httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m..@apache.org
Subject svn commit: r1025526 - in /httpd/site/trunk/docs/security: vulnerabilities-oval.xml vulnerabilities_20.html vulnerabilities_22.html
Date Wed, 20 Oct 2010 12:10:22 GMT
Author: mjc
Date: Wed Oct 20 12:10:22 2010
New Revision: 1025526

URL: http://svn.apache.org/viewvc?rev=1025526&view=rev
Log:
Make pages with updates

Modified:
    httpd/site/trunk/docs/security/vulnerabilities-oval.xml
    httpd/site/trunk/docs/security/vulnerabilities_20.html
    httpd/site/trunk/docs/security/vulnerabilities_22.html

Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=1025526&r1=1025525&r2=1025526&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Wed Oct 20 12:10:22 2010
@@ -5,6 +5,194 @@
 <oval:timestamp>2005-10-12T18:13:45</oval:timestamp>
 </generator>
 <definitions>
+<definition id="oval:org.apache.httpd:def:20093720" version="1" class="vulnerability">
+<metadata>
+<title>expat DoS</title>
+<reference source="CVE" ref_id="CVE-2009-3720" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720"/>
+<description>
+A buffer over-read flaw was found in the bundled expat
+library.  An attacker who is able to get Apache to parse
+an untrused XML document (for example through mod_dav) may
+be able to cause a crash.  This crash would only                                        
                                                                         
+be a denial of service if using the worker MPM.
+</description>
+<apache_httpd_repository>
+<public>20090117</public>
+<reported>20090821</reported>
+<released>20101019</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2216" comment="the version of httpd is
2.2.16"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2215" comment="the version of httpd is
2.2.15"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2214" comment="the version of httpd is
2.2.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2213" comment="the version of httpd is
2.2.13"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2212" comment="the version of httpd is
2.2.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2211" comment="the version of httpd is
2.2.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2210" comment="the version of httpd is
2.2.10"/>
+<criterion test_ref="oval:org.apache.httpd:tst:229" comment="the version of httpd is 2.2.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:228" comment="the version of httpd is 2.2.8"/>
+<criterion test_ref="oval:org.apache.httpd:tst:226" comment="the version of httpd is 2.2.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:225" comment="the version of httpd is 2.2.5"/>
+<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2063" comment="the version of httpd is
2.0.63"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2061" comment="the version of httpd is
2.0.61"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2059" comment="the version of httpd is
2.0.59"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2058" comment="the version of httpd is
2.0.58"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2055" comment="the version of httpd is
2.0.55"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is
2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is
2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is
2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is
2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is
2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is
2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is
2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is
2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is
2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is
2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is
2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is
2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is
2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is
2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is
2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is
2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is
2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is
2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20093560" version="1" class="vulnerability">
+<metadata>
+<title>expat DoS</title>
+<reference source="CVE" ref_id="CVE-2009-3560" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560"/>
+<description>
+A buffer over-read flaw was found in the bundled expat
+library.  An attacker who is able to get Apache to parse
+an untrused XML document (for example through mod_dav) may
+be able to cause a crash.  This crash would only                                        
                                                                         
