From wr...@apache.org
Subject svn commit: r1024392 - /httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
Date Tue, 19 Oct 2010 20:13:08 GMT
Author: wrowe
Date: Tue Oct 19 20:13:08 2010
New Revision: 1024392

URL: http://svn.apache.org/viewvc?rev=1024392&view=rev
Log:
Researchers, please verify these older issues do date back all the way
to 2.0.35, or modify the applies lists as appropriate.  For some reason
the original recorders had failed to note the applicable httpd 2.0 revs.

The incidents CVE-2009-3555 (OpenSSL), CVE-2010-1623 (apr-util), and
CVE-2009-3560 & CVE-2009-3720 (expat) are all still missing from
our documentation; it seems these should be documented here as well.


Modified:
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=1024392&r1=1024391&r2=1024392&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Tue Oct 19 20:13:08
2010
@@ -1,4 +1,4 @@
-<security updated="20100726">
+<security updated="20101019">
 
 <issue fixed="2.2.16" reported="20100504" public="20100725" released="20100725">
 <cve name="CVE-2010-1452"/>
@@ -35,6 +35,47 @@ This issue was reported by Mark Drayton.
 </issue>
 
 
+<issue fixed="2.0.64" reported="20100504" public="20100725" released="20101019">
+<cve name="CVE-2010-1452"/>
+<severity level="4">low</severity>
+<title>mod_dav DoS</title>
+<description><p>
+A flaw was found in the handling of requests by mod_dav.  A malicious remote
+attacker could send a carefully crafted request and cause a httpd child process
+to crash.  This crash would only be a denial of service if using the worker MPM.
+This issue is further mitigated as mod_dav is only affected by requests that are 
+most likely to be authenticated.
+</p>
+</description>
+<acknowledgements>
+This issue was reported by Mark Drayton.
+</acknowledgements>
+<affects prod="httpd" version="2.0.63"/>
+<affects prod="httpd" version="2.0.61"/>
+<affects prod="httpd" version="2.0.59"/>
+<affects prod="httpd" version="2.0.58"/>
+<affects prod="httpd" version="2.0.55"/>
+<affects prod="httpd" version="2.0.54"/>
+<affects prod="httpd" version="2.0.53"/>
+<affects prod="httpd" version="2.0.52"/>
+<affects prod="httpd" version="2.0.51"/>
+<affects prod="httpd" version="2.0.50"/>
+<affects prod="httpd" version="2.0.49"/>
+<affects prod="httpd" version="2.0.48"/>
+<affects prod="httpd" version="2.0.47"/>
+<affects prod="httpd" version="2.0.46"/>
+<affects prod="httpd" version="2.0.45"/>
+<affects prod="httpd" version="2.0.44"/>
+<affects prod="httpd" version="2.0.43"/>
+<affects prod="httpd" version="2.0.42"/>
+<affects prod="httpd" version="2.0.40"/>
+<affects prod="httpd" version="2.0.39"/>
+<affects prod="httpd" version="2.0.37"/>
+<affects prod="httpd" version="2.0.36"/>
+<affects prod="httpd" version="2.0.35"/>
+</issue>
+
+
 <issue fixed="2.2.16" reported="20100609" public="20100609" released="20100725">
 <cve name="CVE-2010-2068"/>
 <severity level="2">important</severity>
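Review bot: The `<affects>` list of the new CVE-2010-1452 entry (the run from `version="2.0.63"` down to `version="2.0.35"`) is the same unverified 2.0.x enumeration that the commit log itself asks researchers to confirm, and the identical list is pasted into the new CVE-2009-2412 and CVE-2009-1891 entries in the next two hunks. Each of those three issues was fixed in 2.0.64, but the version at which each flaw was introduced is not established anywhere in the diff, so the earliest affected release should be checked per issue rather than inherited from the mod_proxy_ftp entries later in the file. Until that is done, a short XML comment on each copied list, such as `<!-- TODO(review): affects range copied from sibling entries; oldest affected 2.0.x release not verified -->`, would keep the uncertainty visible to the next editor. The new entry also repeats `<cve name="CVE-2010-1452"/>` from the 2.2.16 entry just above the hunk, which appears to be the file's per-branch convention rather than a duplicate.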
@@ -270,6 +311,43 @@ in a vulnerable way.
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
+<issue fixed="2.0.64" reported="20090727" public="20090804" released="20101019">
+<cve name="CVE-2009-2412"/>
+<severity level="4">low</severity>
+<title>APR apr_palloc heap overflow</title>
+<description><p>
+A flaw in apr_palloc() in the bundled copy of APR could
+cause heap overflows in programs that try to apr_palloc() a user
+controlled size.  The Apache HTTP Server itself does not pass 
+unsanitized user-provided sizes to this function, so it could only
+be triggered through some other application which uses apr_palloc()
+in a vulnerable way.
+</p></description>
+<affects prod="httpd" version="2.0.63"/>
+<affects prod="httpd" version="2.0.61"/>
+<affects prod="httpd" version="2.0.59"/>
+<affects prod="httpd" version="2.0.58"/>
+<affects prod="httpd" version="2.0.55"/>
+<affects prod="httpd" version="2.0.54"/>
+<affects prod="httpd" version="2.0.53"/>
+<affects prod="httpd" version="2.0.52"/>
+<affects prod="httpd" version="2.0.51"/>
+<affects prod="httpd" version="2.0.50"/>
+<affects prod="httpd" version="2.0.49"/>
+<affects prod="httpd" version="2.0.48"/>
+<affects prod="httpd" version="2.0.47"/>
+<affects prod="httpd" version="2.0.46"/>
+<affects prod="httpd" version="2.0.45"/>
+<affects prod="httpd" version="2.0.44"/>
+<affects prod="httpd" version="2.0.43"/>
+<affects prod="httpd" version="2.0.42"/>
+<affects prod="httpd" version="2.0.40"/>
+<affects prod="httpd" version="2.0.39"/>
+<affects prod="httpd" version="2.0.37"/>
+<affects prod="httpd" version="2.0.36"/>
+<affects prod="httpd" version="2.0.35"/>
+</issue>
+
 <issue fixed="2.2.12" public="20090424" released="200900727">
 <cve name="CVE-2009-1956"/>
 <severity level="3">moderate</severity>
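Review bot: The new CVE-2009-2412 entry has no `<acknowledgements>` block and no `reported`-to-`public` note on where the apr_palloc flaw was disclosed, unlike the other entries in this file that carry both; if the 2.2.12 entry for the same CVE (outside this hunk) has an acknowledgements element, it should be mirrored here for consistency. Separately, the context line immediately after the insertion, `<issue fixed="2.2.12" public="20090424" released="200900727">`, carries a nine-digit `released` value that predates this commit but will not parse as a YYYYMMDD date; it is presumably meant to be `released="20090727"` and is worth fixing in a follow-up.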
@@ -341,6 +419,43 @@ file.</p></description>
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
+<issue fixed="2.0.64" public="20090626" reported="20090626" released="20101019">
+<cve name="CVE-2009-1891"/>
+<severity level="4">low</severity>
+<cvss>2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P</cvss>
+<title>mod_deflate DoS</title>
+<description><p>
+A denial of service flaw was found in the mod_deflate module. This
+module continued to compress large files until compression was
+complete, even if the network connection that requested the content
+was closed before compression completed. This would cause mod_deflate
+to consume large amounts of CPU if mod_deflate was enabled for a large
+file.</p></description>
+<affects prod="httpd" version="2.0.63"/>
+<affects prod="httpd" version="2.0.61"/>
+<affects prod="httpd" version="2.0.59"/>
+<affects prod="httpd" version="2.0.58"/>
+<affects prod="httpd" version="2.0.55"/>
+<affects prod="httpd" version="2.0.54"/>
+<affects prod="httpd" version="2.0.53"/>
+<affects prod="httpd" version="2.0.52"/>
+<affects prod="httpd" version="2.0.51"/>
+<affects prod="httpd" version="2.0.50"/>
+<affects prod="httpd" version="2.0.49"/>
+<affects prod="httpd" version="2.0.48"/>
+<affects prod="httpd" version="2.0.47"/>
+<affects prod="httpd" version="2.0.46"/>
+<affects prod="httpd" version="2.0.45"/>
+<affects prod="httpd" version="2.0.44"/>
+<affects prod="httpd" version="2.0.43"/>
+<affects prod="httpd" version="2.0.42"/>
+<affects prod="httpd" version="2.0.40"/>
+<affects prod="httpd" version="2.0.39"/>
+<affects prod="httpd" version="2.0.37"/>
+<affects prod="httpd" version="2.0.36"/>
+<affects prod="httpd" version="2.0.35"/>
+</issue>
+
 <issue fixed="2.2.12" public="20090702" reported="20090630" released="20090727">
 <cve name="CVE-2009-1890"/>
 <severity level="2">important</severity>
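Review bot: The new CVE-2009-1891 (mod_deflate) entry lists every 2.0.x release back to `version="2.0.35"` as affected, but mod_deflate was not necessarily present in the earliest 2.0 releases, so the entries for 2.0.35 through the first release that shipped the module may be spurious; this needs checking against the 2.0 CHANGES file before the page is published. This entry is also the only one of the three added in this commit that carries a `<cvss>` element (`2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P`), while the CVE-2010-1452 and CVE-2009-2412 entries in the earlier hunks have none; either add CVSS vectors to those or note why they are omitted so the published table is uniform.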
@@ -459,7 +574,7 @@ globally configure:</p>
 <affects prod="httpd" version="2.2.9"/>
 </issue>
 
-<issue fixed="2.0.64-dev" reported="20090903" public="20090803" released="">
+<issue fixed="2.0.64" reported="20090903" public="20090803" released="20101019">
 <cve name="CVE-2009-3095"/>
 <severity level="4">low</severity>
 <title>mod_proxy_ftp FTP command injection</title>
@@ -495,7 +610,7 @@ to the FTP server.
 <affects prod="httpd" version="2.0.35"/>
 </issue>
 
-<issue fixed="2.0.64-dev" reported="20090904" public="20090802" released="">
+<issue fixed="2.0.64" reported="20090904" public="20090802" released="20101019">
 <cve name="CVE-2009-3094"/>
 <severity level="4">low</severity>
 <title>mod_proxy_ftp DoS</title>
@@ -531,7 +646,7 @@ service.
 <affects prod="httpd" version="2.0.35"/>
 </issue>
 
-<issue fixed="2.0.64-dev" reported="20091209" public="20091209" released="">
+<issue fixed="2.0.64" reported="20091209" public="20091209" released="20101019">
 <cve name="CVE-2010-0434"/>
 <severity level="4">low</severity>
 <title>Subrequest handling of request headers (mod_headers)</title>
@@ -576,7 +691,7 @@ fix for this issue.
 <affects prod="httpd" version="2.0.35"/>
 </issue>
 
-<issue fixed="2.0.64-dev" public="20100302" reported="20100209" released="">
+<issue fixed="2.0.64" public="20100302" reported="20100209" released="20101019">
 <cve name="CVE-2010-0425"/>
 <severity level="2">important</severity>
 <title>mod_isapi module unload flaw</title>
@@ -615,7 +730,7 @@ proposing a patch fix for this issue.
 <affects prod="httpd" version="2.0.37"/>
 </issue>
 
-<issue fixed="2.0.64-dev" public="20080610" reported="20080529" released="">
+<issue fixed="2.0.64" public="20080610" reported="20080529" released="20101019">
 <cve name="CVE-2008-2364"/>
 <severity level="3">moderate</severity>
 <title>mod_proxy_http DoS</title>
@@ -648,7 +763,7 @@ could cause a denial of service or high 
 <affects prod="httpd" version="2.0.35"/>
 </issue>
 
-<issue fixed="2.0.64-dev" public="20080805" reported="20080728" released="">
+<issue fixed="2.0.64" public="20080805" reported="20080728" released="20101019">
 <cve name="CVE-2008-2939"/>
 <severity level="4">low</severity>
 <title>mod_proxy_ftp globbing XSS</title>


