnerabilities related to escape -sequences. -

-
-
- Update Released: 19th March 2004
-
-
- Affects: - 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.48 - -
-
-
-
-low: - -Local configuration regular expression overflow - -CVE-2003-0542 -

-By using a regular expression with more than 9 captures a buffer -overflow can occur in mod_alias or mod_rewrite. To exploit this an -attacker would need to be able to create a carefully crafted configuration -file (.htaccess or httpd.conf) -

-
-
- Update Released: 27th October 2003
-
-
- Affects: - 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-moderate: - -CGI output information leak - -CVE-2003-0789 -

-A bug in mod_cgid mishandling of CGI redirect paths can result in -CGI output going to the wrong client when a threaded MPM -is used. -

-
-
- Update Released: 27th October 2003
-
-
- Affects: - 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.47 - -
-
-
-
-important: - -Remote DoS with multiple Listen directives - -CVE-2003-0253 -

-In a server with multiple listening sockets a certain error returned -by accept() on a rarely access port can cause a temporary denial of -service, due to a bug in the prefork MPM. -

-
-
- Update Released: 9th July 2003
-
-
- Affects: - 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-low: - -mod_ssl renegotiation issue - -CVE-2003-0192 -

-A bug in the optional renegotiation code in mod_ssl included with -Apache httpd can cause cipher suite restrictions to be ignored. -This is triggered if optional renegotiation is used (SSLOptions -+OptRenegotiate) along with verification of client certificates -and a change to the cipher suite over the renegotiation. -

-
-
- Update Released: 9th July 2003
-
-
- Affects: - 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-moderate: - -Remote DoS via IPv6 ftp proxy - -CVE-2003-0254 -

-When a client requests that proxy ftp connect to a ftp server with -IPv6 address, and the proxy is unable to create an IPv6 socket, -an infinite loop occurs causing a remote Denial of Service. -

-
-
- Update Released: 9th July 2003
-
-
- Affects: - 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.46 - -
-
-
-
-critical: - -APR remote crash - -CVE-2003-0245 -

-A vulnerability in the apr_psprintf function in the Apache Portable -Runtime (APR) library allows remote -attackers to cause a denial of service (crash) and possibly execute -arbitrary code via long strings, as demonstrated using XML objects to -mod_dav, and possibly other vectors. -

-
-
- Update Released: 28th May 2003
-
-
- Affects: - 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37

-

-
-important: - -Basic Authentication DoS - -CVE-2003-0189 -

-A build system problem in Apache 2.0.40 through 2.0.45 allows remote attackers -to cause a denial of access to authenticated content when a threaded -server is used. -

-
-
- Update Released: 28th May 2003
-
-
- Affects: - 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40

-

-
-important: - -OS2 device name DoS - -CVE-2003-0134 -

-Apache on OS2 up to and including Apache 2.0.45 -have a Denial of Service vulnerability caused by -device names. -

-
-
- Update Released: 28th May 2003
-
-
- Affects: - 2.0.45, 2.0.44?, 2.0.43?, 2.0.42?, 2.0.40?, 2.0.39?, 2.0.37?, 2.0.36?, 2.0.35?

-

-
-low: - -Filtered escape sequences - -CVE-2003-0083 -

-Apache did not filter terminal escape sequences from its -access logs, which could make it easier for attackers to insert those -sequences into terminal emulators containing vulnerabilities related -to escape sequences. -

-
-
- Update Released: 2nd April 2004
-
-
- Affects: - 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.45 - -
-
-
-
-important: - -Line feed memory leak DoS - -CVE-2003-0132 -

-Apache 2.0 versions before Apache 2.0.45 had a significant Denial of -Service vulnerability. Remote attackers could cause a denial of service -(memory consumption) via large chunks of linefeed characters, which -causes Apache to allocate 80 bytes for each linefeed. -

-
-
- Update Released: 2nd April 2004
-
-
- Affects: - 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.44 - -
-
-
-
-critical: - -MS-DOS device name filtering - -CVE-2003-0016 -

On Windows platforms Apache did not -correctly filter MS-DOS device names which -could lead to denial of service attacks or remote code execution. -

-
-
- Update Released: 20th January 2003
-
-
- Affects: - 2.0.43, 2.0.42?, 2.0.40?, 2.0.39?, 2.0.37?, 2.0.36?, 2.0.35?

-

-
-important: - -Apache can serve unexpected files - -CVE-2003-0017 -

-On Windows platforms Apache could be forced to serve unexpected files -by appending illegal characters such as '<' to the request URL -

-
-
- Update Released: 20th January 2003
-
-
- Affects: - 2.0.43, 2.0.42?, 2.0.40?, 2.0.39?, 2.0.37?, 2.0.36?, 2.0.35?

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.43 - -
-
-
-
-low: - -Error page XSS using wildcard DNS - -CVE-2002-0840 -

Cross-site scripting (XSS) vulnerability in the default error page of -Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when -UseCanonicalName is "Off" and support for wildcard DNS is present, -allows remote attackers to execute script as other web page visitors -via the Host: header.

-
-
- Update Released: 3rd October 2002
-
-
- Affects: - 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-moderate: - -CGI scripts source revealed using WebDAV - -CVE-2002-1156 -

In Apache 2.0.42 only, for a location where both WebDAV and CGI were -enabled, a POST request to a CGI script would reveal the CGI source to -a remote user.

-
-
- Update Released: 3rd October 2002
-
-
- Affects: - 2.0.42

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.42 - -
-
-
-
-moderate: - -mod_dav crash - -CVE-2002-1593 -

-A flaw was found in handling of versioning hooks in mod_dav. An attacker -could send a carefully crafted request in such a way to cause the child -process handling the connection to crash. This issue will only result -in a denial of service where a threaded process model is in use. -

-
-
- Update Released: 24th September 2002
-
-
- Affects: - 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.40 - -
-
-
-
-important: - -Path vulnerability - -CVE-2002-0661 -

Certain URIs would bypass security -and allow users to invoke or access any file depending on the system -configuration. Affects Windows, OS2, Netware and Cygwin platforms -only.

-
-
- Update Released: 9th August 2002
-
-
- Affects: - 2.0.39, 2.0.37, 2.0.36, 2.0.35

-

-
-low: - -Path revealing exposures - -CVE-2002-0654 -

A path-revealing exposure was present in multiview type -map negotiation (such as the default error documents) where a -module would report the full path of the typemapped .var file when -multiple documents or no documents could be served. -Additionally a path-revealing exposure in cgi/cgid when Apache -fails to invoke a script. The modules would report "couldn't create -child process /path-to-script/script.pl" revealing the full path -of the script.

-
-
- Update Released: 9th August 2002
-
-
- Affects: - 2.0.39, 2.0.37?, 2.0.36?, 2.0.35?

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.37 - -
-
-
-
-critical: - -Apache Chunked encoding vulnerability - -CVE-2002-0392 -

Malicious requests can cause various effects -ranging from a relatively harmless increase in -system resources through to denial of service attacks and in some -cases the ability to execute arbitrary remote code.

-
-
- Update Released: 18th June 2002
-
-
- Affects: - 2.0.36, 2.0.35

-

-
-
-
- - - -
- - Fixed in Apache httpd 2.0.36 - -
-
-
-
-low: - -Warning messages could be displayed to users - -CVE-2002-1592 -

-In some cases warning messages could get returned to end users in -addition to being recorded in the error log. This could reveal the -path to a CGI script for example, a minor security exposure. -

-
-
- Update Released: 8th May 2002
-
-
- Affects: - 2.0.35

-

-
-
-
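Review bot: every line in this hunk is a `-` deletion with no `+` replacement, so the entire 2.0.x advisory history of the generated page is removed, from "Fixed in Apache httpd 2.0.48" (CVE-2003-0542) down to "Fixed in Apache httpd 2.0.36" (CVE-2002-1592). For a generated security page that reads as a build that lost its source rather than a rebuild; please confirm the generator still finds the XML it builds this page from before committing the output, otherwise the public page will list no 2.0 advisories at all. If the entries are regenerated, two defects in the deleted text are worth correcting at the source: the "Update Released: 2nd April 2004" date on CVE-2003-0083 and CVE-2003-0132 is out of sequence with the neighbouring releases (2.0.46 is dated 28th May 2003 and 2.0.44 is dated 20th January 2003), and "a rarely access port" in the CVE-2003-0253 text should read "a rarely accessed port".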
Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html URL: http://svn.apache.org/viewcvs/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=398494&r1=398493&r2=398494&view=diff ============================================================================== --- httpd/site/trunk/docs/security/vulnerabilities_22.html (original) +++ httpd/site/trunk/docs/security/vulnerabilities_22.html Sun Apr 30 18:32:18 2006 @@ -78,37 +78,6 @@ - - - -
- - Fixed in Apache httpd 2.2.1-dev - -
-
-
-
-moderate: - -mod_imap Referer Cross-Site Scripting - -CVE-2005-3352 -

-A flaw in mod_imap when using the Referer directive with image maps. -In certain site configurations a remote attacker could perform a cross-site -scripting attack if a victim can be forced to visit a malicious -URL using certain web browsers. -

-
-
-
- Affects: - 2.2.0

-

-
-
-
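Review bot: this hunk removes the only entry on the generated 2.2 page (CVE-2005-3352, mod_imap Referer Cross-Site Scripting, affecting 2.2.0) and the `@@ -78,37 +78,6 @@` header shows nothing is added in its place, so the rebuilt vulnerabilities_22.html will list no 2.2 advisories. Since this is generated output, the change needs to be checked against the source it is built from rather than edited here. Note also that the deleted entry has an empty "Update Released" line where the 2.0 entries on this page each carry a date; if the entry is restored, the release date for the 2.2.1-dev fix should be filled in.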
Modified: httpd/site/trunk/xdocs/security/vulnerabilities_22.xml URL: http://svn.apache.org/viewcvs/httpd/site/trunk/xdocs/security/vulnerabilities_22.xml?rev=398494&r1=398493&r2=398494&view=diff ============================================================================== --- httpd/site/trunk/xdocs/security/vulnerabilities_22.xml (original) +++ httpd/site/trunk/xdocs/security/vulnerabilities_22.xml Sun Apr 30 18:32:18 2006 @@ -19,28 +19,5 @@ these vulnerabilities to the Security Team.

-
-Fixed in Apache httpd 2.2.1-dev -
-
-moderate: - -mod_imap Referer Cross-Site Scripting - -CVE-2005-3352 -

-A flaw in mod_imap when using the Referer directive with image maps. -In certain site configurations a remote attacker could perform a cross-site -scripting attack if a victim can be forced to visit a malicious -URL using certain web browsers. -

-
-
-
- Affects: - 2.2.0

-

-
-
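Review bot: this hunk deletes the CVE-2005-3352 entry from the XML source itself (`@@ -19,28 +19,5 @@`, nothing added), which is a change to the advisory record rather than a rebuild of generated files. A source deletion like this belongs in its own commit with a log message stating why the entry is removed (reclassified, moved to another version's page, or withdrawn), otherwise the public 2.2 page silently drops a published advisory for a released version (2.2.0). The removed entry also never had its "Update Released" date populated; if it is re-added, that field should be completed.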