You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by bu...@apache.org on 2019/08/15 06:00:31 UTC
svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./
security/vulnerabilities-httpd.xml security/vulnerabilities_13.html
security/vulnerabilities_20.html security/vulnerabilities_22.html
security/vulnerabilities_24.html
Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_24.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_24.html Thu Aug 15 06:00:30 2019
@@ -97,7 +97,2312 @@ h2:hover > .headerlink, h3:hover > .head
<!-- RIGHT SIDE INFORMATION -->
<div id="apcontents">
-
+ <h1 id="top">Apache HTTP Server 2.4 vulnerabilities</h1><p>This page lists all security vulnerabilities fixed in released
+versions of Apache HTTP Server 2.4. Each
+vulnerability is given a security <a href="/security/impact_levels.html">impact rating</a> by the Apache
+security team - please note that this rating may well vary from
+platform to platform. We also list the versions of Apache httpd the
+flaw is known to affect, and where a flaw has not been verified list
+the version with a question mark. </p><p> Please note that if a vulnerability is shown below as being fixed
+in a "-dev" release then this means that a fix has been applied to
+the development source tree and will be part of an upcoming full release.</p><p> Please send comments or corrections for
+these vulnerabilities to the <a href="/security_report.html">Security
+Team</a>. </p><p><em>The initial GA release, Apache httpd 2.4.1, includes fixes for all vulnerabilities which have been resolved in Apache httpd 2.2.22 and all older releases. Consult the <a href="vulnerabilities_22.html">Apache httpd 2.2 vulnerabilities list</a> for more information.</em></p><br/><h1 id="2.4.40">
+Fixed in Apache httpd 2.4.40</h1><dl>
+ <dt>
+ <h3 id="CVE-2019-10092">low:
+ <name name="CVE-2019-10092">Limited cross-site scripting in mod_proxy error page</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10092">CVE-2019-10092</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p> A limited cross-site scripting issue was reported affecting
+ the mod_proxy error page. An attacker could cause the link on
+ the error page to be malfomed and instead point to a page of
+ their choice. This would only be exploitable where a server was
+ set up with proxying enabled but was misconfigured in such a way
+ that the Proxy Error page was displayed.</p>
+ <p>We have taken this opportunity to also remove request data
+ from many other in-built error messages. Note however this issue
+ did not affect them directly and their output was already escaped
+ to prevent cross-site scripting attacks.</p>
+ <p>Acknowledgements:
+ This issue was reported by Matei "Mal" Badanoiu
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">9th July 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2019-10082">moderate:
+ <name name="CVE-2019-10082">mod_http2, read-after-free in h2 connection shutdown</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10082">CVE-2019-10082</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>Using fuzzed network input, the http/2 session
+ handling could be made to read memory after being freed,
+ during connection shutdown.
+ </p>
+ <p>Acknowledgements:
+ The issue was discovered by Craig Young of Tripwire VERT, <vuln-report@secur3.us>.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">12th April 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.32, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2019-10081">moderate:
+ <name name="CVE-2019-10081">mod_http2, memory corruption on early pushes</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10081">CVE-2019-10081</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ HTTP/2 very early pushes, for example configured with "H2PushResource",
+ could lead to an overwrite of memory in the pushing request's pool,
+ leading to crashes. The memory copied is that of the configured push
+ link header values, not data supplied by the client.
+ </p>
+ <p>Acknowledgements:
+ The issue was discovered by Craig Young of Tripwire VERT, <vuln-report@secur3.us>.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">10th April 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.32, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2019-9517">moderate:
+ <name name="CVE-2019-9517">mod_http2, DoS attack by exhausting h2 workers.</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517">CVE-2019-9517</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ A malicious client could perform a DoS attack by flooding
+ a connection with requests and basically never reading responses
+ on the TCP connection. Depending on h2 worker dimensioning, it was
+ possible to block those with relatively few connections.
+ </p>
+ <p>Acknowledgements:
+ The issue was discovered by Jonathan Looney of Netflix.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">10th April 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.32, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.41">
+Fixed in Apache httpd 2.4.41</h1><dl>
+ <dt>
+ <h3 id="CVE-2019-10097">moderate:
+ <name name="CVE-2019-10097">CVE-2019-10097 mod_remoteip: Stack buffer overflow and NULL pointer dereference</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10097">CVE-2019-10097</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>When mod_remoteip was configured to use a trusted intermediary proxy
+server using the "PROXY" protocol, a specially crafted PROXY header
+could trigger a stack buffer overflow or NULL pointer deference.
