httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From wr...@apache.org
Subject svn commit: r1622194 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Date Wed, 03 Sep 2014 09:10:35 GMT
Author: wrowe
Date: Wed Sep  3 09:10:35 2014
New Revision: 1622194

URL: http://svn.apache.org/r1622194
Log:
Update vulnerabilities list, add CVE-2013-5704

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1622194&r1=1622193&r2=1622194&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Wed Sep  3 09:10:35 2014
@@ -1,4 +1,69 @@
-<security updated="20140721">
+<security updated="20140903">
+
+<issue fixed="2.4.11-dev" reported="20130906" public="20131019" released="20140903">
+<cve name="CVE-2013-5704"/>
+<severity level="4">low</severity>
+<title>HTTP Trailers processing bypass</title>
+<description><p>
+HTTP trailers could be used to replace HTTP headers late during request
+processing, potentially undoing or otherwise confusing modules that
+examined or modified request headers earlier.</p>
+<p>This fix adds the "MergeTrailers" directive to restore legacy behavior.
+</p></description>
+<acknowledgements>
+This issue was reported by Martin Holst Swende.
+</acknowledgements>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.8"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.2.29" reported="20130906" public="20131019" released="20140903">
+<cve name="CVE-2013-5704"/>
+<severity level="4">low</severity>
+<title>HTTP Trailers processing bypass</title>
+<description><p>
+HTTP trailers could be used to replace HTTP headers late during request
+processing, potentially undoing or otherwise confusing modules that
+examined or modified request headers earlier.</p>
+<p>This fix adds the "MergeTrailers" directive to restore legacy behavior.
+</p></description>
+<acknowledgements>
+This issue was reported by Martin Holst Swende.
+</acknowledgements>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
 
 <issue fixed="2.4.10" reported="20140616" public="20140714" released="20140714">
 <cve name="CVE-2014-0231"/>
@@ -23,6 +88,47 @@ This issue was reported by Rainer Jung o
 <affects prod="httpd" version="2.4.1"/>
 </issue>
 
+<issue fixed="2.2.29" reported="20140616" public="20140714" released="20140903">
+<cve name="CVE-2014-0231"/>
+<severity level="2">important</severity>
+<title>mod_cgid denial of service</title>
+<description><p>
+A flaw was found in mod_cgid.  If a server using mod_cgid hosted CGI
+scripts which did not consume standard input, a remote attacker could
+cause child processes to hang indefinitely, leading to denial of
+service.
+</p></description>
+<acknowledgements>
+This issue was reported by Rainer Jung of the ASF
+</acknowledgements>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
 <issue fixed="2.4.10" reported="20140407" public="20140715" released="20140715">
 <cve name="CVE-2014-0117"/>
 <severity level="3">moderate</severity>
@@ -89,18 +195,62 @@ This issue was reported by Giancarlo Pel
 <affects prod="httpd" version="2.4.1"/>
 </issue>
 
-<issue fixed="2.4.10" reported="20140530" public="20140714" released="20140714">
+<issue fixed="2.2.29" reported="20140219" public="20140714" released="20140903">
+<cve name="CVE-2014-0118"/>
+<severity level="3">moderate</severity>
+<title>mod_deflate denial of service</title>
+<description><p>
+A resource consumption flaw was found in mod_deflate.  If request body
+decompression was configured (using the "DEFLATE" input filter), a
+remote attacker could cause the server to consume significant memory 
+and/or CPU resources.  The use of request body decompression is not a common
+configuration.
+</p></description>
+<acknowledgements>
+This issue was reported by Giancarlo Pellegrino and Davide Balzarotti
+</acknowledgements>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.2.29" reported="20140530" public="20140714" released="20140903">
 <cve name="CVE-2014-0226"/>
 <severity level="3">moderate</severity>
 <title>mod_status buffer overflow</title>
 <description><p>
 A race condition was found in mod_status.  An attacker able to access
-a public server status page on a server using a threaded MPM could send a carefully crafted

-request which could lead to a heap buffer overflow.  Note that it is not a default
-or recommended configuration to have a public accessible server status page.
+a public server status page on a server using a threaded MPM could send a
+carefully crafted request which could lead to a heap buffer overflow.  Note
+that it is not a default or recommended configuration to have a public
+accessible server status page.
 </p></description>
 <acknowledgements>
-This issue was reported by Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466
via HP ZDI
+This issue was reported by Marek Kroemeke, AKAT-1 and
+22733db72ab3ed94b5f8a1ffcde850251fe6f466 via HP ZDI
 </acknowledgements>
 <affects prod="httpd" version="2.4.9"/>
 <affects prod="httpd" version="2.4.8"/>



Mime
View raw message