httpd-cvs mailing list archives

From humbed...@apache.org
Subject svn commit: r1334737 - in /httpd/site/trunk/content/security: vulnerabilities_13.mdtext vulnerabilities_20.mdtext
Date Sun, 06 May 2012 18:48:34 GMT
Author: humbedooh
Date: Sun May  6 18:48:34 2012
New Revision: 1334737

URL: http://svn.apache.org/viewvc?rev=1334737&view=rev
Log:
aaand utf8 encode it

Modified:
    httpd/site/trunk/content/security/vulnerabilities_13.mdtext
    httpd/site/trunk/content/security/vulnerabilities_20.mdtext

Modified: httpd/site/trunk/content/security/vulnerabilities_13.mdtext
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities_13.mdtext?rev=1334737&r1=1334736&r2=1334737&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities_13.mdtext (original)
+++ httpd/site/trunk/content/security/vulnerabilities_13.mdtext Sun May  6 18:48:34 2012
@@ -1,4 +1,4 @@
-Title: Apache httpd 1.3 vulnerabilities
+Title: Apache httpd 1.3 vulnerabilities
 Notice:    Licensed to the Apache Software Foundation (ASF) under one
            or more contributor license agreements.  See the NOTICE file
            distributed with this work for additional information
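
Review bot: The removed and added Title lines at the top of this hunk read identically, so the byte-level change cannot be reviewed from this mail, and the log message ("aaand utf8 encode it") does not say what was re-encoded. Please state in the log which characters or bytes changed (for example, whether a byte-order mark was added at the start of the file), and consider recording the charset in the file's svn:mime-type property so the encoding does not silently regress.
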
@@ -50,8 +50,8 @@ No update of 1.3 will be released. Patch
 Acknowledgements: This issue was reported by Context Information Security
 Ltd
 
-:    Reported to security team: 16th September 2011<br></br>Issue public:
-     5th October 2011<br></br>
+:    Reported to security team: 16th September 2011<br></br>Issue public:
+     5th October 2011<br></br>
 :    Affected: 1.3.42, 1.3.41, 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34,
      1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24,
      1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6,
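
Review bot: The "<br></br>" pairs on the two re-encoded date lines are not a valid way to write a void element, and an HTML parser treats the stray "</br>" as a second "<br>", so each pair can render as two line breaks. Since these lines are being rewritten anyway, a single "<br/>" per break would be safer. The same pattern recurs on every date line in this commit.
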
@@ -68,9 +68,9 @@ malicious HTTP server to which requests 
 flaw to trigger a heap buffer overflow in an httpd child process via a
 carefully crafted response.
 
-:    Reported to security team: 30th December 2009<br></br>Issue public:
-     7th December 2010<br></br>Update released:
-     3rd February 2010<br></br>
+:    Reported to security team: 30th December 2009<br></br>Issue public:
+     7th December 2010<br></br>Update released:
+     3rd February 2010<br></br>
 :    Affected: 1.3.41, 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33,
      1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22,
      1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4,
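
Review bot: On the date lines of this hunk, "Update released: 3rd February 2010" is ten months earlier than "Issue public: 7th December 2010", while the report date is 30th December 2009. Please confirm the year of the public date against the advisory source while these lines are being touched. If the order is intentional, a short remark in the entry would keep readers from taking it for a typo.
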
@@ -86,9 +86,9 @@ scripting attack is possible. Note that 
 enabled by default and it is best practice to not make this publicly
 available.
 
-:    Reported to security team: 15th December 2007<br></br>Issue public:
-     2nd January 2008<br></br>Update released:
-     19th January 2008<br></br>
+:    Reported to security team: 15th December 2007<br></br>Issue public:
+     2nd January 2008<br></br>Update released:
+     19th January 2008<br></br>
 :    Affected: 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32,
      1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20,
      1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3,
@@ -100,9 +100,9 @@ A flaw was found in the mod_imap module.
 and an imagemap file is publicly available, a cross-site scripting attack
 is possible.
 
-:    Reported to security team: 23rd October 2007<br></br>Issue public:
-     11th December 2007<br></br>Update released:
-     19th January 2008<br></br>
+:    Reported to security team: 23rd October 2007<br></br>Issue public:
+     11th December 2007<br></br>Update released:
+     19th January 2008<br></br>
 :    Affected: 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32,
      1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20,
      1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3,
@@ -119,9 +119,9 @@ to a cross-site scripting attack. Note t
 enabled by default and it is best practice to not make this publicly
 available.
 
-:    Reported to security team: 19th October 2006<br></br>Issue public:
-     20th June 2007<br></br>Update released:
-     7th September 2007<br></br>
+:    Reported to security team: 19th October 2006<br></br>Issue public:
+     20th June 2007<br></br>Update released:
+     7th September 2007<br></br>
 :    Affected: 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31,
      1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19,
      1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2
@@ -135,9 +135,9 @@ scripts on the HTTP server could manipul
 arbitrary processes to be terminated which could lead to a denial of
 service.
 
-:    Reported to security team: 15th May 2006<br></br>Issue public:
-     19th June 2007<br></br>Update released:
-     7th September 2007<br></br>
+:    Reported to security team: 15th May 2006<br></br>Issue public:
+     19th June 2007<br></br>Update released:
+     7th September 2007<br></br>
 :    Affected: 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31,
      1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19,
      1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2,
@@ -156,8 +156,8 @@ remotely. For vulnerable builds, the nat
 denial of service (crashing of web server processes) or potentially allow
 arbitrary code execution.
 
-:    Reported to security team: 21st July 2006<br></br>Issue public:
-     27th July 2006<br></br>Update released: 27th July 2006<br></br>
+:    Reported to security team: 21st July 2006<br></br>Issue public:
+     27th July 2006<br></br>Update released: 27th July 2006<br></br>
 :    Affected: 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29,
      1.3.28
 
@@ -173,8 +173,8 @@ Flash can set an arbitrary Expect header
 marked as a security issue for 2.0 or 2.2 as the cross-site scripting is
 only returned to the victim after the server times out a connection.
 
-:    Issue public: 8th May 2006<br></br>Update released:
-     1st May 2006<br></br>
+:    Issue public: 8th May 2006<br></br>Update released:
+     1st May 2006<br></br>
 :    Affected: 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27,
      1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12,
      1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3
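
Review bot: The date lines here put "Update released: 1st May 2006" a week before "Issue public: 8th May 2006". If the fix shipped ahead of disclosure that is fine, but it is worth checking the two dates against the release announcement before they are committed again under a new encoding.
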
@@ -187,8 +187,8 @@ certain site configurations a remote att
 scripting attack if a victim can be forced to visit a malicious URL using
 certain web browsers.
 
-:    Reported to security team: 1st November 2005<br></br>Issue public:
-     12th December 2005<br></br>Update released: 1st May 2006<br></br>
+:    Reported to security team: 1st November 2005<br></br>Issue public:
+     12th December 2005<br></br>Update released: 1st May 2006<br></br>
 :    Affected: 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27,
      1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12,
      1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
@@ -202,8 +202,8 @@ A buffer overflow in mod_include could a
 to create server side include (SSI) files to gain the privileges of a httpd
 child.
 
-:    Issue public: 21st October 2004<br></br>Update released:
-     28th October 2004<br></br>
+:    Issue public: 21st October 2004<br></br>Update released:
+     28th October 2004<br></br>
 :    Affected: 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24,
      1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6,
      1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
@@ -222,8 +222,8 @@ not represent a significant Denial of Se
 continue to be handled by other Apache child processes. This issue may lead
 to remote arbitrary code execution on some BSD platforms.
 
-:    Reported to security team: 8th June 2003<br></br>Issue public:
-     10th June 2003<br></br>Update released: 20th October 2004<br></br>
+:    Reported to security team: 8th June 2003<br></br>Issue public:
+     10th June 2003<br></br>Update released: 20th October 2004<br></br>
 :    Affected: 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26
 
 # Fixed in Apache httpd 1.3.31 # {#1.3.31}
@@ -238,8 +238,8 @@ arrives on that rarely-accessed listenin
 affect some versions of AIX, Solaris, and Tru64; it is known to not affect
 FreeBSD or Linux.
 
-:    Reported to security team: 25th February 2004<br></br>Issue public:
-     18th March 2004<br></br>Update released: 12th May 2004<br></br>
+:    Reported to security team: 25th February 2004<br></br>Issue public:
+     18th March 2004<br></br>Update released: 12th May 2004<br></br>
 :    Affected: 1.3.29, 1.3.28?, 1.3.27?, 1.3.26?, 1.3.24?, 1.3.22?,
      1.3.20?, 1.3.19?, 1.3.17?, 1.3.14?, 1.3.12?, 1.3.11?, 1.3.9?, 1.3.6?,
      1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?
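
Review bot: The Affected list in the trailing context marks every version except 1.3.29 with a "?" ("1.3.28?, 1.3.27?, ..."), and nothing in the visible text says what the marker means. A one-line legend near the top of the page would let readers judge whether those versions need the same attention as the unmarked one.
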
@@ -250,8 +250,8 @@ FreeBSD or Linux.
 A bug in the parsing of Allow/Deny rules using IP addresses without a
 netmask on big-endian 64-bit platforms causes the rules to fail to match.
 
-:    Issue public: 15th October 2003<br></br>Update released:
-     12th May 2004<br></br>
+:    Issue public: 15th October 2003<br></br>Update released:
+     12th May 2004<br></br>
 :    Affected: 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20,
      1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3,
      1.3.2, 1.3.1, 1.3.0
@@ -263,8 +263,8 @@ Apache does not filter terminal escape s
 could make it easier for attackers to insert those sequences into terminal
 emulators containing vulnerabilities related to escape sequences.
 
-:    Issue public: 24th February 2003<br></br>Update released:
-     12th May 2004<br></br>
+:    Issue public: 24th February 2003<br></br>Update released:
+     12th May 2004<br></br>
 :    Affected: 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20,
      1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3,
      1.3.2, 1.3.1, 1.3.0
@@ -279,8 +279,8 @@ protection. Note that mod_digest impleme
 Digest Authentication specification which is known not to work with modern
 browsers. This issue does not affect mod_auth_digest.
 
-:    Issue public: 18th December 2003<br></br>Update released:
-     12th May 2004<br></br>
+:    Issue public: 18th December 2003<br></br>Update released:
+     12th May 2004<br></br>
 :    Affected: 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20,
      1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3,
      1.3.2, 1.3.1, 1.3.0
@@ -295,9 +295,9 @@ can occur in mod_alias or mod_rewrite. T
 need to be able to create a carefully crafted configuration file (.htaccess
 or httpd.conf)
 
-:    Reported to security team: 4th August 2003<br></br>Issue public:
-     27th October 2003<br></br>Update released:
-     27th October 2003<br></br>
+:    Reported to security team: 4th August 2003<br></br>Issue public:
+     27th October 2003<br></br>Update released:
+     27th October 2003<br></br>
 :    Affected: 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19,
      1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2,
      1.3.1, 1.3.0
@@ -309,8 +309,8 @@ or httpd.conf)
 The rotatelogs support program on Win32 and OS/2 would quit logging and
 exit if it received special control characters such as 0x1A.
 
-:    Reported to security team: 4th July 2003<br></br>Issue public:
-     18th July 2003<br></br>Update released: 18th July 2003<br></br>
+:    Reported to security team: 4th July 2003<br></br>Issue public:
+     18th July 2003<br></br>Update released: 18th July 2003<br></br>
 :    Affected: 1.3.27, 1.3.26?, 1.3.24?, 1.3.22?, 1.3.20?, 1.3.19?,
      1.3.17?, 1.3.14?, 1.3.12?, 1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?,
      1.3.2?, 1.3.1?, 1.3.0?
@@ -323,9 +323,9 @@ exit if it received special control char
 Buffer overflows in the benchmarking utility ab could be exploited if ab is
 run against a malicious server
 
-:    Reported to security team: 23rd September 2002<br></br>Issue public:
-     3rd October 2002<br></br>Update released:
-     3rd October 2002<br></br>
+:    Reported to security team: 23rd September 2002<br></br>Issue public:
+     3rd October 2002<br></br>Update released:
+     3rd October 2002<br></br>
 :    Affected: 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14,
      1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
 
@@ -336,9 +336,9 @@ The permissions of the shared memory use
 attacker who can execute under the Apache UID to send a signal to any
 process as root or cause a local denial of service attack.
 
-:    Reported to security team: 11th November 2001<br></br>Issue public:
-     3rd October 2002<br></br>Update released:
-     3rd October 2002<br></br>
+:    Reported to security team: 11th November 2001<br></br>Issue public:
+     3rd October 2002<br></br>Update released:
+     3rd October 2002<br></br>
 :    Affected: 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14,
      1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
 
@@ -350,9 +350,9 @@ Apache 2.0 before 2.0.43, and 1.3.x up t
 "Off" and support for wildcard DNS is present, allows remote attackers to
 execute script as other web page visitors via the Host: header.
 
-:    Reported to security team: 20th September 2002<br></br>Issue public:
-     2nd October 2002<br></br>Update released:
-     3rd October 2002<br></br>
+:    Reported to security team: 20th September 2002<br></br>Issue public:
+     2nd October 2002<br></br>Update released:
+     3rd October 2002<br></br>
 :    Affected: 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14,
      1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
 
@@ -365,8 +365,8 @@ Requests to all versions of Apache 1.3 c
 from a relatively harmless increase in system resources through to denial
 of service attacks and in some cases the ability to be remotely exploited.
 
-:    Reported to security team: 27th May 2002<br></br>Issue public:
-     17th June 2002<br></br>Update released: 18th June 2002<br></br>
+:    Reported to security team: 27th May 2002<br></br>Issue public:
+     17th June 2002<br></br>Update released: 18th June 2002<br></br>
 :    Affected: 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12,
      1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
 
@@ -377,8 +377,8 @@ Apache does not filter terminal escape s
 which could make it easier for attackers to insert those sequences into
 terminal emulators containing vulnerabilities related to escape sequences,
 
-:    Issue public: 24th February 2003<br></br>Update released:
-     18th June 2002<br></br>
+:    Issue public: 24th February 2003<br></br>Update released:
+     18th June 2002<br></br>
 :    Affected: 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12,
      1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
 
@@ -390,7 +390,7 @@ terminal emulators containing vulnerabil
 Apache for Win32 before 1.3.24 and 2.0.34-beta allows remote attackers to
 execute arbitrary commands via parameters passed to batch file CGI scripts.
 
-:    Update released: 22nd March 2002<br></br>
+:    Update released: 22nd March 2002<br></br>
 :    Affected: 1.3.22, 1.3.20?, 1.3.19?, 1.3.17?, 1.3.14?, 1.3.12?,
      1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?
 
@@ -403,9 +403,9 @@ A vulnerability was found in the Win32 p
 submitting a very long URI could cause a directory listing to be returned
 rather than the default index page.
 
-:    Reported to security team: 18th September 2001<br></br>Issue public:
-     28th September 2001<br></br>Update released:
-     12th October 2001<br></br>
+:    Reported to security team: 18th September 2001<br></br>Issue public:
+     28th September 2001<br></br>Update released:
+     12th October 2001<br></br>
 :    Affected: 1.3.20
 
 :     **important:**  **<name name="CVE-2001-0731">Multiviews can cause a
@@ -416,8 +416,8 @@ negotiate the directory index. In some c
 with a<samp>QUERY_STRING</samp>of<samp>M=D</samp>could return a directory
 listing rather than the expected index page.
 
-:    Issue public: 9th July 2001<br></br>Update released:
-     12th October 2001<br></br>
+:    Issue public: 9th July 2001<br></br>Update released:
+     12th October 2001<br></br>
 :    Affected: 1.3.20, 1.3.19?, 1.3.17?, 1.3.14?, 1.3.12?, 1.3.11?, 1.3.9?,
      1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?
 
@@ -428,8 +428,8 @@ A vulnerability was found in the<samp>sp
 A request with a specially crafted<samp>Host:</samp>header could allow any
 file with a<samp>.log</samp>extension on the system to be written to.
 
-:    Issue public: 28th September 2001<br></br>Update released:
-     12th October 2001<br></br>
+:    Issue public: 28th September 2001<br></br>Update released:
+     12th October 2001<br></br>
 :    Affected: 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9,
      1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
 
@@ -445,7 +445,7 @@ have to be cleared by the operator to re
 introduced no identified means to compromise the server other than
 introducing a possible denial of service.
 
-:    Update released: 22nd May 2001<br></br>
+:    Update released: 22nd May 2001<br></br>
 :    Affected: 1.3.20, 1.3.19?, 1.3.17?, 1.3.14?, 1.3.12?, 1.3.11?, 1.3.9?,
      1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?
 
@@ -459,7 +459,7 @@ lead<samp>mod_negotiation</samp>and<samp
 display a directory listing instead of the multiview index.html file if a
 very long path was created artificially by using many slashes.
 
-:    Update released: 28th February 2001<br></br>
+:    Update released: 28th February 2001<br></br>
 :    Affected: 1.3.17, 1.3.14, 1.3.12, 1.3.11
 
 # Fixed in Apache httpd 1.3.14 # {#1.3.14}
@@ -474,8 +474,8 @@ in<samp>RewriteRule</samp>directives: If
 a<samp>RewriteRule</samp>contains regular expression references then an
 attacker will be able to access any file on the server.
 
-:    Issue public: 29th September 2000<br></br>Update released:
-     13th October 2000<br></br>
+:    Issue public: 29th September 2000<br></br>Update released:
+     13th October 2000<br></br>
 :    Affected: 1.3.12, 1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?,
      1.3.1?, 1.3.0?
 
@@ -487,7 +487,7 @@ module,<samp>mod_vhost_alias</samp>, cau
 if the<samp>cgi-bin</samp>directory is under the document root. However, it
 is not normal to have your cgi-bin directory under a document root.
 
-:    Update released: 13th October 2000<br></br>
+:    Update released: 13th October 2000<br></br>
 :    Affected: 1.3.12, 1.3.11, 1.3.9
 
 :     **moderate:**  **<name name="CVE-2000-0505">Requests can cause
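
Review bot: The context line "if the<samp>cgi-bin</samp>directory is under the document root" has no space on either side of the samp element, so the rendered sentence runs the words together. The same is visible in this hunk's header text ("module,<samp>mod_vhost_alias</samp>, cau"). This looks like whitespace lost in an earlier conversion; please restore the spaces in a follow-up rather than carrying the damage through the re-encode.
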
@@ -497,7 +497,7 @@ A security hole on Apache for Windows al
 a directory instead of the default HTML page by sending a carefully
 constructed request.
 
-:    Update released: 13th October 2000<br></br>
+:    Update released: 13th October 2000<br></br>
 :    Affected: 1.3.12, 1.3.11?, 1.3.9?, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?,
      1.3.1?, 1.3.0?
 
@@ -513,7 +513,7 @@ displayed to the user. Using these vulne
 example, obtain copies of your private cookies used to authenticate you to
 other sites.
 
-:    Update released: 25th February 2000<br></br>
+:    Update released: 25th February 2000<br></br>
 :    Affected: 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
 
 # Fixed in Apache httpd 1.3.11 # {#1.3.11}
@@ -525,7 +525,7 @@ A security problem can occur for sites u
 hosting (using the new<samp>mod_vhost_alias</samp>module) or with
 special<samp>mod_rewrite</samp>rules.
 
-:    Update released: 21st January 2000<br></br>
+:    Update released: 21st January 2000<br></br>
 :    Affected: 1.3.9, 1.3.6?, 1.3.4?, 1.3.3?, 1.3.2?, 1.3.1?, 1.3.0?
 
 # Fixed in Apache httpd 1.3.4 # {#1.3.4}
@@ -536,7 +536,7 @@ There have been a number of important se
 The most important is that there is much better protection against people
 trying to access special DOS device names (such as "nul").
 
-:    Update released: 11th January 1999<br></br>
+:    Update released: 11th January 1999<br></br>
 :    Affected: 1.3.3, 1.3.2, 1.3.1, 1.3.0
 
 # Fixed in Apache httpd 1.3.2 # {#1.3.2}
@@ -552,7 +552,7 @@ increasing at a constant rate. This make
 on this method more effective than methods which cause Apache to use memory
 at a constant rate, since the attacker has to send less data.
 
-:    Update released: 23rd September 1998<br></br>
+:    Update released: 23rd September 1998<br></br>
 :    Affected: 1.3.1, 1.3.0
 
 :     **important:**  **<name name="">Denial of service attacks</name>** 
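
Review bot: The entry heading in the trailing context, <name name="">Denial of service attacks</name>, has an empty name attribute, unlike entries elsewhere in this file that carry a CVE id there (for example name="CVE-2000-0505"). An empty name gives the entry no usable anchor; please either fill in an identifier or drop the attribute.
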
@@ -562,6 +562,6 @@ other people using it. In 1.3.2 there ar
 limit the size of requests (these directives all start with the
 word<SAMP>Limit</SAMP>).
 
-:    Update released: 23rd September 1998<br></br>
+:    Update released: 23rd September 1998<br></br>
 :    Affected: 1.3.1, 1.3.0
 

Modified: httpd/site/trunk/content/security/vulnerabilities_20.mdtext
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities_20.mdtext?rev=1334737&r1=1334736&r2=1334737&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities_20.mdtext (original)
+++ httpd/site/trunk/content/security/vulnerabilities_20.mdtext Sun May  6 18:48:34 2012
@@ -1,4 +1,4 @@
-Title: Apache httpd 2.0 vulnerabilities
+Title: Apache httpd 2.0 vulnerabilities
 Notice:    Licensed to the Apache Software Foundation (ASF) under one
            or more contributor license agreements.  See the NOTICE file
            distributed with this work for additional information
@@ -46,8 +46,8 @@ attack.
 
 Advisory: [CVE-2011-3192.txt](CVE-2011-3192.txt) 
 
-:    Issue public: 20th August 2011<br></br>Update released:
-     30th August 2011<br></br>
+:    Issue public: 20th August 2011<br></br>Update released:
+     30th August 2011<br></br>
 :    Affected: 2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54,
      2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46,
      2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -64,8 +64,8 @@ not directly accessible to attacker.
 Acknowledgements: This issue was reported by Context Information Security
 Ltd
 
-:    Reported to security team: 16th September 2011<br></br>Issue public:
-     5th October 2011<br></br>
+:    Reported to security team: 16th September 2011<br></br>Issue public:
+     5th October 2011<br></br>
 :    Affected: 2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54,
      2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46,
      2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -87,8 +87,8 @@ Resolution: Update APR to release 0.9.20
 
 Acknowledgements: This issue was reported by Maksymilian Arciemowicz
 
-:    Reported to security team: 2nd March 2011<br></br>Issue public:
-     10th May 2011<br></br>Update released: 21st May 2011<br></br>
+:    Reported to security team: 2nd March 2011<br></br>Issue public:
+     10th May 2011<br></br>Update released: 21st May 2011<br></br>
 :    Affected: 2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54,
      2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46,
      2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -109,8 +109,8 @@ execution.
 Acknowledgements: We would like to thank Brett Gervasoni of Sense of
 Security for reporting and proposing a patch fix for this issue.
 
-:    Reported to security team: 9th February 2010<br></br>Issue public:
-     2nd March 2010<br></br>Update released: 19th October 2010<br></br>
+:    Reported to security team: 9th February 2010<br></br>Issue public:
+     2nd March 2010<br></br>Update released: 19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37
@@ -122,9 +122,9 @@ who is able to get Apache to parse an un
 through mod_dav) may be able to cause a crash. This crash would only be a
 denial of service if using the worker MPM.
 
-:    Reported to security team: 21st August 2009<br></br>Issue public:
-     17th January 2009<br></br>Update released:
-     19th October 2010<br></br>
+:    Reported to security team: 21st August 2009<br></br>Issue public:
+     17th January 2009<br></br>Update released:
+     19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
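
Review bot: On the date lines, "Reported to security team: 21st August 2009" is later than "Issue public: 17th January 2009", so the entry says the issue was public seven months before it was reported. Please check both dates against the source record; one of the two may carry the wrong month or year.
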
@@ -136,8 +136,8 @@ who is able to get Apache to parse an un
 through mod_dav) may be able to cause a crash. This crash would only be a
 denial of service if using the worker MPM.
 
-:    Issue public: 2nd December 2009<br></br>Update released:
-     19th October 2010<br></br>
+:    Issue public: 2nd December 2009<br></br>Update released:
+     19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -150,9 +150,9 @@ APR-util library, used to process non-SS
 send requests, carefully crafting the timing of individual bytes, which
 would slowly consume memory, potentially leading to a denial of service.
 
-:    Reported to security team: 3rd March 2010<br></br>Issue public:
-     1st October 2010<br></br>Update released:
-     19th October 2010<br></br>
+:    Reported to security team: 3rd March 2010<br></br>Issue public:
+     1st October 2010<br></br>Update released:
+     19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -167,8 +167,8 @@ requests that are most likely to be auth
 
 Acknowledgements: This issue was reported by Mark Drayton.
 
-:    Reported to security team: 4th May 2010<br></br>Issue public:
-     25th July 2010<br></br>Update released: 19th October 2010<br></br>
+:    Reported to security team: 4th May 2010<br></br>Issue public:
+     25th July 2010<br></br>Update released: 19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -182,9 +182,9 @@ Apache HTTP Server itself does not pass 
 this function, so it could only be triggered through some other application
 which uses apr_palloc() in a vulnerable way.
 
-:    Reported to security team: 27th July 2009<br></br>Issue public:
-     4th August 2009<br></br>Update released:
-     19th October 2010<br></br>
+:    Reported to security team: 27th July 2009<br></br>Issue public:
+     4th August 2009<br></br>Update released:
+     19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -197,8 +197,8 @@ the network connection that requested th
 compression completed. This would cause mod_deflate to consume large
 amounts of CPU if mod_deflate was enabled for a large file.
 
-:    Issue public: 26th June 2009<br></br>Update released:
-     19th October 2010<br></br>
+:    Issue public: 26th June 2009<br></br>Update released:
+     19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -211,9 +211,9 @@ configuration, a remote attacker could u
 access restrictions by creating a carefully-crafted HTTP Authorization
 header, allowing the attacker to send arbitrary commands to the FTP server.
 
-:    Reported to security team: 3rd September 2009<br></br>Issue public:
-     3rd August 2009<br></br>Update released:
-     19th October 2010<br></br>
+:    Reported to security team: 3rd September 2009<br></br>Issue public:
+     3rd August 2009<br></br>Update released:
+     19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
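
Review bot: "Reported to security team: 3rd September 2009" follows "Issue public: 3rd August 2009" on this hunk's date lines, which reads as a report arriving a month after disclosure. If the security team was only notified once the issue was already public, the order can stay; otherwise the month on one of the two dates needs correcting.
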
@@ -225,9 +225,9 @@ malicious FTP server to which requests a
 flaw to crash an httpd child process via a malformed reply to the EPSV or
 PASV commands, resulting in a limited denial of service.
 
-:    Reported to security team: 4th September 2009<br></br>Issue public:
-     2nd August 2009<br></br>Update released:
-     19th October 2010<br></br>
+:    Reported to security team: 4th September 2009<br></br>Issue public:
+     2nd August 2009<br></br>Update released:
+     19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -250,8 +250,8 @@ or winnt MPMs.
 Acknowledgements: We would like to thank Philip Pickett of VMware for
 reporting and proposing a fix for this issue.
 
-:    Issue public: 9th December 2009<br></br>Update released:
-     19th October 2010<br></br>
+:    Issue public: 9th December 2009<br></br>Update released:
+     19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -264,9 +264,9 @@ mod_proxy_ftp. If mod_proxy_ftp is enabl
 requests containing globbing characters could lead to cross-site scripting
 (XSS) attacks.
 
-:    Reported to security team: 28th July 2008<br></br>Issue public:
-     5th August 2008<br></br>Update released:
-     19th October 2010<br></br>
+:    Reported to security team: 28th July 2008<br></br>Issue public:
+     5th August 2008<br></br>Update released:
+     19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -278,8 +278,8 @@ A flaw was found in the handling of exce
 origin server when using mod_proxy_http. A remote attacker could cause a
 denial of service or high memory usage.
 
-:    Reported to security team: 29th May 2008<br></br>Issue public:
-     10th June 2008<br></br>Update released: 19th October 2010<br></br>
+:    Reported to security team: 29th May 2008<br></br>Issue public:
+     10th June 2008<br></br>Update released: 19th October 2010<br></br>
 :    Affected: 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53,
      2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45,
      2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -294,9 +294,9 @@ mod_proxy_ftp is enabled and a forward p
 scripting attack is possible against Web browsers which do not correctly
 derive the response character set following the rules in RFC 2616.
 
-:    Reported to security team: 15th December 2007<br></br>Issue public:
-     8th January 2008<br></br>Update released:
-     19th January 2008<br></br>
+:    Reported to security team: 15th December 2007<br></br>Issue public:
+     8th January 2008<br></br>Update released:
+     19th January 2008<br></br>
 :    Affected: 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52,
      2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44,
      2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -309,9 +309,9 @@ scripting attack is possible. Note that 
 enabled by default and it is best practice to not make this publicly
 available.
 
-:    Reported to security team: 15th December 2007<br></br>Issue public:
-     2nd January 2008<br></br>Update released:
-     19th January 2008<br></br>
+:    Reported to security team: 15th December 2007<br></br>Issue public:
+     2nd January 2008<br></br>Update released:
+     19th January 2008<br></br>
 :    Affected: 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52,
      2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44,
      2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -322,9 +322,9 @@ A flaw was found in the mod_imap module.
 and an imagemap file is publicly available, a cross-site scripting attack
 is possible.
 
-:    Reported to security team: 23rd October 2007<br></br>Issue public:
-     11th December 2007<br></br>Update released:
-     19th January 2008<br></br>
+:    Reported to security team: 23rd October 2007<br></br>Issue public:
+     11th December 2007<br></br>Update released:
+     19th January 2008<br></br>
 :    Affected: 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52,
      2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44,
      2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -341,8 +341,8 @@ could cause a similar crash if a user co
 malicious site using the proxy. This could lead to a denial of service if
 using a threaded Multi-Processing Module.
 
-:    Issue public: 10th December 2006<br></br>Update released:
-     7th September 2007<br></br>
+:    Issue public: 10th December 2006<br></br>Update released:
+     7th September 2007<br></br>
 :    Affected: 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51,
      2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43,
      2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -356,9 +356,9 @@ to a cross-site scripting attack. Note t
 enabled by default and it is best practice to not make this publicly
 available.
 
-:    Reported to security team: 19th October 2006<br></br>Issue public:
-     20th June 2007<br></br>Update released:
-     7th September 2007<br></br>
+:    Reported to security team: 19th October 2006<br></br>Issue public:
+     20th June 2007<br></br>Update released:
+     7th September 2007<br></br>
 :    Affected: 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51,
      2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43,
      2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -372,9 +372,9 @@ scripts on the HTTP server could manipul
 arbitrary processes to be terminated which could lead to a denial of
 service.
 
-:    Reported to security team: 15th May 2006<br></br>Issue public:
-     19th June 2007<br></br>Update released:
-     7th September 2007<br></br>
+:    Reported to security team: 15th May 2006<br></br>Issue public:
+     19th June 2007<br></br>Update released:
+     7th September 2007<br></br>
 :    Affected: 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51,
      2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43,
      2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -387,9 +387,9 @@ a remote attacker could send a carefully
 the Apache child process handling that request to crash. This could lead to
 a denial of service if using a threaded Multi-Processing Module.
 
-:    Reported to security team: 2nd May 2007<br></br>Issue public:
-     18th June 2007<br></br>Update released:
-     7th September 2007<br></br>
+:    Reported to security team: 2nd May 2007<br></br>Issue public:
+     18th June 2007<br></br>Update released:
+     7th September 2007<br></br>
 :    Affected: 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51,
      2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43,
      2.0.42, 2.0.40, 2.0.39, 2.0.37
@@ -407,8 +407,8 @@ remotely. For vulnerable builds, the nat
 denial of service (crashing of web server processes) or potentially allow
 arbitrary code execution.
 
-:    Reported to security team: 21st July 2006<br></br>Issue public:
-     27th July 2006<br></br>Update released: 27th July 2006<br></br>
+:    Reported to security team: 21st July 2006<br></br>Issue public:
+     27th July 2006<br></br>Update released: 27th July 2006<br></br>
 :    Affected: 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50,
      2.0.49, 2.0.48, 2.0.47, 2.0.46
 
@@ -423,8 +423,8 @@ and a custom 400 error document. A remot
 crafted request to trigger this issue which would lead to a crash. This
 crash would only be a denial of service if using the worker MPM.
 
-:    Reported to security team: 5th December 2005<br></br>Issue public:
-     12th December 2005<br></br>Update released: 1st May 2006<br></br>
+:    Reported to security team: 5th December 2005<br></br>Issue public:
+     12th December 2005<br></br>Update released: 1st May 2006<br></br>
 :    Affected: 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49,
      2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40,
      2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -437,8 +437,8 @@ certain site configurations a remote att
 scripting attack if a victim can be forced to visit a malicious URL using
 certain web browsers.
 
-:    Reported to security team: 1st November 2005<br></br>Issue public:
-     12th December 2005<br></br>Update released: 1st May 2006<br></br>
+:    Reported to security team: 1st November 2005<br></br>Issue public:
+     12th December 2005<br></br>Update released: 1st May 2006<br></br>
 :    Affected: 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49,
      2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40,
      2.0.39, 2.0.37, 2.0.36, 2.0.35
@@ -455,8 +455,8 @@ required" is set for a specific location
 fashion, an attacker may be able to access resources that should otherwise
 be protected, by not supplying a client certificate when connecting.
 
-:    Issue public: 30th August 2005<br></br>Update released:
-     14th October 2005<br></br>
+:    Issue public: 30th August 2005<br></br>Update released:
+     14th October 2005<br></br>
 :    Affected: 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48,
      2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
      2.0.37, 2.0.36, 2.0.35
@@ -470,7 +470,7 @@ prevents the memory for the transaction 
 connections. This issue was downgraded in severity to low (from moderate)
 as sucessful exploitation of the race condition would be difficult.
 
-:    Update released: 14th October 2005<br></br>
+:    Update released: 14th October 2005<br></br>
 :    Affected: 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48,
      2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
      2.0.37, 2.0.36
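Review bot: the context line just above the changed date line misspells "successful" ("as sucessful exploitation of the race condition would be difficult"). The commit already touches this entry, so the spelling can be fixed in the same pass.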
@@ -483,8 +483,8 @@ to create.htaccess files could create a 
 expression in such as way that they could gain the privileges of a httpd
 child.
 
-:    Issue public: 1st August 2005<br></br>Update released:
-     14th October 2005<br></br>
+:    Issue public: 1st August 2005<br></br>Update released:
+     14th October 2005<br></br>
 :    Affected: 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48,
      2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
      2.0.37, 2.0.36, 2.0.35
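Review bot: the first context line of this hunk, "expression in such as way that they could gain the privileges of a httpd", has two wording slips: "such as way" should be "such a way", and "a httpd" should be "an httpd". Neither is touched by the re-encoding, so both remain in the published advisory text.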
@@ -496,8 +496,8 @@ An off-by-one stack overflow was discove
 callback. In order to exploit this issue the Apache server would need to be
 configured to use a malicious certificate revocation list (CRL)
 
-:    Issue public: 8th June 2005<br></br>Update released:
-     14th October 2005<br></br>
+:    Issue public: 8th June 2005<br></br>Update released:
+     14th October 2005<br></br>
 :    Affected: 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48,
      2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
      2.0.37, 2.0.36, 2.0.35
@@ -511,8 +511,8 @@ script which generates a large amount of
 carefully crafted requests in order to consume resources, potentially
 leading to a Denial of Service.
 
-:    Issue public: 7th July 2005<br></br>Update released:
-     14th October 2005<br></br>
+:    Issue public: 7th July 2005<br></br>Update released:
+     14th October 2005<br></br>
 :    Affected: 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48,
      2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
      2.0.37, 2.0.36, 2.0.35
@@ -528,8 +528,8 @@ server to process it as a separate HTTP 
 bypass of web application firewall protection or lead to cross-site
 scripting (XSS) attacks.
 
-:    Issue public: 11th June 2005<br></br>Update released:
-     14th October 2005<br></br>
+:    Issue public: 11th June 2005<br></br>Update released:
+     14th October 2005<br></br>
 :    Affected: 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48,
      2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
      2.0.37, 2.0.36, 2.0.35
@@ -545,9 +545,9 @@ to send large amounts of data to a serve
 children to consume proportional amounts of memory, leading to a denial of
 service.
 
-:    Reported to security team: 28th October 2004<br></br>Issue public:
-     1st November 2004<br></br>Update released:
-     8th February 2005<br></br>
+:    Reported to security team: 28th October 2004<br></br>Issue public:
+     1st November 2004<br></br>Update released:
+     8th February 2005<br></br>
 :    Affected: 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46,
      2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -558,9 +558,9 @@ The experimental mod_disk_cache module s
 credentials for cached objects such as proxy authentication credentials and
 Basic Authentication passwords on disk.
 
-:    Reported to security team: 2nd March 2004<br></br>Issue public:
-     20th March 2004<br></br>Update released:
-     8th February 2005<br></br>
+:    Reported to security team: 2nd March 2004<br></br>Issue public:
+     20th March 2004<br></br>Update released:
+     8th February 2005<br></br>
 :    Affected: 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46,
      2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -573,8 +573,8 @@ particular location context has been con
 of cipher suites, then a client will be able to access that location using
 any cipher suite allowed by the virtual host configuration.
 
-:    Issue public: 1st October 2004<br></br>Update released:
-     8th February 2005<br></br>
+:    Issue public: 1st October 2004<br></br>Update released:
+     8th February 2005<br></br>
 :    Affected: 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46,
      2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -587,8 +587,8 @@ A flaw in Apache 2.0.51 (only) broke the
 which could result in access being granted to resources despite any
 configured authentication
 
-:    Issue public: 18th September 2004<br></br>Update released:
-     28th September 2004<br></br>
+:    Issue public: 18th September 2004<br></br>Update released:
+     28th September 2004<br></br>
 :    Affected: 2.0.51
 
 # Fixed in Apache httpd 2.0.51 # {#2.0.51}
@@ -603,9 +603,9 @@ If a remote attacker sent a request incl
 httpd child process could be made to crash. One some BSD systems it is
 believed this flaw may be able to lead to remote code execution.
 
-:    Reported to security team: 25th August 2004<br></br>Issue public:
-     15th September 2004<br></br>Update released:
-     15th September 2004<br></br>
+:    Reported to security team: 25th August 2004<br></br>Issue public:
+     15th September 2004<br></br>Update released:
+     15th September 2004<br></br>
 :    Affected: 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44,
      2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
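Review bot: the first context line of this hunk reads "One some BSD systems it is"; "One" should be "On". This sentence is the one that raises the issue from a crash to possible remote code execution, so it is worth correcting while the entry is being edited.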
@@ -617,8 +617,8 @@ attacker who forces an SSL connection to
 may cause an Apache child process to enter an infinite loop, consuming CPU
 resources.
 
-:    Issue public: 7th July 2004<br></br>Update released:
-     15th September 2004<br></br>
+:    Issue public: 7th July 2004<br></br>Update released:
+     15th September 2004<br></br>
 :    Affected: 2.0.50, 2.0.49?, 2.0.48?, 2.0.47?, 2.0.46?, 2.0.45?,
      2.0.44?, 2.0.43?, 2.0.42?, 2.0.40?, 2.0.39?, 2.0.37?, 2.0.36?, 2.0.35?
 
@@ -633,9 +633,9 @@ carefully crafted.htaccess file written 
 Acknowledgements: We would like to thank the Swedish IT Incident Centre
 (SITIC) for reporting this issue.
 
-:    Reported to security team: 5th August 2004<br></br>Issue public:
-     15th September 2004<br></br>Update released:
-     15th September 2004<br></br>
+:    Reported to security team: 5th August 2004<br></br>Issue public:
+     15th September 2004<br></br>Update released:
+     15th September 2004<br></br>
 :    Affected: 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44,
      2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -649,8 +649,8 @@ process to crash by sending a carefully 
 is not believed to allow execution of arbitrary code and will only result
 in a denial of service where a threaded process model is in use.
 
-:    Issue public: 7th July 2004<br></br>Update released:
-     15th September 2004<br></br>
+:    Issue public: 7th July 2004<br></br>Update released:
+     15th September 2004<br></br>
 :    Affected: 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44
 
 :     **low:**	**<name name="CVE-2004-0809">WebDAV remote crash</name>** 
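Review bot: the trailing context line has a tab between "**low:**" and the "<name>" element, while the "**important:**" and "**moderate:**" entries elsewhere in this diff use two spaces at the same position. A commit that normalises the file's bytes is a good place to normalise this whitespace too, so the definition-list entries are parsed uniformly.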
@@ -663,8 +663,8 @@ requests. This issue does not allow exec
 only result in a denial of service where a threaded process model is in
 use.
 
-:    Issue public: 12th September 2004<br></br>Update released:
-     15th September 2004<br></br>
+:    Issue public: 12th September 2004<br></br>Update released:
+     15th September 2004<br></br>
 :    Affected: 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44,
      2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -676,8 +676,8 @@ use.
 A memory leak in parsing of HTTP headers which can be triggered remotely
 may allow a denial of service attack due to excessive memory consumption.
 
-:    Reported to security team: 13th June 2004<br></br>Issue public:
-     1st July 2004<br></br>Update released: 1st July 2004<br></br>
+:    Reported to security team: 13th June 2004<br></br>Issue public:
+     1st July 2004<br></br>Update released: 1st July 2004<br></br>
 :    Affected: 2.0.49, 2.0.48?, 2.0.47?, 2.0.46?, 2.0.45?, 2.0.44?,
      2.0.43?, 2.0.42?, 2.0.40?, 2.0.39?, 2.0.37?, 2.0.36?, 2.0.35?
 
@@ -688,8 +688,8 @@ A buffer overflow in the mod_ssl FakeBas
 an attacker using a (trusted) client certificate with a subject DN field
 which exceeds 6K in length.
 
-:    Issue public: 17th May 2004<br></br>Update released:
-     1st July 2004<br></br>
+:    Issue public: 17th May 2004<br></br>Update released:
+     1st July 2004<br></br>
 :    Affected: 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43,
      2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -705,8 +705,8 @@ arrives on that rarely-accessed listenin
 affect some versions of AIX, Solaris, and Tru64; it is known to not affect
 FreeBSD or Linux.
 
-:    Reported to security team: 25th February 2004<br></br>Issue public:
-     18th March 2004<br></br>Update released: 19th March 2004<br></br>
+:    Reported to security team: 25th February 2004<br></br>Issue public:
+     18th March 2004<br></br>Update released: 19th March 2004<br></br>
 :    Affected: 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42,
      2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -716,8 +716,8 @@ FreeBSD or Linux.
 A memory leak in mod_ssl allows a remote denial of service attack against
 an SSL-enabled server by sending plain HTTP requests to the SSL port.
 
-:    Issue public: 20th February 2004<br></br>Update released:
-     19th March 2004<br></br>
+:    Issue public: 20th February 2004<br></br>Update released:
+     19th March 2004<br></br>
 :    Affected: 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42,
      2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -728,8 +728,8 @@ Apache does not filter terminal escape s
 could make it easier for attackers to insert those sequences into terminal
 emulators containing vulnerabilities related to escape sequences.
 
-:    Issue public: 24th February 2003<br></br>Update released:
-     19th March 2004<br></br>
+:    Issue public: 24th February 2003<br></br>Update released:
+     19th March 2004<br></br>
 :    Affected: 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42,
      2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -743,9 +743,9 @@ can occur in mod_alias or mod_rewrite. T
 need to be able to create a carefully crafted configuration file (.htaccess
 or httpd.conf)
 
-:    Reported to security team: 4th August 2003<br></br>Issue public:
-     27th October 2003<br></br>Update released:
-     27th October 2003<br></br>
+:    Reported to security team: 4th August 2003<br></br>Issue public:
+     27th October 2003<br></br>Update released:
+     27th October 2003<br></br>
 :    Affected: 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40,
      2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -755,9 +755,9 @@ or httpd.conf)
 A bug in mod_cgid mishandling of CGI redirect paths can result in CGI
 output going to the wrong client when a threaded MPM is used.
 
-:    Reported to security team: 3rd October 2003<br></br>Issue public:
-     27th October 2003<br></br>Update released:
-     27th October 2003<br></br>
+:    Reported to security team: 3rd October 2003<br></br>Issue public:
+     27th October 2003<br></br>Update released:
+     27th October 2003<br></br>
 :    Affected: 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40,
      2.0.39, 2.0.37, 2.0.36, 2.0.35
 
@@ -770,8 +770,8 @@ In a server with multiple listening sock
 accept() on a rarely access port can cause a temporary denial of service,
 due to a bug in the prefork MPM.
 
-:    Reported to security team: 25th June 2003<br></br>Issue public:
-     9th July 2003<br></br>Update released: 9th July 2003<br></br>
+:    Reported to security team: 25th June 2003<br></br>Issue public:
+     9th July 2003<br></br>Update released: 9th July 2003<br></br>
 :    Affected: 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
      2.0.37, 2.0.36, 2.0.35
 
@@ -784,8 +784,8 @@ if optional renegotiation is used (SSLOp
 verification of client certificates and a change to the cipher suite over
 the renegotiation.
 
-:    Reported to security team: 30th April 2003<br></br>Issue public:
-     9th July 2003<br></br>Update released: 9th July 2003<br></br>
+:    Reported to security team: 30th April 2003<br></br>Issue public:
+     9th July 2003<br></br>Update released: 9th July 2003<br></br>
 :    Affected: 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
      2.0.37, 2.0.36, 2.0.35
 
@@ -796,8 +796,8 @@ When a client requests that proxy ftp co
 address, and the proxy is unable to create an IPv6 socket, an infinite loop
 occurs causing a remote Denial of Service.
 
-:    Reported to security team: 25th June 2003<br></br>Issue public:
-     9th July 2003<br></br>Update released: 9th July 2003<br></br>
+:    Reported to security team: 25th June 2003<br></br>Issue public:
+     9th July 2003<br></br>Update released: 9th July 2003<br></br>
 :    Affected: 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
      2.0.37, 2.0.36, 2.0.35
 
@@ -811,8 +811,8 @@ A vulnerability in the apr_psprintf func
 and possibly execute arbitrary code via long strings, as demonstrated using
 XML objects to mod_dav, and possibly other vectors.
 
-:    Reported to security team: 9th April 2003<br></br>Issue public:
-     28th May 2003<br></br>Update released: 28th May 2003<br></br>
+:    Reported to security team: 9th April 2003<br></br>Issue public:
+     28th May 2003<br></br>Update released: 28th May 2003<br></br>
 :    Affected: 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37
 
 :     **important:**  **<name name="CVE-2003-0189">Basic Authentication
@@ -822,8 +822,8 @@ A build system problem in Apache 2.0.40 
 attackers to cause a denial of access to authenticated content when a
 threaded server is used.
 
-:    Reported to security team: 25th April 2003<br></br>Issue public:
-     28th May 2003<br></br>Update released: 28th May 2003<br></br>
+:    Reported to security team: 25th April 2003<br></br>Issue public:
+     28th May 2003<br></br>Update released: 28th May 2003<br></br>
 :    Affected: 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40
 
 :     **important:**  **<name name="CVE-2003-0134">OS2 device name
@@ -832,8 +832,8 @@ threaded server is used.
 Apache on OS2 up to and including Apache 2.0.45 have a Denial of Service
 vulnerability caused by device names.
 
-:    Issue public: 31st March 2003<br></br>Update released:
-     28th May 2003<br></br>
+:    Issue public: 31st March 2003<br></br>Update released:
+     28th May 2003<br></br>
 :    Affected: 2.0.45, 2.0.44?, 2.0.43?, 2.0.42?, 2.0.40?, 2.0.39?,
      2.0.37?, 2.0.36?, 2.0.35?
 
@@ -844,8 +844,8 @@ Apache did not filter terminal escape se
 could make it easier for attackers to insert those sequences into terminal
 emulators containing vulnerabilities related to escape sequences.
 
-:    Issue public: 24th February 2003<br></br>Update released:
-     2nd April 2004<br></br>
+:    Issue public: 24th February 2003<br></br>Update released:
+     2nd April 2004<br></br>
 :    Affected: 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37,
      2.0.36, 2.0.35
 
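Review bot: the re-added date line gives "Update released: 2nd April 2004" for an entry whose Affected list tops out at 2.0.45, while the other entries in this diff with the same top affected version give 28th May 2003. Please confirm the 2004 date against the release history before carrying the line forward; if it is intentional, a short remark in the entry would stop the question recurring.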
@@ -859,8 +859,8 @@ Service vulnerability. Remote attackers 
 (memory consumption) via large chunks of linefeed characters, which causes
 Apache to allocate 80 bytes for each linefeed.
 
-:    Issue public: 2nd April 2004<br></br>Update released:
-     2nd April 2004<br></br>
+:    Issue public: 2nd April 2004<br></br>Update released:
+     2nd April 2004<br></br>
 :    Affected: 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36,
      2.0.35
 
@@ -872,9 +872,9 @@ Apache to allocate 80 bytes for each lin
 On Windows platforms Apache did not correctly filter MS-DOS device names
 which could lead to denial of service attacks or remote code execution.
 
-:    Reported to security team: 4th December 2002<br></br>Issue public:
-     20th January 2003<br></br>Update released:
-     20th January 2003<br></br>
+:    Reported to security team: 4th December 2002<br></br>Issue public:
+     20th January 2003<br></br>Update released:
+     20th January 2003<br></br>
 :    Affected: 2.0.43, 2.0.42?, 2.0.40?, 2.0.39?, 2.0.37?, 2.0.36?, 2.0.35?
 
 :     **important:**  **<name name="CVE-2003-0017">Apache can serve
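Review bot: the Affected line in this hunk marks most versions with a trailing "?" ("2.0.42?, 2.0.40?, 2.0.39?, ...") and nothing in the visible text says what the mark means. A one-line legend on the page, stating whether "?" means untested or presumed affected, would let administrators decide how to treat those versions.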
@@ -883,9 +883,9 @@ which could lead to denial of service at
 On Windows platforms Apache could be forced to serve unexpected files by
 appending illegal characters such as '&lt;' to the request URL
 
-:    Reported to security team: 15th November 2002<br></br>Issue public:
-     20th January 2003<br></br>Update released:
-     20th January 2003<br></br>
+:    Reported to security team: 15th November 2002<br></br>Issue public:
+     20th January 2003<br></br>Update released:
+     20th January 2003<br></br>
 :    Affected: 2.0.43, 2.0.42?, 2.0.40?, 2.0.39?, 2.0.37?, 2.0.36?, 2.0.35?
 
 # Fixed in Apache httpd 2.0.43 # {#2.0.43}
@@ -898,9 +898,9 @@ Apache 2.0 before 2.0.43, and 1.3.x up t
 "Off" and support for wildcard DNS is present, allows remote attackers to
 execute script as other web page visitors via the Host: header.
 
-:    Reported to security team: 20th September 2002<br></br>Issue public:
-     2nd October 2002<br></br>Update released:
-     3rd October 2002<br></br>
+:    Reported to security team: 20th September 2002<br></br>Issue public:
+     2nd October 2002<br></br>Update released:
+     3rd October 2002<br></br>
 :    Affected: 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
 :     **moderate:**  **<name name="CVE-2002-1156">CGI scripts source
@@ -910,7 +910,7 @@ In Apache 2.0.42 only, for a location wh
 enabled, a POST request to a CGI script would reveal the CGI source to a
 remote user.
 
-:    Update released: 3rd October 2002<br></br>
+:    Update released: 3rd October 2002<br></br>
 :    Affected: 2.0.42
 
 # Fixed in Apache httpd 2.0.42 # {#2.0.42}
@@ -922,8 +922,8 @@ could send a carefully crafted request i
 process handling the connection to crash. This issue will only result in a
 denial of service where a threaded process model is in use.
 
-:    Issue public: 19th September 2002<br></br>Update released:
-     24th September 2002<br></br>
+:    Issue public: 19th September 2002<br></br>Update released:
+     24th September 2002<br></br>
 :    Affected: 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
 # Fixed in Apache httpd 2.0.40 # {#2.0.40}
@@ -935,8 +935,8 @@ Certain URIs would bypass security and a
 file depending on the system configuration. Affects Windows, OS2, Netware
 and Cygwin platforms only.
 
-:    Reported to security team: 7th August 2002<br></br>Issue public:
-     9th August 2002<br></br>Update released: 9th August 2002<br></br>
+:    Reported to security team: 7th August 2002<br></br>Issue public:
+     9th August 2002<br></br>Update released: 9th August 2002<br></br>
 :    Affected: 2.0.39, 2.0.37, 2.0.36, 2.0.35
 
 :     **low:**	**<name name="CVE-2002-0654">Path revealing
@@ -950,8 +950,8 @@ Apache fails to invoke a script. The mod
 child process /path-to-script/script.pl" revealing the full path of the
 script.
 
-:    Reported to security team: 5th July 2002<br></br>Issue public:
-     9th August 2002<br></br>Update released: 9th August 2002<br></br>
+:    Reported to security team: 5th July 2002<br></br>Issue public:
+     9th August 2002<br></br>Update released: 9th August 2002<br></br>
 :    Affected: 2.0.39, 2.0.37?, 2.0.36?, 2.0.35?
 
 # Fixed in Apache httpd 2.0.37 # {#2.0.37}
@@ -963,8 +963,8 @@ Malicious requests can cause various eff
 harmless increase in system resources through to denial of service attacks
 and in some cases the ability to execute arbitrary remote code.
 
-:    Reported to security team: 27th May 2002<br></br>Issue public:
-     17th June 2002<br></br>Update released: 18th June 2002<br></br>
+:    Reported to security team: 27th May 2002<br></br>Issue public:
+     17th June 2002<br></br>Update released: 18th June 2002<br></br>
 :    Affected: 2.0.36, 2.0.35
 
 # Fixed in Apache httpd 2.0.36 # {#2.0.36}
@@ -976,7 +976,7 @@ In some cases warning messages could get
 to being recorded in the error log. This could reveal the path to a CGI
 script for example, a minor security exposure.
 
-:    Issue public: 22nd April 2002<br></br>Update released:
-     8th May 2002<br></br>
+:    Issue public: 22nd April 2002<br></br>Update released:
+     8th May 2002<br></br>
 :    Affected: 2.0.35
 


