Posted to cvs@httpd.apache.org by bu...@apache.org on 2021/03/30 17:44:59 UTC
svn commit: r1073171 - in /websites/staging/httpd/trunk/content: ./
security/json/CVE-2020-11984.json security/json/CVE-2020-11993.json
security/vulnerabilities_24.html
Author: buildbot
Date: Tue Mar 30 17:44:58 2021
New Revision: 1073171
Log:
Staging update by buildbot for httpd
Modified:
websites/staging/httpd/trunk/content/ (props changed)
websites/staging/httpd/trunk/content/security/json/CVE-2020-11984.json
websites/staging/httpd/trunk/content/security/json/CVE-2020-11993.json
websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Mar 30 17:44:58 2021
@@ -1 +1 @@
-1888227
+1888228
Modified: websites/staging/httpd/trunk/content/security/json/CVE-2020-11984.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2020-11984.json (original)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2020-11984.json Tue Mar 30 17:44:58 2021
@@ -61,7 +61,7 @@
"description_data": [
{
"lang": "eng",
- "value": "Apache HTTP Server versions 2.4.32 to 2.4.43 mod_proxy_uwsgi info disclosure and possible RCE"
+ "value": "In Apache HTTP Server versions 2.4.32 to 2.4.43, mod_proxy_uwsgi has a information disclosure and possible RCE"
}
]
},
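Review bot: the added "value" line reads "has a information disclosure"; the article should be "an". The same string is added to vulnerabilities_24.html later in this commit, so both places need the same correction.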
@@ -120,4 +120,4 @@
]
}
}
-}
\ No newline at end of file
+}
Modified: websites/staging/httpd/trunk/content/security/json/CVE-2020-11993.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2020-11993.json (original)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2020-11993.json Tue Mar 30 17:44:58 2021
@@ -61,7 +61,7 @@
"description_data": [
{
"lang": "eng",
- "value": "Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above \"info\" will mitigate this vulnerability for unpatched servers."
+ "value": "In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.\nConfiguring the LogLevel of mod_http2 above \"info\" will mitigate this vulnerability for unpatched servers."
}
]
},
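Review bot: in the added "value" line, 'Configuring the LogLevel of mod_http2 above "info"' is ambiguous, because "above" can be read as either more verbose or less verbose, and the first sentence ties the problem to trace/debug being enabled. Consider naming the intended levels explicitly instead of relying on "above". The newly introduced "\n" inside the string is also worth checking against any consumer of this JSON that renders the description as a single line.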
@@ -165,4 +165,4 @@
]
}
}
-}
\ No newline at end of file
+}
Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_24.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_24.html Tue Mar 30 17:44:58 2021
@@ -118,7 +118,7 @@ h2:hover > .headerlink, h3:hover > .head
</table></dd>
<dt><h3 id="CVE-2020-11984">moderate: <name name="CVE-2020-11984">mod_proxy_uwsgi buffer overflow</name>
(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984">CVE-2020-11984</a>)</h3></dt>
-<dd><p>Apache HTTP Server versions 2.4.32 to 2.4.43 mod_proxy_uwsgi info disclosure and possible RCE</p>
+<dd><p>In Apache HTTP Server versions 2.4.32 to 2.4.43, mod_proxy_uwsgi has a information disclosure and possible RCE</p>
<p>Acknowledgements: Discovered by Felix Wilhelm of Google Project Zero</p>
<table class="cve"><tr><td class="cve-header">Reported to security team</td><td class="cve-value">2020-07-22</td></tr>
<tr><td class="cve-header">Issue public</td><td class="cve-value">2020-08-07</td></tr>
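Review bot: the heading in the context lines calls this entry "mod_proxy_uwsgi buffer overflow", but the rewritten description paragraph only mentions information disclosure and possible RCE, so the text never states the flaw the title names. Consider wording it so that the buffer overflow in mod_proxy_uwsgi is given as the cause of the information disclosure and possible RCE; that would also remove the "a information" wording.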
@@ -127,7 +127,7 @@ h2:hover > .headerlink, h3:hover > .head
</table></dd>
<dt><h3 id="CVE-2020-11993">moderate: <name name="CVE-2020-11993">Push Diary Crash on Specifically Crafted HTTP/2 Header</name>
(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11993">CVE-2020-11993</a>)</h3></dt>
-<dd><p>Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.</p>
+<dd><p>In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.</p><p>Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.</p>
<p>Acknowledgements: Felix Wilhelm of Google Project Zero</p>
<table class="cve"><tr><td class="cve-header">Reported to security team</td><td class="cve-value">2020-06-16</td></tr>
<tr><td class="cve-header">Issue public</td><td class="cve-value">2020-08-07</td></tr>
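Review bot: the heading in the context lines reads "Push Diary Crash on Specifically Crafted HTTP/2 Header", while the reworded description is about logging statements made on the wrong connection and concurrent use of memory pools; nothing in it mentions the push diary or a crafted header. Since this paragraph is being edited anyway, check that the title and description belong to the same CVE entry. Minor: the acknowledgement line here lacks the "Discovered by" prefix used in the CVE-2020-11984 entry.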