You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by bu...@apache.org on 2017/07/11 15:12:32 UTC
svn commit: r1015273 - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html

Author: buildbot
Date: Tue Jul 11 15:12:32 2017
New Revision: 1015273

Log:
Staging update by buildbot for httpd

Modified:
    websites/staging/httpd/trunk/content/   (props changed)
    websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml
    websites/staging/httpd/trunk/content/security/vulnerabilities_22.html
    websites/staging/httpd/trunk/content/security/vulnerabilities_24.html

Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Jul 11 15:12:32 2017
@@ -1 +1 @@
-1801623
+1801625

Modified: websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml Tue Jul 11 15:12:32 2017
@@ -9,7 +9,7 @@ Use of the ap_get_basic_auth_pw() by thi
 authentication phase may lead to authentication requirements being bypassed.
 </p><p>
 Third-party module writers SHOULD use ap_get_basic_auth_components(), available
-in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().  Modules which call the
+in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw().  Modules which call the
 legacy ap_get_basic_auth_pw() during the authentication phase MUST either
 immediately authenticate the user after the call, or else stop the request
 immediately with an error response, to avoid incorrectly authenticating the
@@ -33,6 +33,26 @@ We would like to thank Emmanuel Dreyfus
 <affects prod="httpd" version="2.4.3"/>
 <affects prod="httpd" version="2.4.2"/>
 <affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.2.34" reported="20170206" public="20170619" released="20170711">
+<cve name="CVE-2017-3167"/>
+<severity level="2">important</severity>
+<title>ap_get_basic_auth_pw() Authentication Bypass</title>
+<description><p>
+Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+authentication phase may lead to authentication requirements being bypassed.
+</p><p>
+Third-party module writers SHOULD use ap_get_basic_auth_components(), available
+in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw().  Modules which call the
+legacy ap_get_basic_auth_pw() during the authentication phase MUST either
+immediately authenticate the user after the call, or else stop the request
+immediately with an error response, to avoid incorrectly authenticating the
+current request.
+</p></description>
+<acknowledgements>
+We would like to thank Emmanuel Dreyfus for reporting this issue.
+</acknowledgements>
 <affects prod="httpd" version="2.2.32"/>
 <affects prod="httpd" version="2.2.31"/>
 <affects prod="httpd" version="2.2.29"/>
@@ -91,6 +111,20 @@ reporting this issue.
 <affects prod="httpd" version="2.4.3"/>
 <affects prod="httpd" version="2.4.2"/>
 <affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.2.34" reported="20161205" public="20170619" released="20170711">
+<cve name="CVE-2017-3169"/>
+<severity level="2">important</severity>
+<title>mod_ssl Null Pointer Dereference</title>
+<description><p>
+mod_ssl may dereference a NULL pointer when third-party modules call
+ap_hook_process_connection() during an HTTP request to an HTTPS port.
+</p></description>
+<acknowledgements>
+We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for
+reporting this issue.
+</acknowledgements>
 <affects prod="httpd" version="2.2.32"/>
 <affects prod="httpd" version="2.2.31"/>
 <affects prod="httpd" version="2.2.29"/>
@@ -152,6 +186,23 @@ We would like to thank Javier JimÃ©nez
 issue.
 </acknowledgements>
 <affects prod="httpd" version="2.4.25"/>
+</issue>
+
+<issue fixed="2.2.34" reported="20170506" public="20170619" released="20170711">
+<cve name="CVE-2017-7668"/>
+<severity level="2">important</severity>
+<title>ap_find_token() Buffer Overread</title>
+<description><p>
+The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
+token list parsing, which allows ap_find_token() to search past the end of its
+input string. By maliciously crafting a sequence of request headers, an attacker
+may be able to cause a segmentation fault, or to force ap_find_token() to return
+an incorrect value.
+</p></description>
+<acknowledgements>
+We would like to thank Javier JimÃ©nez (javijmor@gmail.com) for reporting this
+issue.
+</acknowledgements>
 <affects prod="httpd" version="2.2.32"/>
 </issue>
 