+This vulnerability could only be triggered by a trusted proxy and not
+by untrusted HTTP clients.</p>
+ <p>Acknowledgements:
+ The issue was discovered by Daniel McCarney <cpu@letsencrypt.org> Let's Encrypt / Internet Security Research Group (ISRG)@FIXME
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">23rd July 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.40FIXME">
+Fixed in Apache httpd 2.4.40FIXME</h1><dl>
+ <dt>
+ <h3 id="CVE-2019-10098">low:
+ <name name="CVE-2019-10098">mod_rewrite potential open redirect</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10098">CVE-2019-10098</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Redirects configured with mod_rewrite that were intended to be self-referential
+might be fooled by encoded newlines and redirect instead to an an unexpected
+URL within the request URL.
+ </p>
+ <p>Acknowledgements:
+ The issue was discovered by Yukitsugu Sasaki
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">26th March 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">14th August 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.39">
+Fixed in Apache httpd 2.4.39</h1><dl>
+ <dt>
+ <h3 id="CVE-2019-0211">important:
+ <name name="CVE-2019-0211">Apache HTTP Server privilege escalation from modules' scripts</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211">CVE-2019-0211</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM
+ event, worker or prefork, code executing in less-privileged
+ child processes or threads (including scripts executed by an
+ in-process scripting interpreter) could execute arbitrary code
+ with the privileges of the parent process (usually root) by
+ manipulating the scoreboard. Non-Unix systems are not
+ affected.</p>
+ <p>Acknowledgements:
+ The issue was discovered by Charles Fol.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">22nd February 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">1st April 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2019-0217">important:
+ <name name="CVE-2019-0217">mod_auth_digest access control bypass</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0217">CVE-2019-0217</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p> In Apache HTTP Server 2.4 release 2.4.38 and prior, a
+ race condition in mod_auth_digest when running in a threaded
+ server could allow a user with valid credentials to authenticate
+ using another username, bypassing configured access control
+ restrictions.
+ </p>
+ <p>Acknowledgements:
+ The issue was discovered by Simon Kappel.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">29th January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">1st April 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2019-0215">important:
+ <name name="CVE-2019-0215">mod_ssl access control bypass</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0215">CVE-2019-0215</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in
+ mod_ssl when using per-location client certificate verification
+ with TLSv1.3 allowed a client supporting Post-Handshake
+ Authentication to bypass configured access control restrictions.</p>
+ <p>Acknowledgements:
+ The issue was discovered by Michael Kaufmann.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">23rd January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">1st April 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.38, 2.4.37</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2019-0197">low:
+ <name name="CVE-2019-0197">mod_http2, possible crash on late upgrade</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0197">CVE-2019-0197</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for
+ h2 on a https: host, an Upgrade request from http/1.1 to http/2 that
+ was not the first request on a connection could lead to a misconfiguration
+ and crash. A server that never enabled the h2 protocol or that only enabled
+ it for https: and did not configure the "H2Upgrade on" is unaffected by this.
+ </p>
+ <p>Acknowledgements:
+The issue was discovered by Stefan Eissing, greenbytes.de.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">29th January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">1st April 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2019-0196">low:
+ <name name="CVE-2019-0196">mod_http2, read-after-free on a string compare</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0196">CVE-2019-0196</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>Using fuzzed network input, the http/2 request
+ handling could be made to access freed memory in string
+ comparision when determining the method of a request and
+ thus process the request incorrectly.
+ </p>
+ <p>Acknowledgements:
+ The issue was discovered by Craig Young, <vuln-report@secur3.us>.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">29th January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">1st April 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2019-0220">low:
+ <name name="CVE-2019-0220">Apache httpd URL normalization inconsistincy</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0220">CVE-2019-0220</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p> When the path component of a request URL contains multiple
+ consecutive slashes ('/'), directives such as LocationMatch
+ and RewriteRule must account for duplicates in regular
+ expressions while other aspects of the servers processing will
+ implicitly collapse them.