+be a denial of service if using the worker MPM.
+</description>
+<apache_httpd_repository>
+<public>20091202</public>
+<reported/>
+<released>20101019</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2216" comment="the version of httpd is
2.2.16"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2215" comment="the version of httpd is
2.2.15"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2214" comment="the version of httpd is
2.2.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2213" comment="the version of httpd is
2.2.13"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2212" comment="the version of httpd is
2.2.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2211" comment="the version of httpd is
2.2.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2210" comment="the version of httpd is
2.2.10"/>
+<criterion test_ref="oval:org.apache.httpd:tst:229" comment="the version of httpd is 2.2.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:228" comment="the version of httpd is 2.2.8"/>
+<criterion test_ref="oval:org.apache.httpd:tst:226" comment="the version of httpd is 2.2.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:225" comment="the version of httpd is 2.2.5"/>
+<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2063" comment="the version of httpd is
2.0.63"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2061" comment="the version of httpd is
2.0.61"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2059" comment="the version of httpd is
2.0.59"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2058" comment="the version of httpd is
2.0.58"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2055" comment="the version of httpd is
2.0.55"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is
2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is
2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is
2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is
2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is
2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is
2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is
2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is
2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is
2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is
2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is
2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is
2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is
2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is
2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is
2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is
2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is
2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is
2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20101623" version="1" class="vulnerability">
+<metadata>
+<title>apr_bridage_split_line DoS</title>
+<reference source="CVE" ref_id="CVE-2010-1623" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623"/>
+<description>
+A flaw was found in the apr_brigade_split_line() function of the bundled
+APR-util library, used to process non-SSL requests.  A remote attacker
+could send carefully crafted requests which would slowly consume
+memory, potentially leading to a denial of service.
+</description>
+<apache_httpd_repository>
+<public>20101001</public>
+<reported>20100303</reported>
+<released>20101019</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2216" comment="the version of httpd is
2.2.16"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2215" comment="the version of httpd is
2.2.15"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2214" comment="the version of httpd is
2.2.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2213" comment="the version of httpd is
2.2.13"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2212" comment="the version of httpd is
2.2.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2211" comment="the version of httpd is
2.2.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2210" comment="the version of httpd is
2.2.10"/>
+<criterion test_ref="oval:org.apache.httpd:tst:229" comment="the version of httpd is 2.2.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:228" comment="the version of httpd is 2.2.8"/>
+<criterion test_ref="oval:org.apache.httpd:tst:226" comment="the version of httpd is 2.2.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:225" comment="the version of httpd is 2.2.5"/>
+<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2063" comment="the version of httpd is
2.0.63"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2061" comment="the version of httpd is
2.0.61"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2059" comment="the version of httpd is
2.0.59"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2058" comment="the version of httpd is
2.0.58"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2055" comment="the version of httpd is
2.0.55"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is
2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is
2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is
2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is
2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is
2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is
2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is
2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is
2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is
2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is
2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is
2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is
2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is
2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is
2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is
2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is
2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is
2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is
2.0.35"/>
+</criteria>
+</criteria>
+</definition>
 <definition id="oval:org.apache.httpd:def:20101452" version="1" class="vulnerability">
 <metadata>
 <title>mod_cache and mod_dav DoS</title>
@@ -3715,6 +3903,10 @@ a constant rate, since the attacker has 
 </definition>
 </definitions>
 <tests>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:2216"
version="1" comment="the version of httpd is 2.2.16" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:2216"/>
+</httpd_test>
 <httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:2215"
version="1" comment="the version of httpd is 2.2.15" check="at least one">
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:2215"/>
@@ -3992,6 +4184,9 @@ a constant rate, since the attacker has 
 </httpd_object>
 </objects>
 <states>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2216"
version="1" comment="the version of httpd is 2.2.16">
+<version operation="equals" datatype="version">2.2.16</version>
+</httpd_state>
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2215"
version="1" comment="the version of httpd is 2.2.15">
 <version operation="equals" datatype="version">2.2.15</version>
 </httpd_state>

Modified: httpd/site/trunk/docs/security/vulnerabilities_20.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_20.html?rev=1025526&r1=1025525&r2=1025526&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_20.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_20.html [utf-8] Wed Oct 20 12:10:22 2010
@@ -129,6 +129,68 @@ proposing a patch fix for this issue.
 <dd>
 <b>low: </b>
 <b>
+<name name="CVE-2009-3720">expat DoS</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720">CVE-2009-3720</a>
+<p>
+A buffer over-read flaw was found in the bundled expat
+library.  An attacker who is able to get Apache to parse
+an untrused XML document (for example through mod_dav) may
+be able to cause a crash.  This crash would only                                        
                                                                         