@@ -181,6 +232,19 @@ We would like to thank ChenQin and Hanno
 <affects prod="httpd" version="2.4.3"/>
 <affects prod="httpd" version="2.4.2"/>
 <affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.2.34" reported="20151115" public="20170619" released="20170711">
+<cve name="CVE-2017-7679"/>
+<severity level="2">important</severity>
+<title>mod_mime Buffer Overread</title>
+<description><p>
+mod_mime can read one byte past the end of a buffer when sending a malicious
+Content-Type response header.
+</p></description>
+<acknowledgements>
+We would like to thank ChenQin and Hanno BÃ¶ck for reporting this issue.
+</acknowledgements>
 <affects prod="httpd" version="2.2.32"/>
 <affects prod="httpd" version="2.2.31"/>
 <affects prod="httpd" version="2.2.29"/>
@@ -432,220 +496,6 @@ this issue.
 <affects prod="httpd" version="2.4.1"/>
 </issue>
 
-<issue fixed="2.2.33-dev" reported="20170206" public="20170619" released="20170619">
-<cve name="CVE-2017-3167"/>
-<severity level="2">important</severity>
-<title>ap_get_basic_auth_pw() Authentication Bypass</title>
-<description><p>
-Use of the ap_get_basic_auth_pw() by third-party modules outside of the
-authentication phase may lead to authentication requirements being bypassed.
-</p><p>
-Third-party module writers SHOULD use ap_get_basic_auth_components(), available
-in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().  Modules which call the
-legacy ap_get_basic_auth_pw() during the authentication phase MUST either
-immediately authenticate the user after the call, or else stop the request
-immediately with an error response, to avoid incorrectly authenticating the
-current request.
-</p><p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch"
-   >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch</a>.
-</p></description>
-<acknowledgements>
-We would like to thank Emmanuel Dreyfus for reporting this issue.
-</acknowledgements>
-<affects prod="httpd" version="2.4.25"/>
-<affects prod="httpd" version="2.4.23"/>
-<affects prod="httpd" version="2.4.20"/>
-<affects prod="httpd" version="2.4.18"/>
-<affects prod="httpd" version="2.4.17"/>
-<affects prod="httpd" version="2.4.16"/>
-<affects prod="httpd" version="2.4.12"/>
-<affects prod="httpd" version="2.4.10"/>
-<affects prod="httpd" version="2.4.9"/>
-<affects prod="httpd" version="2.4.7"/>
-<affects prod="httpd" version="2.4.6"/>
-<affects prod="httpd" version="2.4.4"/>
-<affects prod="httpd" version="2.4.3"/>
-<affects prod="httpd" version="2.4.2"/>
-<affects prod="httpd" version="2.4.1"/>
-<affects prod="httpd" version="2.2.32"/>
-<affects prod="httpd" version="2.2.31"/>
-<affects prod="httpd" version="2.2.29"/>
-<affects prod="httpd" version="2.2.27"/>
-<affects prod="httpd" version="2.2.26"/>
-<affects prod="httpd" version="2.2.25"/>
-<affects prod="httpd" version="2.2.24"/>
-<affects prod="httpd" version="2.2.23"/>
-<affects prod="httpd" version="2.2.22"/>
-<affects prod="httpd" version="2.2.21"/>
-<affects prod="httpd" version="2.2.20"/>
-<affects prod="httpd" version="2.2.19"/>
-<affects prod="httpd" version="2.2.18"/>
-<affects prod="httpd" version="2.2.17"/>
-<affects prod="httpd" version="2.2.16"/>
-<affects prod="httpd" version="2.2.15"/>
-<affects prod="httpd" version="2.2.14"/>
-<affects prod="httpd" version="2.2.13"/>
-<affects prod="httpd" version="2.2.12"/>
-<affects prod="httpd" version="2.2.11"/>
-<affects prod="httpd" version="2.2.10"/>
-<affects prod="httpd" version="2.2.9"/>
-<affects prod="httpd" version="2.2.8"/>
-<affects prod="httpd" version="2.2.6"/>
-<affects prod="httpd" version="2.2.5"/>
-<affects prod="httpd" version="2.2.4"/>
-<affects prod="httpd" version="2.2.3"/>
-<affects prod="httpd" version="2.2.2"/>
-<affects prod="httpd" version="2.2.0"/>
-</issue>
-
-<issue fixed="2.2.33-dev" reported="20161205" public="20170619" released="20170619">
-<cve name="CVE-2017-3169"/>
-<severity level="2">important</severity>
-<title>mod_ssl Null Pointer Dereference</title>
-<description><p>
-mod_ssl may dereference a NULL pointer when third-party modules call
-ap_hook_process_connection() during an HTTP request to an HTTPS port.
-</p><p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch"
-   >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch</a>.
-</p></description>
-<acknowledgements>
-We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for
-reporting this issue.
-</acknowledgements>
-<affects prod="httpd" version="2.4.25"/>
-<affects prod="httpd" version="2.4.23"/>
-<affects prod="httpd" version="2.4.20"/>
-<affects prod="httpd" version="2.4.18"/>
-<affects prod="httpd" version="2.4.17"/>
-<affects prod="httpd" version="2.4.16"/>
-<affects prod="httpd" version="2.4.12"/>
-<affects prod="httpd" version="2.4.10"/>
-<affects prod="httpd" version="2.4.9"/>
-<affects prod="httpd" version="2.4.7"/>
-<affects prod="httpd" version="2.4.6"/>
