httpd-users mailing list archives

From Mike Rumph <mike.ru...@oracle.com>
Subject Re: [users@httpd] Need confirmation of Issue Fix in Apache HTTP server 2.2.29
Date Fri, 26 Dec 2014 15:53:04 GMT
Hello Kesavan,

Errors 1 and 4 were reported fixed in Apache httpd 2.2.28:
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?revision=1619851&view=markup

Error 1 (CVE-2014-0231) was fixed for 2.2.28 in SVN revision 1611185:
- http://svn.apache.org/viewvc?view=revision&revision=1611185

Error 4 (CVE-2014-0118) was fixed for 2.2.28 in SVN revision 1611426:
- http://svn.apache.org/viewvc?view=revision&revision=1611426

Errors 2 and 3 were reported fixed in Apache httpd 2.4.10:
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?revision=1646179&view=markup
Both of these vulnerabilities were only relevant to Apache httpd 2.4.x.

Error 2 (CVE-2014-3523) was fixed for 2.4.10 in SVN revisions 1610653 
and 1610661:
- http://svn.apache.org/viewvc?view=revision&revision=1610653
- http://svn.apache.org/viewvc?view=revision&revision=1610661

Error 3 (CVE-2014-0117) was fixed for 2.4.10 in SVN revision 1610737:
- http://svn.apache.org/viewvc?view=revision&revision=1610737

Thanks,

Mike Rumph

On 12/26/2014 12:01 AM, Sengodan, Kesavan wrote:
>
> Hi
>
> I would like to confirm whether the following issues are fixed in 
> Apache HTTP server 2.2.29 or not?
>
> ======================
>
> *_Description of vulnerabilities_*
> Multiple vulnerabilities have been reported in Apache HTTP Server, 
> which can be exploited by malicious people to cause a DoS (Denial of 
> Service).
>
> 1) An error within the mod_cgid module when handling certain input can 
> be exploited to cause a hang of a child process.
> 2) An error within WinNT MPM can be exploited to trigger a memory leak 
> by sending specially crafted requests. Successful exploitation 
> requires the server to be configured using the default AcceptFilter 
> setting. Note: This vulnerability only affects Apache HTTP Server 
> running on Windows NT operating systems.
> 3) An error when handling HTTP headers within the mod_proxy module can 
> be exploited to cause a crash of the worker by sending a specially 
> crafted request. Successful exploitation requires the server to be 
> configured as a reverse proxy.
> 4) An error within the mod_deflate module can be exploited to consume 
> memory and CPU resources. Successful exploitation requires the server 
> to be configured to use request body decompression.
>
> The vulnerabilities are reported in 2.4.x versions prior to 2.4.9 and 
> 2.2.x versions prior to 2.2.27 and 2.x versions prior to 2.0.65
>
> ======================
>
> Pl. confirm me ASAP.
>
> Thanks
>
> Kesavan Sengodan
>

