httpd-cvs mailing list archives

From build...@apache.org
Subject svn commit: r871554 - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_20.html
Date Sun, 28 Jul 2013 11:22:33 GMT
Author: buildbot
Date: Sun Jul 28 11:22:32 2013
New Revision: 871554

Log:
Staging update by buildbot for httpd

Modified:
    websites/staging/httpd/trunk/content/   (props changed)
    websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml
    websites/staging/httpd/trunk/content/security/vulnerabilities_20.html

Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sun Jul 28 11:22:32 2013
@@ -1 +1 @@
-1507782
+1507783

Modified: websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml Sun Jul 28 11:22:32
2013
@@ -91,6 +91,45 @@ This issue was reported by Ramiro Molina
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
+<issue fixed="2.0.65" reported="20130313" public="20130419" released="20130722">
+<cve name="CVE-2013-1862"/>
+<severity level="4">low</severity>
+<title>mod_rewrite log escape filtering</title>
+<description><p>
+mod_rewrite does not filter terminal escape sequences from logs,
+which could make it easier for attackers to insert those sequences
+into terminal emulators containing vulnerabilities related to escape
+sequences.
+</p></description>
+<acknowledgements>
+This issue was reported by Ramiro Molina
+</acknowledgements>
+<affects prod="httpd" version="2.0.64"/>
+<affects prod="httpd" version="2.0.63"/>
+<affects prod="httpd" version="2.0.61"/>
+<affects prod="httpd" version="2.0.59"/>
+<affects prod="httpd" version="2.0.58"/>
+<affects prod="httpd" version="2.0.55"/>
+<affects prod="httpd" version="2.0.54"/>
+<affects prod="httpd" version="2.0.53"/>
+<affects prod="httpd" version="2.0.52"/>
+<affects prod="httpd" version="2.0.51"/>
+<affects prod="httpd" version="2.0.50"/>
+<affects prod="httpd" version="2.0.49"/>
+<affects prod="httpd" version="2.0.48"/>
+<affects prod="httpd" version="2.0.47"/>
+<affects prod="httpd" version="2.0.46"/>
+<affects prod="httpd" version="2.0.45"/>
+<affects prod="httpd" version="2.0.44"/>
+<affects prod="httpd" version="2.0.43"/>
+<affects prod="httpd" version="2.0.42"/>
+<affects prod="httpd" version="2.0.40"/>
+<affects prod="httpd" version="2.0.39"/>
+<affects prod="httpd" version="2.0.37"/>
+<affects prod="httpd" version="2.0.36"/>
+<affects prod="httpd" version="2.0.35"/>
+</issue>
+
 <issue fixed="2.4.6" reported="20130529" public="20130722" released="20130722">
 <cve name="CVE-2013-2249"/>
 <severity level="3">moderate</severity>
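Review bot: The CVE-2013-1862 description says the escape sequences are not filtered "from logs" but never says where they originate, so a reader cannot tell what an attacker controls. Presumably the unfiltered bytes arrive in client-supplied request data that mod_rewrite writes to its log, and the party at risk is an administrator viewing that log in a terminal emulator; if that is the intended meaning, `mod_rewrite does not filter terminal escape sequences present in client-supplied request data before writing them to its log,` states it without changing the rest of the sentence. The hunk-header context suggests this text is copied from the matching 2.2 entry outside the hunk, so both should be reworded together to keep the branches identical.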
@@ -383,6 +422,46 @@ This issue was reported by halfdog
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
+
+<issue fixed="2.0.65" reported="20111004" public="20111102" released="20130722">
+<cve name="CVE-2011-3607"/>
+<severity level="4">low</severity>
+<title>mod_setenvif .htaccess privilege escalation</title>
+<description><p>
+An integer overflow flaw was found which, when the mod_setenvif module
+is enabled, could allow local users to gain privileges via a .htaccess
+file.
+</p>
+</description>
+<acknowledgements>
+This issue was reported by halfdog
+</acknowledgements>
+<affects prod="httpd" version="2.0.64"/>
+<affects prod="httpd" version="2.0.63"/>
+<affects prod="httpd" version="2.0.61"/>
+<affects prod="httpd" version="2.0.59"/>
+<affects prod="httpd" version="2.0.58"/>
+<affects prod="httpd" version="2.0.55"/>
+<affects prod="httpd" version="2.0.54"/>
+<affects prod="httpd" version="2.0.53"/>
+<affects prod="httpd" version="2.0.52"/>
+<affects prod="httpd" version="2.0.51"/>
+<affects prod="httpd" version="2.0.50"/>
+<affects prod="httpd" version="2.0.49"/>
+<affects prod="httpd" version="2.0.48"/>
+<affects prod="httpd" version="2.0.47"/>
+<affects prod="httpd" version="2.0.46"/>
+<affects prod="httpd" version="2.0.45"/>
+<affects prod="httpd" version="2.0.44"/>
+<affects prod="httpd" version="2.0.43"/>
+<affects prod="httpd" version="2.0.42"/>
+<affects prod="httpd" version="2.0.40"/>
+<affects prod="httpd" version="2.0.39"/>
+<affects prod="httpd" version="2.0.37"/>
+<affects prod="httpd" version="2.0.36"/>
+<affects prod="httpd" version="2.0.35"/>
+</issue>
+
 <issue fixed="2.2.22" reported="20111020" public="20120122" released="20120131">
 <cve name="CVE-2011-4317"/>
 <severity level="3">moderate</severity>
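Review bot: The new CVE-2011-3607 issue element is preceded by two blank lines (the existing blank context line plus the empty `+` line added at the top of the hunk), while the other three issue elements added in this commit are separated from their neighbours by exactly one blank line; dropping the added blank line keeps the file's spacing consistent. Separately, the description says the overflow "could allow local users to gain privileges via a .htaccess file" but gives no hint of the precondition — presumably that the local user can write a .htaccess file in a directory where mod_setenvif directives are honoured; if that is correct, saying so would help a 2.0.x administrator judge exposure. Any such rewording should be applied to the matching 2.2 entry as well, which the hunk-header context suggests exists outside this hunk.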
@@ -473,6 +552,45 @@ This issue was reported by halfdog
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
+<issue fixed="2.0.65" reported="20111230" public="20120111" released="20130722">
+<cve name="CVE-2012-0031"/>
+<severity level="4">low</severity>
+<title>scoreboard parent DoS</title>
+<description><p>
+A flaw was found in the handling of the scoreboard.  An 
+unprivileged child process could cause the parent process to crash at 
+shutdown rather than terminate cleanly. 
+</p>
+</description>
+<acknowledgements>
+This issue was reported by halfdog
+</acknowledgements>
+<affects prod="httpd" version="2.0.64"/>
+<affects prod="httpd" version="2.0.63"/>
+<affects prod="httpd" version="2.0.61"/>
+<affects prod="httpd" version="2.0.59"/>
+<affects prod="httpd" version="2.0.58"/>
+<affects prod="httpd" version="2.0.55"/>
+<affects prod="httpd" version="2.0.54"/>
+<affects prod="httpd" version="2.0.53"/>
+<affects prod="httpd" version="2.0.52"/>
+<affects prod="httpd" version="2.0.51"/>
+<affects prod="httpd" version="2.0.50"/>
+<affects prod="httpd" version="2.0.49"/>
+<affects prod="httpd" version="2.0.48"/>
+<affects prod="httpd" version="2.0.47"/>
+<affects prod="httpd" version="2.0.46"/>
+<affects prod="httpd" version="2.0.45"/>
+<affects prod="httpd" version="2.0.44"/>
+<affects prod="httpd" version="2.0.43"/>
+<affects prod="httpd" version="2.0.42"/>
+<affects prod="httpd" version="2.0.40"/>
+<affects prod="httpd" version="2.0.39"/>
+<affects prod="httpd" version="2.0.37"/>
+<affects prod="httpd" version="2.0.36"/>
+<affects prod="httpd" version="2.0.35"/>
+</issue>
+
 <issue fixed="2.2.22" reported="20120115" public="20120123" released="20120131">
 <cve name="CVE-2012-0053"/>
 <severity level="3">moderate</severity>
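Review bot: The three description lines of the CVE-2012-0031 entry carry trailing spaces (`An `, `at `, `cleanly. `), unlike the other issue descriptions added in this commit; the text sits inside `<p>` mixed content, where an XML parser preserves that whitespace as data, so trimming it keeps the entry consistent with its siblings and avoids spurious diffs later. The dates and the 2.0.35–2.0.64 affects list otherwise match the other 2.0.65 entries in this commit.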
@@ -508,6 +626,45 @@ This issue was reported by Norman Hipper
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
+<issue fixed="2.0.65" reported="20120115" public="20120123" released="20130722">
+<cve name="CVE-2012-0053"/>
+<severity level="3">moderate</severity>
+<title>error responses can expose cookies</title>
+<description><p>
+A flaw was found in the default error response for status code 400.  This flaw could
+be used by an attacker to expose "httpOnly" cookies
+when no custom ErrorDocument is specified.
+</p>
+</description>
+<acknowledgements>
+This issue was reported by Norman Hippert
+</acknowledgements>
+<affects prod="httpd" version="2.0.64"/>
+<affects prod="httpd" version="2.0.63"/>
+<affects prod="httpd" version="2.0.61"/>
+<affects prod="httpd" version="2.0.59"/>
+<affects prod="httpd" version="2.0.58"/>
+<affects prod="httpd" version="2.0.55"/>
+<affects prod="httpd" version="2.0.54"/>
+<affects prod="httpd" version="2.0.53"/>
+<affects prod="httpd" version="2.0.52"/>
+<affects prod="httpd" version="2.0.51"/>
+<affects prod="httpd" version="2.0.50"/>
+<affects prod="httpd" version="2.0.49"/>
+<affects prod="httpd" version="2.0.48"/>
+<affects prod="httpd" version="2.0.47"/>
+<affects prod="httpd" version="2.0.46"/>
+<affects prod="httpd" version="2.0.45"/>
+<affects prod="httpd" version="2.0.44"/>
+<affects prod="httpd" version="2.0.43"/>
+<affects prod="httpd" version="2.0.42"/>
+<affects prod="httpd" version="2.0.40"/>
+<affects prod="httpd" version="2.0.39"/>
+<affects prod="httpd" version="2.0.37"/>
+<affects prod="httpd" version="2.0.36"/>
+<affects prod="httpd" version="2.0.35"/>
+</issue>
+
 <issue fixed="2.2.22" reported="20110916" public="20111005" released="20120131">
 <cve name="CVE-2011-3368"/>
 <severity level="3">moderate</severity>
@@ -770,7 +927,7 @@ This issue was reported by Maksymilian A
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
-<issue fixed="2.0.65-dev" reported="20110302" public="20110510" released="20110521">
+<issue fixed="2.0.65" reported="20110302" public="20110510" released="20110521">
 <cve name="CVE-2011-0419"/>
 <severity level="3">moderate</severity>
 <title>apr_fnmatch flaw leads to mod_autoindex remote DoS</title>
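Review bot: The `released` attribute on the CVE-2011-0419 entry stays at "20110521" while `fixed` changes from "2.0.65-dev" to "2.0.65", whereas the four other 2.0.65 entries added in this commit (CVE-2013-1862, CVE-2011-3607, CVE-2012-0031, CVE-2012-0053) all carry released="20130722". If `released` records when the fix shipped on the 2.0 branch, the line should read `<issue fixed="2.0.65" reported="20110302" public="20110510" released="20130722">`; otherwise the generated page apparently shows 2.0.x administrators an "Update Released" date about two years before the release that carries the fix. If the earlier date is intentional (for example, the date the underlying apr_fnmatch fix was published), an XML comment saying so would stop a later editor from "correcting" it. The rest of the issue element lies outside the hunk.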

Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_20.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_20.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_20.html Sun Jul 28 11:22:32
2013
@@ -109,6 +109,107 @@ Advisory: <a href="CVE-2011-3192.txt">CV
       Affects: 
     2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50,
2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36,
2.0.35<p/></dd>
   <dd>
+    <b>low: </b>
+    <b>
+      <name name="CVE-2013-1862">mod_rewrite log escape filtering</name>
+    </b>
+    <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862">CVE-2013-1862</a>
+    <p>
+mod_rewrite does not filter terminal escape sequences from logs,
+which could make it easier for attackers to insert those sequences
+into terminal emulators containing vulnerabilities related to escape
+sequences.
+</p>
+  </dd>
+  <dd>
+    <p>Acknowledgements: 
+This issue was reported by Ramiro Molina
+</p>
+  </dd>
+  <dd>
+  Reported to security team: 13th March 2013<br/>
+  Issue public: 19th April 2013<br/></dd>
+  <dd>
+  Update Released: 22nd July 2013<br/></dd>
+  <dd>
+      Affects: 
+    2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50,
2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36,
2.0.35<p/></dd>
+  <dd>
+    <b>low: </b>
+    <b>
+      <name name="CVE-2011-3607">mod_setenvif .htaccess privilege escalation</name>
+    </b>
+    <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607">CVE-2011-3607</a>
+    <p>
+An integer overflow flaw was found which, when the mod_setenvif module
+is enabled, could allow local users to gain privileges via a .htaccess
+file.
+</p>
+  </dd>
+  <dd>
+    <p>Acknowledgements: 
+This issue was reported by halfdog
+</p>
+  </dd>
+  <dd>
+  Reported to security team: 4th October 2011<br/>
+  Issue public: 2nd November 2011<br/></dd>
+  <dd>
+  Update Released: 22nd July 2013<br/></dd>
+  <dd>
+      Affects: 
+    2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50,
2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36,
2.0.35<p/></dd>
+  <dd>
+    <b>low: </b>
+    <b>
+      <name name="CVE-2012-0031">scoreboard parent DoS</name>
+    </b>
+    <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031">CVE-2012-0031</a>
+    <p>
+A flaw was found in the handling of the scoreboard.  An 
+unprivileged child process could cause the parent process to crash at 
+shutdown rather than terminate cleanly. 
+</p>
+  </dd>
+  <dd>
+    <p>Acknowledgements: 
+This issue was reported by halfdog
+</p>
+  </dd>
+  <dd>
+  Reported to security team: 30th December 2011<br/>
+  Issue public: 11th January 2012<br/></dd>
+  <dd>
+  Update Released: 22nd July 2013<br/></dd>
+  <dd>
+      Affects: 
+    2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50,
2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36,
2.0.35<p/></dd>
+  <dd>
+    <b>moderate: </b>
+    <b>
+      <name name="CVE-2012-0053">error responses can expose cookies</name>
+    </b>
+    <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053">CVE-2012-0053</a>
+    <p>
+A flaw was found in the default error response for status code 400.  This flaw could
+be used by an attacker to expose "httpOnly" cookies
+when no custom ErrorDocument is specified.
+</p>
+  </dd>
+  <dd>
+    <p>Acknowledgements: 
+This issue was reported by Norman Hippert
+</p>
+  </dd>
+  <dd>
+  Reported to security team: 15th January 2012<br/>
+  Issue public: 23rd January 2012<br/></dd>
+  <dd>
+  Update Released: 22nd July 2013<br/></dd>
+  <dd>
+      Affects: 
+    2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50,
2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36,
2.0.35<p/></dd>
+  <dd>
     <b>moderate: </b>
     <b>
       <name name="CVE-2011-3368">mod_proxy reverse proxy exposure</name>
@@ -135,8 +236,6 @@ This issue was reported by Context Infor
   <dd>
       Affects: 
     2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50,
2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36,
2.0.35<p/></dd>
-</dl><h1 id="2.0.65-dev">
-Fixed in Apache httpd 2.0.65-dev</h1><dl>
   <dd>
     <b>moderate: </b>
     <b>


