Posted to cvs@httpd.apache.org by mj...@apache.org on 2009/10/06 11:43:37 UTC

svn commit: r822179 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml

Author: mjc
Date: Tue Oct  6 09:43:36 2009
New Revision: 822179

URL: http://svn.apache.org/viewvc?rev=822179&view=rev
Log:
Update for 2.2.14 release and add solaris DoS

Modified:
    httpd/site/trunk/docs/security/vulnerabilities-oval.xml
    httpd/site/trunk/docs/security/vulnerabilities_22.html
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=822179&r1=822178&r2=822179&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Tue Oct  6 09:43:36 2009
@@ -5,6 +5,39 @@
 <oval:timestamp>2005-10-12T18:13:45</oval:timestamp>
 </generator>
 <definitions>
+<definition id="oval:org.apache.httpd:def:20092699" version="1" class="vulnerability">
+<metadata>
+<title>Solaris pollset DoS</title>
+<reference source="CVE" ref_id="CVE-2009-2699" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2699"/>
+<description>
+Faulty error handling was found affecting Solaris pollset support
+(Event Port backend) caused by a bug in APR.  A remote attacker
+could trigger this issue on Solaris servers which used prefork or
+event MPMs, resulting in a denial of service.
+</description>
+<apache_httpd_repository>
+<public>20090923</public>
+<reported>20090805</reported>
+<released>20091005</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2213" comment="the version of httpd is 2.2.13"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2212" comment="the version of httpd is 2.2.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2211" comment="the version of httpd is 2.2.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:229" comment="the version of httpd is 2.2.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:228" comment="the version of httpd is 2.2.8"/>
+<criterion test_ref="oval:org.apache.httpd:tst:226" comment="the version of httpd is 2.2.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:225" comment="the version of httpd is 2.2.5"/>
+<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+</criteria>
+</definition>
 <definition id="oval:org.apache.httpd:def:20093094" version="1" class="vulnerability">
 <metadata>
 <title>mod_proxy_ftp DoS</title>
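Review bot: The new definition for CVE-2009-2699 matches on httpd version alone, although its own description limits the issue to Solaris servers using the prefork or event MPM. As written, the eleven `criterion` entries will report any 2.2.0–2.2.13 host as vulnerable on every platform, so scanners consuming this file will raise false positives on non-Solaris systems. One option is to make the outer group `<criteria operator="AND">` and add a platform criterion beside the inner version list, e.g. `<criterion test_ref="PLATFORM_TEST_ID" comment="the host is running Solaris"/>` (placeholder id; no such test is visible in this hunk). If this file is generated from xdocs/security/vulnerabilities-httpd.xml, the restriction has to be expressed there, since the matching `<issue>` entry in that file also carries it only in prose.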
@@ -19,7 +52,7 @@
 <apache_httpd_repository>
 <public>20090802</public>
 <reported>20090904</reported>
-<released/>
+<released>20091005</released>
 <severity level="4">low</severity>
 </apache_httpd_repository>
 </metadata>
@@ -53,7 +86,7 @@
 <apache_httpd_repository>
 <public>20090803</public>
 <reported>20090903</reported>
-<released/>
+<released>20091005</released>
 <severity level="4">low</severity>
 </apache_httpd_repository>
 </metadata>

Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=822179&r1=822178&r2=822179&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Tue Oct  6 09:43:36 2009
@@ -88,7 +88,7 @@
  <tr>
  <td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="2.2.14-dev"><strong>Fixed in Apache httpd 2.2.14-dev</strong></a>
+   <a name="2.2.14"><strong>Fixed in Apache httpd 2.2.14</strong></a>
   </font>
  </td>
  </tr>
@@ -109,7 +109,9 @@
 service.
 </p>
 </dd>
-<dd />
+<dd>
+  Update Released: 5th October 2009<br />
+</dd>
 <dd>
       Affects: 
     2.2.13, 2.2.12, 2.2.11, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
@@ -128,7 +130,29 @@
 to the FTP server.
 </p>
 </dd>
-<dd />
+<dd>
+  Update Released: 5th October 2009<br />
+</dd>
+<dd>
+      Affects: 
+    2.2.13, 2.2.12, 2.2.11, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
+</dd>
+<dd>
+<b>moderate: </b>
+<b>
+<name name="CVE-2009-2699">Solaris pollset DoS</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2699">CVE-2009-2699</a>
+<p>
+Faulty error handling was found affecting Solaris pollset support
+(Event Port backend) caused by a bug in APR.  A remote attacker
+could trigger this issue on Solaris servers which used prefork or
+event MPMs, resulting in a denial of service.
+</p>
+</dd>
+<dd>
+  Update Released: 5th October 2009<br />
+</dd>
 <dd>
       Affects: 
     2.2.13, 2.2.12, 2.2.11, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
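Review bot: The added entry wraps the title in `<name name="CVE-2009-2699">`, which is not an HTML element, so the page gets no anchor that a link to `#CVE-2009-2699` could land on. Readers and advisories then cannot deep-link to this specific issue and have to fall back to the release-level anchor. The intended markup is probably `<a name="CVE-2009-2699">Solaris pollset DoS</a>`. This file appears to be generated from the xdocs source, so the fix most likely belongs in the stylesheet rather than in this hunk, and entries outside the hunk may share the problem.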

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=822179&r1=822178&r2=822179&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Tue Oct  6 09:43:36 2009
@@ -1,6 +1,29 @@
-<security updated="20090925">
+<security updated="20091006">
 
-<issue fixed="2.2.14-dev" reported="20090904" public="20090802">
+<issue fixed="2.2.14" reported="20090805" public="20090923" released="20091005">
+<cve name="CVE-2009-2699"/>
+<severity level="3">moderate</severity>
+<title>Solaris pollset DoS</title>
+<description><p>
+Faulty error handling was found affecting Solaris pollset support
+(Event Port backend) caused by a bug in APR.  A remote attacker
+could trigger this issue on Solaris servers which used prefork or
+event MPMs, resulting in a denial of service.
+</p></description>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.2.14" reported="20090904" public="20090802" released="20091005">
 <cve name="CVE-2009-3094"/>
 <severity level="4">low</severity>
 <title>mod_proxy_ftp DoS</title>
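Review bot: The new CVE-2009-2699 entry attributes the flaw to a bug in APR but records only `fixed="2.2.14"` for httpd, with no indication of which APR release carries the fix. An administrator whose httpd is built against a separately installed APR cannot tell from this entry whether upgrading httpd alone is enough; presumably it is not, since the faulty code lives in the library. I would add a sentence to the `<description>` such as `Servers built against a separately installed APR must also update APR to APR_FIXED_VERSION.`, with the placeholder replaced by the actual release. The `<affects>` list likewise encodes only httpd versions, so the Solaris and MPM conditions exist in prose only.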
@@ -24,7 +47,7 @@
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
-<issue fixed="2.2.14-dev" reported="20090903" public="20090803">
+<issue fixed="2.2.14" reported="20090903" public="20090803" released="20091005">
 <cve name="CVE-2009-3095"/>
 <severity level="4">low</severity>
 <title>mod_proxy_ftp FTP command injection</title>