Posted to cvs@httpd.apache.org by wr...@apache.org on 2016/12/20 21:26:36 UTC

svn commit: r1775358 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Author: wrowe
Date: Tue Dec 20 21:26:36 2016
New Revision: 1775358

URL: http://svn.apache.org/viewvc?rev=1775358&view=rev
Log:
Note CVE-2016-0736 - this wording could use substantial improvement

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1775358&r1=1775357&r2=1775358&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Tue Dec 20 21:26:36 2016
@@ -184,6 +184,35 @@ We would like to thank Maksim Malyutin f
 <affects prod="httpd" version="2.4.1"/>
 </issue>
 
+<issue fixed="2.4.25" reported="20160120" public="20161220" released="20161220">
+<cve name="CVE-2016-0736"/>
+<severity level="4">low</severity>
+<title>Padding Oracle in Apache mod_session_crypto</title>
+<description><p>
+  Authenticate the session data/cookie presented to mod_session_crypto
+  with a MAC (SipHash) to prevent deciphering or tampering with a padding
+  oracle attack.
+</p></description>
+<acknowledgements>
+We would like to thank Alexander Neumann of RedTeam Pentesting for reporting 
+this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
+
 <issue fixed="2.2.32-dev" reported="20160702" public="20160718" released="20160718">
 <cve name="CVE-2016-5387"/>
 <severity level="0">n/a</severity>
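Review bot: The new `<description>` (the `<p>` spanning the lines after `<title>`) is written as the remediation in imperative voice ("Authenticate the session data/cookie ... with a MAC") rather than as a statement of the flaw, so a reader of the published advisory is told what the fix does but not what was wrong or what the exposure was. The log message itself flags the wording as needing improvement, and the rest of the entry gives enough to state it plainly: the title names a padding oracle in mod_session_crypto and the text names deciphering and tampering as the outcomes. I would reword the paragraph to `mod_session_crypto encrypted the session data/cookie without authenticating it, so a padding oracle attack could be used to decipher or tamper with the session contents.` followed by `The fix authenticates the session data with a MAC (SipHash) before decryption.`, which keeps the same substance but in advisory form. The `<acknowledgements>` line ending in "reporting " carries a trailing space that will end up in the rendered text; worth trimming in a follow-up.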