Posted to cvs@httpd.apache.org by bu...@apache.org on 2021/03/30 10:14:14 UTC

svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/

Added: websites/staging/httpd/trunk/content/security/json/CVE-2016-0736.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2016-0736.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2016-0736.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,163 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2016-01-20",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2016-12-20",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2016-12-20",
+      "lang": "eng",
+      "value": "2.4.25 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2016-12-20",
+    "ID": "CVE-2016-0736",
+    "TITLE": "Padding Oracle in Apache mod_session_crypto"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "Padding Oracle in Apache mod_session_crypto"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "We would like to thank individuals at the RedTeam Pentesting GmbH for reporting this issue."
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "Prior to Apache HTTP release 2.4.25, mod_sessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC. An authentication tag (SipHash MAC) is now added to prevent such attacks."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "low"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.23"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.16"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.12"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.10"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.9"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.7"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.6"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.4"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.3"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.2"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.1"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
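Review bot: The description value spells the module `mod_sessioncrypto`, while `CVE_data_meta.TITLE` and the `problemtype` text in the same record use `mod_session_crypto`, so a search on the module name misses the description. I would change the description to begin `Prior to Apache HTTP release 2.4.25, mod_session_crypto was encrypting its data/cookie ...`. Separately, `"references": {}` and `"advisory": ""` are both empty, so the record carries no pointer to the fix or the advisory; whether the source XML had one is not visible from this hunk.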

Added: websites/staging/httpd/trunk/content/security/json/CVE-2016-1546.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2016-1546.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2016-1546.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,103 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2016-02-02",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2016-04-11",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2016-04-11",
+      "lang": "eng",
+      "value": "2.4.20 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2016-04-11",
+    "ID": "CVE-2016-1546",
+    "TITLE": "mod_http2: denial of service by thread starvation"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "mod_http2: denial of service by thread starvation"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "This issue was reported by Noam Mazor."
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams where processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "low"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
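Review bot: In the description value, `no streams where processed for these` should read `no streams were processed for these`. The rest of the text agrees with `version_data`, which lists exactly 2.4.17 and 2.4.18.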

Added: websites/staging/httpd/trunk/content/security/json/CVE-2016-2161.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2016-2161.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2016-2161.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,163 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2016-07-11",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2016-12-20",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2016-12-20",
+      "lang": "eng",
+      "value": "2.4.25 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2016-12-20",
+    "ID": "CVE-2016-2161",
+    "TITLE": "DoS vulnerability in mod_auth_digest"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "DoS vulnerability in mod_auth_digest"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "We would like to thank Maksim Malyutin for reporting this issue."
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "low"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.23"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.16"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.12"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.10"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.9"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.7"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.6"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.4"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.3"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.2"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.1"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file

Added: websites/staging/httpd/trunk/content/security/json/CVE-2016-4975.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2016-4975.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2016-4975.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,308 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2016-07-24",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2018-08-14",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2016-12-20",
+      "lang": "eng",
+      "value": "2.4.25 released"
+    },
+    {
+      "time": "2017-01-13",
+      "lang": "eng",
+      "value": "2.2.32 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2018-08-14",
+    "ID": "CVE-2016-4975",
+    "TITLE": "mod_userdir CRLF injection"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "mod_userdir CRLF injection"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "The issue was discovered by Sergey Bobrov"
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the \"Location\" or other outbound header key or value."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "moderate"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.23"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.16"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.12"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.10"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.9"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.7"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.6"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.4"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.3"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.2"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.1"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.31"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.29"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.27"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.26"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.25"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.24"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.23"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.22"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.21"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.20"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.19"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.18"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.17"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.16"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.15"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.14"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.13"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.12"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.11"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.10"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.9"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.8"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.6"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.5"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.4"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.3"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.2"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.0"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
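Review bot: The timeline entry `"value": "2.2.32 released"` is dated `2017-01-13` in this record, but the CVE-2016-5387 record added later in this same commit dates `2.2.32 released` as `2016-07-18`; both cannot be correct. In that other record the date equals its own `public` date, which suggests it is the one that was copied by mistake, though that is an inference. The two files should be made to agree, since consumers read the timeline to learn when a fix shipped. The entries here are also not in chronological order (`public` at 2018-08-14 precedes the 2016 and 2017 release entries), so readers must not assume ordering.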

Added: websites/staging/httpd/trunk/content/security/json/CVE-2016-4979.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2016-4979.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2016-4979.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,103 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2016-06-30",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2016-07-05",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2016-07-05",
+      "lang": "eng",
+      "value": "2.4.23 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2016-07-05",
+    "ID": "CVE-2016-4979",
+    "TITLE": "TLS/SSL X.509 client certificate auth bypass with HTTP/2"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "TLS/SSL X.509 client certificate auth bypass with HTTP/2"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "This issue was reported by Erki Aring."
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "For configurations enabling support for HTTP/2, SSL client certificate validation was not enforced if configured, allowing clients unauthorized access to protected resources over HTTP/2. This issue affected releases 2.4.18 and 2.4.20 only."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "important"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file

Added: websites/staging/httpd/trunk/content/security/json/CVE-2016-5387.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2016-5387.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2016-5387.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,308 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2016-07-02",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2016-07-18",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2016-12-20",
+      "lang": "eng",
+      "value": "2.4.25 released"
+    },
+    {
+      "time": "2016-07-18",
+      "lang": "eng",
+      "value": "2.2.32 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2016-07-18",
+    "ID": "CVE-2016-5387",
+    "TITLE": "HTTP_PROXY environment variable \"httpoxy\" mitigation"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "HTTP_PROXY environment variable \"httpoxy\" mitigation"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "We would like to thank Dominic Scheirlinck and Scott Geary of Vend for reporting and proposing a fix for this issue."
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "HTTP_PROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the \"HTTP_PROXY\" variable from a \"Proxy:\" header, which has never been registered by IANA. This workaround and patch are documented in the ASF Advisory at asf-httpoxy-response.txt and incorporated in the 2.4.25 and 2.2.32 releases. Note: This is not assigned an httpd severity, as it is a defect in other software which overloaded well-established CGI environment variables, and does not reflect an error in HTTP server software."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "n/a"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.23"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.16"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.12"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.10"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.9"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.7"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.6"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.4"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.3"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.2"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.1"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.31"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.29"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.27"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.26"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.25"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.24"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.23"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.22"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.21"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.20"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.19"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.18"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.17"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.16"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.15"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.14"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.13"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.12"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.11"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.10"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.9"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.8"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.6"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.5"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.4"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.3"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.2"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.0"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
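Review bot: The `2.2.32 released` timeline entry is dated `2016-07-18`, the same day as the `public` entry, while the CVE-2016-8743 record added later in this commit dates `2.2.32 released` to `2017-01-13`. The two records cannot both be right, and this one looks like the disclosure date copied into the release entry. A consumer that derives the exposure window from `timeline` would treat the 2.2.x line as fixed on the day of disclosure. I would change it to `"time": "2017-01-13"` once confirmed against the release announcement. Separately, the description cites asf-httpoxy-response.txt but `references` is `{}` and `source.advisory` is `""`, so the record carries no machine-readable pointer to the advisory it relies on.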

Added: websites/staging/httpd/trunk/content/security/json/CVE-2016-8740.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2016-8740.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2016-8740.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,113 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2016-11-22",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2016-12-04",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2016-12-20",
+      "lang": "eng",
+      "value": "2.4.25 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2016-12-04",
+    "ID": "CVE-2016-8740",
+    "TITLE": "HTTP/2 CONTINUATION denial of service"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "HTTP/2 CONTINUATION denial of service"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "We would like to thank Naveen Tiwari and CDF/SEFCOM at Arizona State University to reporting this issue."
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "The HTTP/2 protocol implementation (mod_http2) had an incomplete handling of the LimitRequestFields directive. This allowed an attacker to inject unlimited request headers into the server, leading to eventual memory exhaustion."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "low"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.23"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
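Review bot: The `credit` value reads "to reporting this issue" where "for reporting this issue" is meant. These strings are published verbatim on the security pages, so the wording is better fixed in the source record before the JSON is regenerated. The same kind of slip appears in the CVE-2016-8743 description added further down: `grammer`, `possiblity`, and "was retained the input headers array", which is missing "in". None of these change the technical content of the advisories.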

Added: websites/staging/httpd/trunk/content/security/json/CVE-2016-8743.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2016-8743.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2016-8743.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,308 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2016-02-10",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2016-12-20",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2016-12-20",
+      "lang": "eng",
+      "value": "2.4.25 released"
+    },
+    {
+      "time": "2017-01-13",
+      "lang": "eng",
+      "value": "2.2.32 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2016-12-20",
+    "ID": "CVE-2016-8743",
+    "TITLE": "Apache HTTP Request Parsing Whitespace Defects"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "Apache HTTP Request Parsing Whitespace Defects"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "We would like to thank David Dennerline at IBM Security's X-Force Researchers as well as Régis Leroy for each reporting this issue."
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "Apache HTTP Server, prior to release 2.4.25 (2.2.32), accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines was treated as whitespace and remained in the request field member \"the_request\", while a bare CR in the request header field name would be honored as whitespace, and a bare CR in the request header field value was retained the input headers array. Implied additional whitespace was accepted in the request line and prior to the ':' delimiter of any request header lines. RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section 3.2.3 eliminated and clarified the role of implied whitespace in the grammer of this specification. Section 3.1.1 requires exactly one single SP between the method and request-target, and between the request-target and HTTP-version
 , followed immediately by a CRLF sequence. None of these fields permit any (unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the request header field prior to the ':' character, while Section 3.2 disallows all CTL characters in the request header line other than the HTAB character as whitespace. These defects represent a security concern when httpd is participating in any chain of proxies or interacting with back-end application servers, either through mod_proxy or using conventional CGI mechanisms. In each case where one agent accepts such CTL characters and does not treat them as whitespace, there is the possiblity in a proxy chain of generating two responses from a server behind the uncautious proxy agent. In a sequence of two requests, this results in request A to the first proxy being interpreted as requests A + A' by the backend server, and if requests A and B were submitted to the first proxy in a keepalive connection, the proxy may
  interpret response A' as the response to request B, polluting the cache or potentially serving the A' content to a different downstream user-agent. These defects are addressed with the release of Apache HTTP Server 2.4.25 and coordinated by a new directive; HttpProtocolOptions Strict which is the default behavior of 2.4.25 and later. By toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but this will reintroduce the possibility of the problems described in this assessment. Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than HTAB (where permitted), but will allow other RFC requirements to not be enforced, such as exactly two SP characters in the request line."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "important"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.23"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.16"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.12"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.10"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.9"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.7"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.6"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.4"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.3"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.2"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.1"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.31"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.29"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.27"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.26"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.25"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.24"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.23"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.22"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.21"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.20"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.19"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.18"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.17"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.16"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.15"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.14"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.13"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.12"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.11"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.10"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.9"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.8"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.6"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.5"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.4"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.3"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.2"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.0"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file

Added: websites/staging/httpd/trunk/content/security/json/CVE-2017-15710.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2017-15710.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2017-15710.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,188 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2017-12-07",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2018-03-21",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2018-03-21",
+      "lang": "eng",
+      "value": "2.4.33 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2018-03-21",
+    "ID": "CVE-2017-15710",
+    "TITLE": "Out of bound write in mod_authnz_ldap when using too small Accept-Language values"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "Out of bound write in mod_authnz_ldap when using too small Accept-Language values"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "The Apache HTTP Server security team would like to thank Alex Nichols and Jakob Hirsch for reporting this issue."
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "low"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.29"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.28"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.27"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.26"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.25"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.23"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.16"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.12"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.10"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.9"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.7"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.6"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.4"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.3"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.2"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.1"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file

Added: websites/staging/httpd/trunk/content/security/json/CVE-2017-15715.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2017-15715.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2017-15715.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,188 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2017-11-24",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2018-03-21",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2018-03-21",
+      "lang": "eng",
+      "value": "2.4.33 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2018-03-21",
+    "ID": "CVE-2017-15715",
+    "TITLE": "<FilesMatch> bypass with a trailing newline in the file name"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "<FilesMatch> bypass with a trailing newline in the file name"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "The issue was discovered by Elar Lang - security.elarlang.eu"
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "The expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "low"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.29"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.28"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.27"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.26"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.25"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.23"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.16"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.12"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.10"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.9"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.7"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.6"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.4"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.3"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.2"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.1"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
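Review bot: The `TITLE`, the `problemtype` value and the `description` all carry a literal `<FilesMatch>`, so whatever renders this record into the security pages has to HTML-escape these strings; interpolated raw, the directive name is parsed as a tag and vanishes from the advisory, and unescaped advisory text is an injection sink in general. The renderer is not part of this commit, so this is something to confirm rather than a known defect. Separately, the description value has a doubled word: `uploads of some files are are externally blocked` should read `uploads of some files are externally blocked`.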

Added: websites/staging/httpd/trunk/content/security/json/CVE-2017-3167.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2017-3167.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2017-3167.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,318 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2017-02-06",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2017-06-19",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2017-06-19",
+      "lang": "eng",
+      "value": "2.4.26 released"
+    },
+    {
+      "time": "2017-07-11",
+      "lang": "eng",
+      "value": "2.2.34 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2017-06-19",
+    "ID": "CVE-2017-3167",
+    "TITLE": "ap_get_basic_auth_pw() Authentication Bypass"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "ap_get_basic_auth_pw() Authentication Bypass"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "We would like to thank Emmanuel Dreyfus for reporting this issue."
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "important"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.25"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.23"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.16"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.12"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.10"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.9"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.7"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.6"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.4"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.3"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.2"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.1"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.32"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.31"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.29"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.27"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.26"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.25"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.24"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.23"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.22"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.21"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.20"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.19"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.18"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.17"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.16"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.15"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.14"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.13"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.12"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.11"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.10"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.9"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.8"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.6"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.5"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.4"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.3"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.2"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.0"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
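Review bot: The `version_data` list names each affected release with `"version_affected": "="`, and the 2.2 entries stop at 2.2.32 and skip 2.2.30 and 2.2.28, while the timeline gives 2.2.34 as the fixed release. A consumer that compares version strings exactly will treat a build reporting an unlisted number (a vendor rebuild, an untagged snapshot) as unaffected; presumably the skipped numbers were never released, but the record does not say so. If the consumers of this file support it, one range entry per branch, e.g. `"version_affected": "<", "version_value": "2.2.34"`, would state the boundary directly. The same applies to the CVE-2017-3169 hunk below and to the 2.4 list in CVE-2017-15715 (highest entry 2.4.29, timeline fix 2.4.33).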

Added: websites/staging/httpd/trunk/content/security/json/CVE-2017-3169.json
==============================================================================
--- websites/staging/httpd/trunk/content/security/json/CVE-2017-3169.json (added)
+++ websites/staging/httpd/trunk/content/security/json/CVE-2017-3169.json Tue Mar 30 10:14:12 2021
@@ -0,0 +1,318 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "xmltojsonmjc 1.0"
+  },
+  "references": {},
+  "timeline": [
+    {
+      "time": "2016-12-05",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2017-06-19",
+      "lang": "eng",
+      "value": "public"
+    },
+    {
+      "time": "2017-06-19",
+      "lang": "eng",
+      "value": "2.4.26 released"
+    },
+    {
+      "time": "2017-07-11",
+      "lang": "eng",
+      "value": "2.2.34 released"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd"
+  },
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "AKA": "",
+    "STATE": "PUBLIC",
+    "DATE_PUBLIC": "2017-06-19",
+    "ID": "CVE-2017-3169",
+    "TITLE": "mod_ssl Null Pointer Dereference"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "mod_ssl Null Pointer Dereference"
+          }
+        ]
+      }
+    ]
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for reporting this issue."
+    }
+  ],
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port."
+      }
+    ]
+  },
+  "impact": [
+    {
+      "other": "important"
+    }
+  ],
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.25"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.23"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.20"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.18"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.17"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.16"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.12"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.10"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.9"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.7"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.6"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.4"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.3"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.2"
+                    },
+                    {
+                      "version_name": "2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.1"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.32"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.31"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.29"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.27"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.26"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.25"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.24"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.23"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.22"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.21"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.20"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.19"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.18"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.17"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.16"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.15"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.14"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.13"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.12"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.11"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.10"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.9"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.8"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.6"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.5"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.4"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.3"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.2"
+                    },
+                    {
+                      "version_name": "2.2",
+                      "version_affected": "=",
+                      "version_value": "2.2.0"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
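Review bot: The `problemtype` description only repeats the title (`mod_ssl Null Pointer Dereference`), so the record carries no machine-readable weakness class, and `impact` is the free-text `"other": "important"`. A triage tool cannot tell from the structured fields that this is most likely an availability issue. If nothing downstream depends on the value matching the title, `"value": "CWE-476 NULL Pointer Dereference"` would fit what the description states; `references` and `source.advisory` are also empty, so the record gives no pointer to the fix or the advisory. The other records in this commit follow the same pattern.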