+be a denial of service if using the worker MPM.
+</p>
+</dd>
+<dd>
+  Update Released: 19th October 2010<br />
+</dd>
+<dd>
+      Affects: 
+    2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49,
2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p
/>
+</dd>
+<dd>
+<b>low: </b>
+<b>
+<name name="CVE-2009-3560">expat DoS</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560">CVE-2009-3560</a>
+<p>
+A buffer over-read flaw was found in the bundled expat
+library.  An attacker who is able to get Apache to parse
+an untrused XML document (for example through mod_dav) may
+be able to cause a crash.  This crash would only                                        
                                                                         
+be a denial of service if using the worker MPM.
+</p>
+</dd>
+<dd>
+  Update Released: 19th October 2010<br />
+</dd>
+<dd>
+      Affects: 
+    2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49,
2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p
/>
+</dd>
+<dd>
+<b>low: </b>
+<b>
+<name name="CVE-2010-1623">apr_bridage_split_line DoS</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623">CVE-2010-1623</a>
+<p>
+A flaw was found in the apr_brigade_split_line() function of the bundled
+APR-util library, used to process non-SSL requests.  A remote attacker
+could send carefully crafted requests which would slowly consume
+memory, potentially leading to a denial of service.
+</p>
+</dd>
+<dd>
+  Update Released: 19th October 2010<br />
+</dd>
+<dd>
+      Affects: 
+    2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49,
2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p
/>
+</dd>
+<dd>
+<b>low: </b>
+<b>
 <name name="CVE-2010-1452">mod_dav DoS</name>
 </b>
 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452">CVE-2010-1452</a>

Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=1025526&r1=1025525&r2=1025526&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Wed Oct 20 12:10:22 2010
@@ -91,6 +91,83 @@ Team</a>.  </p>
  <tr>
  <td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="2.2.17"><strong>Fixed in Apache httpd 2.2.17</strong></a>
+  </font>
+ </td>
+ </tr>
+ <tr><td>
+  <blockquote>
+<dl>
+<dd>
+<b>low: </b>
+<b>
+<name name="CVE-2009-3720">expat DoS</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720">CVE-2009-3720</a>
+<p>
+A buffer over-read flaw was found in the bundled expat
+library.  An attacker who is able to get Apache to parse
+an untrused XML document (for example through mod_dav) may
+be able to cause a crash.  This crash would only                                        
                                                                         
+be a denial of service if using the worker MPM.
+</p>
+</dd>
+<dd>
+  Update Released: 19th October 2010<br />
+</dd>
+<dd>
+      Affects: 
+    2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4,
2.2.3, 2.2.2, 2.2.0<p />
+</dd>
+<dd>
+<b>low: </b>
+<b>
+<name name="CVE-2009-3560">expat DoS</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560">CVE-2009-3560</a>
+<p>
+A buffer over-read flaw was found in the bundled expat
+library.  An attacker who is able to get Apache to parse
+an untrused XML document (for example through mod_dav) may
+be able to cause a crash.  This crash would only                                        
                                                                         
+be a denial of service if using the worker MPM.
+</p>
+</dd>
+<dd>
+  Update Released: 19th October 2010<br />
+</dd>
+<dd>
+      Affects: 
+    2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4,
2.2.3, 2.2.2, 2.2.0<p />
+</dd>
+<dd>
+<b>low: </b>
+<b>
+<name name="CVE-2010-1623">apr_bridage_split_line DoS</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623">CVE-2010-1623</a>
+<p>
+A flaw was found in the apr_brigade_split_line() function of the bundled
+APR-util library, used to process non-SSL requests.  A remote attacker
+could send carefully crafted requests which would slowly consume
+memory, potentially leading to a denial of service.
+</p>
+</dd>
+<dd>
+  Update Released: 19th October 2010<br />
+</dd>
+<dd>
+      Affects: 
+    2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4,
2.2.3, 2.2.2, 2.2.0<p />
+</dd>
+</dl>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr>
+ <td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
    <a name="2.2.16"><strong>Fixed in Apache httpd 2.2.16</strong></a>
   </font>
  </td>



Mime
View raw message