You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mj...@apache.org on 2005/10/14 21:46:41 UTC

svn commit: r321197 - in /httpd/site/trunk: docs/security/vulnerabilities_20.html xdocs/security/vulnerabilities-httpd.xml

Author: mjc
Date: Fri Oct 14 12:46:36 2005
New Revision: 321197

URL: http://svn.apache.org/viewcvs?rev=321197&view=rev
Log:
2.0.55 is out, so update the vulnerability database

Modified:
    httpd/site/trunk/docs/security/vulnerabilities_20.html
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/docs/security/vulnerabilities_20.html
URL: http://svn.apache.org/viewcvs/httpd/site/trunk/docs/security/vulnerabilities_20.html?rev=321197&r1=321196&r2=321197&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_20.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_20.html Fri Oct 14 12:46:36 2005
@@ -83,13 +83,35 @@
            <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="2.0.55-dev"><strong>Fixed in Apache httpd 2.0.55-dev</strong></a>
+   <a name="2.0.55"><strong>Fixed in Apache httpd 2.0.55</strong></a>
   </font>
  </td></tr>
  <tr><td>
   <blockquote>
 <dl>
 <dd>
+<b>important: </b>
+<b>
+<name name="CAN-2005-2700">SSLVerifyClient bypass</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700">CAN-2005-2700</a>
+<p>
+A flaw in the mod_ssl handling of the "SSLVerifyClient"
+directive. This flaw would occur if a virtual host has been configured
+using "SSLVerifyClient optional" and further a directive "SSLVerifyClient
+required" is set for a specific location.  For servers configured in this
+fashion, an attacker may be able to access resources that should otherwise
+be protected, by not supplying a client certificate when connecting.
+</p>
+</dd>
+<dd>
+  Update Released: 14th October 2005<br />
+</dd>
+<dd>
+      Affects: 
+    2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p />
+</dd>
+<dd>
 <b>low: </b>
 <b>
 <name name="CAN-2005-2491">PCRE overflow</name>
@@ -103,7 +125,9 @@
 of a httpd child.
 </p>
 </dd>
-<dd />
+<dd>
+  Update Released: 14th October 2005<br />
+</dd>
 <dd>
       Affects: 
     2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p />
@@ -121,7 +145,9 @@
 revocation list (CRL)
 </p>
 </dd>
-<dd />
+<dd>
+  Update Released: 14th October 2005<br />
+</dd>
 <dd>
       Affects: 
     2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p />
@@ -140,7 +166,9 @@
 potentially leading to a Denial of Service. 
 </p>
 </dd>
-<dd />
+<dd>
+  Update Released: 14th October 2005<br />
+</dd>
 <dd>
       Affects: 
     2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p />
@@ -161,7 +189,9 @@
 lead to cross-site scripting (XSS) attacks.
 </p>
 </dd>
-<dd />
+<dd>
+  Update Released: 14th October 2005<br />
+</dd>
 <dd>
       Affects: 
     2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p />

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewcvs/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=321197&r1=321196&r2=321197&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml Fri Oct 14 12:46:36 2005
@@ -1,6 +1,6 @@
-<security updated="20050926">
+<security updated="20051014">
 
-<issue fixed="2.0.55-dev" public="20050707" reported="20050707">
+<issue fixed="2.0.55" public="20050707" reported="20050707" released="20051014">
 <cve name="CAN-2005-2728"/>
 <severity level="3">moderate</severity>
 <title>Byterange filter DoS</title>
@@ -33,7 +33,41 @@
 <affects prod="httpd" version="2.0.35"/>
 </issue>
 
-<issue fixed="2.0.55-dev" public="20050801">
+<issue fixed="2.0.55" public="20050830" reported="20050830" released="20051014">
+<cve name="CAN-2005-2700"/>
+<severity level="2">important</severity>
+<title>SSLVerifyClient bypass</title>
+<description>
+<p>
+A flaw in the mod_ssl handling of the "SSLVerifyClient"
+directive. This flaw would occur if a virtual host has been configured
+using "SSLVerifyClient optional" and further a directive "SSLVerifyClient
+required" is set for a specific location.  For servers configured in this
+fashion, an attacker may be able to access resources that should otherwise
+be protected, by not supplying a client certificate when connecting.
+</p>
+</description>
+<affects prod="httpd" version="2.0.54"/>
+<affects prod="httpd" version="2.0.53"/>
+<affects prod="httpd" version="2.0.52"/>
+<affects prod="httpd" version="2.0.51"/>
+<affects prod="httpd" version="2.0.50"/>
+<affects prod="httpd" version="2.0.49"/>
+<affects prod="httpd" version="2.0.48"/>
+<affects prod="httpd" version="2.0.47"/>
+<affects prod="httpd" version="2.0.46"/>
+<affects prod="httpd" version="2.0.45"/>
+<affects prod="httpd" version="2.0.44"/>
+<affects prod="httpd" version="2.0.43"/>
+<affects prod="httpd" version="2.0.42"/>
+<affects prod="httpd" version="2.0.40"/>
+<affects prod="httpd" version="2.0.39"/>
+<affects prod="httpd" version="2.0.37"/>
+<affects prod="httpd" version="2.0.36"/>
+<affects prod="httpd" version="2.0.35"/>
+</issue>
+
+<issue fixed="2.0.55" public="20050801" released="20051014">
 <cve name="CAN-2005-2491"/>
 <severity level="4">low</severity>
 <title>PCRE overflow</title>
@@ -66,7 +100,7 @@
 <affects prod="httpd" version="2.0.35"/>
 </issue>
 
-<issue fixed="2.0.55-dev" public="20050611">
+<issue fixed="2.0.55" public="20050611" released="20051014">
 <cve name="CAN-2005-2088"/>
 <severity level="3">moderate</severity>
 <title>HTTP Request Spoofing</title>
@@ -101,7 +135,7 @@
 <affects prod="httpd" version="2.0.35"/>
 </issue>
 
-<issue fixed="2.0.55-dev" public="20050608">
+<issue fixed="2.0.55" public="20050608" released="20051014">
 <cve name="CAN-2005-1268"/>
 <severity level="4">low</severity>
 <title>Malicious CRL off-by-one</title>