-<affects prod="httpd" version="2.4.4"/>
-<affects prod="httpd" version="2.4.3"/>
-<affects prod="httpd" version="2.4.2"/>
-<affects prod="httpd" version="2.4.1"/>
-<affects prod="httpd" version="2.2.32"/>
-<affects prod="httpd" version="2.2.31"/>
-<affects prod="httpd" version="2.2.29"/>
-<affects prod="httpd" version="2.2.27"/>
-<affects prod="httpd" version="2.2.26"/>
-<affects prod="httpd" version="2.2.25"/>
-<affects prod="httpd" version="2.2.24"/>
-<affects prod="httpd" version="2.2.23"/>
-<affects prod="httpd" version="2.2.22"/>
-<affects prod="httpd" version="2.2.21"/>
-<affects prod="httpd" version="2.2.20"/>
-<affects prod="httpd" version="2.2.19"/>
-<affects prod="httpd" version="2.2.18"/>
-<affects prod="httpd" version="2.2.17"/>
-<affects prod="httpd" version="2.2.16"/>
-<affects prod="httpd" version="2.2.15"/>
-<affects prod="httpd" version="2.2.14"/>
-<affects prod="httpd" version="2.2.13"/>
-<affects prod="httpd" version="2.2.12"/>
-<affects prod="httpd" version="2.2.11"/>
-<affects prod="httpd" version="2.2.10"/>
-<affects prod="httpd" version="2.2.9"/>
-<affects prod="httpd" version="2.2.8"/>
-<affects prod="httpd" version="2.2.6"/>
-<affects prod="httpd" version="2.2.5"/>
-<affects prod="httpd" version="2.2.4"/>
-<affects prod="httpd" version="2.2.3"/>
-<affects prod="httpd" version="2.2.2"/>
-<affects prod="httpd" version="2.2.0"/>
-</issue>
-
-<issue fixed="2.2.33-dev" reported="20170506" public="20170619" released="20170619">
-<cve name="CVE-2017-7668"/>
-<severity level="2">important</severity>
-<title>ap_find_token() Buffer Overread</title>
-<description><p>
-The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
-token list parsing, which allows ap_find_token() to search past the end of its
-input string. By maliciously crafting a sequence of request headers, an attacker
-may be able to cause a segmentation fault, or to force ap_find_token() to return
-an incorrect value.
-</p><p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch"
-   >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch</a>.
-</p></description>
-<acknowledgements>
-We would like to thank Javier JimÃ©nez (javijmor@gmail.com) for reporting this
-issue.
-</acknowledgements>
-<affects prod="httpd" version="2.4.25"/>
-<affects prod="httpd" version="2.2.32"/>
-</issue>
-
-<issue fixed="2.2.33-dev" reported="20151115" public="20170619" released="20170619">
-<cve name="CVE-2017-7679"/>
-<severity level="2">important</severity>
-<title>mod_mime Buffer Overread</title>
-<description><p>
-mod_mime can read one byte past the end of a buffer when sending a malicious
-Content-Type response header.
-</p><p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch"
-   >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch</a>.
-</p></description>
-<acknowledgements>
-We would like to thank ChenQin and Hanno BÃ¶ck for reporting this issue.
-</acknowledgements>
-<affects prod="httpd" version="2.4.25"/>
-<affects prod="httpd" version="2.4.23"/>
-<affects prod="httpd" version="2.4.20"/>
-<affects prod="httpd" version="2.4.18"/>
-<affects prod="httpd" version="2.4.17"/>
-<affects prod="httpd" version="2.4.16"/>
-<affects prod="httpd" version="2.4.12"/>
-<affects prod="httpd" version="2.4.10"/>
-<affects prod="httpd" version="2.4.9"/>
-<affects prod="httpd" version="2.4.7"/>
-<affects prod="httpd" version="2.4.6"/>
-<affects prod="httpd" version="2.4.4"/>
-<affects prod="httpd" version="2.4.3"/>
-<affects prod="httpd" version="2.4.2"/>
-<affects prod="httpd" version="2.4.1"/>
-<affects prod="httpd" version="2.2.32"/>
-<affects prod="httpd" version="2.2.31"/>
-<affects prod="httpd" version="2.2.29"/>
-<affects prod="httpd" version="2.2.27"/>
-<affects prod="httpd" version="2.2.26"/>
-<affects prod="httpd" version="2.2.25"/>
-<affects prod="httpd" version="2.2.24"/>
-<affects prod="httpd" version="2.2.23"/>
-<affects prod="httpd" version="2.2.22"/>
-<affects prod="httpd" version="2.2.21"/>
-<affects prod="httpd" version="2.2.20"/>
-<affects prod="httpd" version="2.2.19"/>
-<affects prod="httpd" version="2.2.18"/>
-<affects prod="httpd" version="2.2.17"/>
-<affects prod="httpd" version="2.2.16"/>
-<affects prod="httpd" version="2.2.15"/>
-<affects prod="httpd" version="2.2.14"/>
-<affects prod="httpd" version="2.2.13"/>
-<affects prod="httpd" version="2.2.12"/>
-<affects prod="httpd" version="2.2.11"/>
-<affects prod="httpd" version="2.2.10"/>
-<affects prod="httpd" version="2.2.9"/>
-<affects prod="httpd" version="2.2.8"/>
-<affects prod="httpd" version="2.2.6"/>
-<affects prod="httpd" version="2.2.5"/>
-<affects prod="httpd" version="2.2.4"/>
-<affects prod="httpd" version="2.2.3"/>
-<affects prod="httpd" version="2.2.2"/>
-<affects prod="httpd" version="2.2.0"/>
-</issue>
-
 <issue fixed="2.2.32" reported="20160702" public="20160718" released="20160718">
 <cve name="CVE-2016-5387"/>
 <severity level="0">n/a</severity>

Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_22.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_22.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_22.html Tue Jul 11 15:12:32 2017
@@ -106,8 +106,8 @@ in a "-dev" release then this means that
 the development source tree and will be part of an upcoming full release.</p><p> This page is created from a database of vulnerabilities originally
 populated by Apache Week.  Please send comments or corrections for
 these vulnerabilities to the <a href="/security_report.html">Security
-Team</a>.  </p><h1 id="2.2.33-dev">
-Fixed in Apache httpd 2.2.33-dev</h1><dl>
+Team</a>.  </p><h1 id="2.2.34">
+Fixed in Apache httpd 2.2.34</h1><dl>
   <dd>
     <b>important: </b>
     <b>
@@ -120,16 +120,12 @@ authentication phase may lead to authent
 </p>
     <p>
 Third-party module writers SHOULD use ap_get_basic_auth_components(), available
-in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().  Modules which call the
+in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw().  Modules which call the
 legacy ap_get_basic_auth_pw() during the authentication phase MUST either
 immediately authenticate the user after the call, or else stop the request
 immediately with an error response, to avoid incorrectly authenticating the
 current request.
 </p>
-    <p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch">https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch</a>.
-</p>
   </dd>
   <dd>
     <p>Acknowledgements: 
@@ -140,10 +136,10 @@ We would like to thank Emmanuel Dreyfus
   Reported to security team: 6thÂ FebruaryÂ 2017<br/>
   Issue public: 19thÂ JuneÂ 2017<br/></dd>
   <dd>
-  Update Released: 19thÂ JuneÂ 2017<br/></dd>
+  Update Released: 11thÂ JulyÂ 2017<br/></dd>
   <dd>
       Affects: 
-    2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p/></dd>
+    2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p/></dd>
   <dd>
     <b>important: </b>
     <b>
@@ -154,10 +150,6 @@ We would like to thank Emmanuel Dreyfus
 mod_ssl may dereference a NULL pointer when third-party modules call
 ap_hook_process_connection() during an HTTP request to an HTTPS port.
 </p>
-    <p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch">https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch</a>.
-</p>
   </dd>
   <dd>
     <p>Acknowledgements: 
@@ -169,10 +161,10 @@ reporting this issue.
   Reported to security team: 5thÂ DecemberÂ 2016<br/>
   Issue public: 19thÂ JuneÂ 2017<br/></dd>
   <dd>
-  Update Released: 19thÂ JuneÂ 2017<br/></dd>
+  Update Released: 11thÂ JulyÂ 2017<br/></dd>
   <dd>
       Affects: 
-    2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p/></dd>
+    2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p/></dd>
   <dd>
     <b>important: </b>
     <b>
@@ -186,10 +178,6 @@ input string. By maliciously crafting a
 may be able to cause a segmentation fault, or to force ap_find_token() to return
 an incorrect value.
 </p>
-    <p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch">https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch</a>.
-</p>
   </dd>
   <dd>
     <p>Acknowledgements: 
@@ -201,10 +189,10 @@ issue.
   Reported to security team: 6thÂ MayÂ 2017<br/>
   Issue public: 19thÂ JuneÂ 2017<br/></dd>
   <dd>
-  Update Released: 19thÂ JuneÂ 2017<br/></dd>
+  Update Released: 11thÂ JulyÂ 2017<br/></dd>
   <dd>
       Affects: 
-    2.4.25, 2.2.32<p/></dd>
+    2.2.32<p/></dd>
   <dd>
     <b>important: </b>
     <b>
@@ -215,10 +203,6 @@ issue.
 mod_mime can read one byte past the end of a buffer when sending a malicious
 Content-Type response header.
 </p>
-    <p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch">https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch</a>.
-</p>
   </dd>
   <dd>
     <p>Acknowledgements: 
@@ -229,10 +213,10 @@ We would like to thank ChenQin and Hanno
   Reported to security team: 15thÂ NovemberÂ 2015<br/>
   Issue public: 19thÂ JuneÂ 2017<br/></dd>
   <dd>
-  Update Released: 19thÂ JuneÂ 2017<br/></dd>
+  Update Released: 11thÂ JulyÂ 2017<br/></dd>
   <dd>
       Affects: 
-    2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p/></dd>
+    2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p/></dd>
 </dl><h1 id="2.2.32">
 Fixed in Apache httpd 2.2.32</h1><dl>
   <dd>

Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_24.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_24.html Tue Jul 11 15:12:32 2017
@@ -120,7 +120,7 @@ authentication phase may lead to authent
 </p>
     <p>
 Third-party module writers SHOULD use ap_get_basic_auth_components(), available
-in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().  Modules which call the
+in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw().  Modules which call the
 legacy ap_get_basic_auth_pw() during the authentication phase MUST either
 immediately authenticate the user after the call, or else stop the request
 immediately with an error response, to avoid incorrectly authenticating the
@@ -139,7 +139,7 @@ We would like to thank Emmanuel Dreyfus
   Update Released: 19thÂ JuneÂ 2017<br/></dd>
   <dd>
       Affects: 
-    2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p/></dd>
+    2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1<p/></dd>
   <dd>
     <b>important: </b>
     <b>
@@ -164,7 +164,7 @@ reporting this issue.
   Update Released: 19thÂ JuneÂ 2017<br/></dd>
   <dd>
       Affects: 
-    2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p/></dd>
+    2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1<p/></dd>
   <dd>
     <b>important: </b>
     <b>
@@ -216,7 +216,7 @@ issue.
   Update Released: 19thÂ JuneÂ 2017<br/></dd>
   <dd>
       Affects: 
-    2.4.25, 2.2.32<p/></dd>
+    2.4.25<p/></dd>
   <dd>
     <b>important: </b>
     <b>
@@ -240,7 +240,7 @@ We would like to thank ChenQin and Hanno
   Update Released: 19thÂ JuneÂ 2017<br/></dd>
   <dd>
       Affects: 
-    2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p/></dd>
+    2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1<p/></dd>
 </dl><h1 id="2.4.25">
 Fixed in Apache httpd 2.4.25</h1><dl>
   <dd>