+ </p>
+ <p>Acknowledgements:
+ The issue was discovered by Bernhard Lorenz <bernhard.lorenz@alphastrike.io> of Alpha Strike Labs GmbH.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">20th January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">1st April 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.38">
+Fixed in Apache httpd 2.4.38</h1><dl>
+ <dt>
+ <h3 id="CVE-2019-0190">important:
+ <name name="CVE-2019-0190">mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190">CVE-2019-0190</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>A bug exists in the way mod_ssl handled client renegotiations.
+ A remote attacker could send a carefully crafted request that
+ would cause mod_ssl to enter a loop leading to a denial of
+ service. This bug can be only triggered with Apache HTTP Server
+ version 2.4.37 when using OpenSSL version 1.1.1 or later, due to
+ an interaction in changes to handling of renegotiation attempts.
+ </p>
+ <p>Acknowledgements:
+ The issue was discovered through user bug reports.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">1st January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">22nd January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.37</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2018-17199">low:
+ <name name="CVE-2018-17199">mod_session_cookie does not respect expiry time</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199">CVE-2018-17199</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session
+ checks the session expiry time before decoding the session.
+ This causes session expiry time to be ignored for
+ mod_session_cookie sessions since the expiry time is loaded
+ when the session is decoded.</p>
+ <p>Acknowledgements:
+ The issue was discovered by Diego Angulo from ImExHS.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">8th October 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">22nd January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2018-17189">low:
+ <name name="CVE-2018-17189">DoS for HTTP/2 connections via slow request bodies</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189">CVE-2018-17189</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>By sending request bodies in a slow loris way to plain
+ resources, the h2 stream for that request unnecessarily
+ occupied a server thread cleaning up that incoming data.
+ This affects only HTTP/2 connections. A possible mitigation
+ is to not enable the h2 protocol.
+</p>
+ <p>Acknowledgements:
+The issue was discovered by Gal Goldshtein of F5 Networks.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">16th October 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">22nd January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.35">
+Fixed in Apache httpd 2.4.35</h1><dl>
+ <dt>
+ <h3 id="CVE-2018-11763">low:
+ <name name="CVE-2018-11763">DoS for HTTP/2 connections by continuous SETTINGS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763">CVE-2018-11763</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>By sending continous SETTINGS frames of maximum size an ongoing HTTP/2
+connection could be kept busy and would never time out. This can be abused
+for a DoS on the server. This only affect a server that has enabled the h2
+protocol.</p>
+ <p>Acknowledgements:
+The issue was discovered by Gal Goldshtein of F5 Networks.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">18th July 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">25th September 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.34">
+Fixed in Apache httpd 2.4.34</h1><dl>
+ <dt>
+ <h3 id="CVE-2018-1333">low:
+ <name name="CVE-2018-1333">DoS for HTTP/2 connections by crafted requests</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1333">CVE-2018-1333</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>By specially crafting HTTP/2 requests, workers would be
+allocated 60 seconds longer than necessary, leading to
+worker exhaustion and a denial of service.</p>
+ <p>This issue only affects servers that have configured and enabled HTTP/2 support,
+which is not the default</p>
+ <p>Acknowledgements:
+The issue was discovered by Craig Young of Tripwire VERT.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">8th May 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">18th July 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.33, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2018-8011">moderate:
+ <name name="CVE-2018-8011">mod_md, DoS via Coredumps on specially crafted requests</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8011">CVE-2018-8011</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>By specially crafting HTTP requests, the mod_md challenge
+handler would dereference a NULL pointer and cause the child
+process to segfault. This could be used to DoS the server.</p>
+ <p>Acknowledgements:
+The issue was discovered by Daniel Caminada <daniel.caminada@ergon.ch>.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">29th June 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">18th July 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.33</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.33">
+Fixed in Apache httpd 2.4.33</h1><dl>
+ <dt>
+ <h3 id="CVE-2018-1303">low:
+ <name name="CVE-2018-1303">Possible out of bound read in mod_cache_socache</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1303">CVE-2018-1303</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>A specially crafted HTTP request header could have crashed the Apache HTTP
+Server prior to version 2.4.33 due to an out of bound read while preparing data
+to be cached in shared memory. It could be used as a Denial of Service attack
+against users of mod_cache_socache.</p>
+ <p>Acknowledgements:
+The issue was discovered by Robert Swiecki, bug found by honggfuzz.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">23rd January 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2018-1302">low:
+ <name name="CVE-2018-1302">Possible write of after free on HTTP/2 stream shutdown</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1302">CVE-2018-1302</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server
+prior to version 2.4.33 could have written a NULL pointer potentially to an
+already freed memory.</p>
+ <p>The memory pools maintained by the server make this
+vulnerabilty hard to trigger in usual configurations, the reporter and the team
+could not reproduce it outside debug builds, so it is classified as low risk.</p>
+ <p>Acknowledgements:
+The issue was discovered by Robert Swiecki, bug found by honggfuzz.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">23rd January 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2018-1301">low:
+ <name name="CVE-2018-1301">Possible out of bound access after failure in reading the HTTP request</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1301">CVE-2018-1301</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>A specially crafted request could have crashed the Apache HTTP Server prior to
+version 2.4.33, due to an out of bound access after a size limit is reached by
+reading the HTTP header. This vulnerability is considered very hard if not
+impossible to trigger in non-debug mode (both log and build level), so it is
+classified as low risk for common server usage.</p>
+ <p>Acknowledgements:
+The issue was discovered by Robert Swiecki, bug found by honggfuzz.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">23rd January 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2018-1312">low:
+ <name name="CVE-2018-1312">Weak Digest auth nonce generation in mod_auth_digest</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1312">CVE-2018-1312</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>When generating an HTTP Digest authentication challenge, the nonce
+sent to prevent reply attacks was not correctly generated using a
+pseudo-random seed.</p>
+ <p>In a cluster of servers using a common Digest
+authentication configuration, HTTP requests could be replayed across
+servers by an attacker without detection.</p>
+ <p>Acknowledgements:
+The issue was discovered by Nicolas Daniels.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">5th March 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-15715">low:
+ <name name="CVE-2017-15715"><FilesMatch> bypass with a trailing newline in the file name</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15715">CVE-2017-15715</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>The expression specified in <FilesMatch> could match '$' to a newline character
+in a malicious filename, rather than matching only the end of the filename.</p>
+ <p>This could be exploited in environments where uploads of some files are are
+externally blocked, but only by matching the trailing portion of the filename.</p>
+ <p>Acknowledgements:
+The issue was discovered by Elar Lang - security.elarlang.eu
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">24th November 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-15710">low:
+ <name name="CVE-2017-15710">Out of bound write in mod_authnz_ldap when using too small Accept-Language values</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15710">CVE-2017-15710</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>mod_authnz_ldap, if configured with AuthLDAPCharsetConfig,
+uses the Accept-Language header value to lookup the right charset encoding
+when verifying the user's credentials.</p>
+ <p>If the header value is not present in the charset conversion
+table, a fallback mechanism is used to truncate it to a two
+characters value to allow a quick retry (for example, 'en-US' is truncated
+to 'en'). A header value of less than two characters forces an out of bound
+write of one NUL byte to a memory location that is not part of the string.
+In the worst case, quite unlikely, the process would crash which could
+be used as a Denial of Service attack. In the more likely case, this memory is
+already reserved for future use and the issue has no effect at all.</p>
+ <p>Acknowledgements:
+The Apache HTTP Server security team would like to thank Alex Nichols
+and Jakob Hirsch for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">7th December 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2018-1283">moderate:
+ <name name="CVE-2018-1283">Tampering of mod_session data for CGI applications</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1283">CVE-2018-1283</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>When mod_session is configured to forward its session data to CGI
+applications (SessionEnv on, not the default), a remote user may influence
+their content by using a "Session" header.</p>
+ <p>This comes from the "HTTP_SESSION"
+variable name used by mod_session to forward its data to CGIs, since the
+prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header
+fields, per CGI specifications.</p>
+ <p>The severity is set to Moderate because "SessionEnv on" is not a default nor
+common configuration, it should be considered more severe when this is the case
+though, because of the possible remote exploitation.</p>
+ <p>Acknowledgements:
+The issue was discovered internally by the Apache HTTP Server team.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">14th November 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">21st March 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.28">
+Fixed in Apache httpd 2.4.28</h1><dl>
+ <dt>
+ <h3 id="CVE-2017-9798">low:
+ <name name="CVE-2017-9798">Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed")</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798">CVE-2017-9798</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>When an unrecognized HTTP Method is given in an <Limit {method}>
+directive in an .htaccess file, and that .htaccess file is processed by the
+corresponding request, the global methods table is corrupted in the current
+worker process, resulting in erratic behaviour.</p>
+ <p>This behavior may be avoided by listing all unusual HTTP Methods in a global
+httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later.</p>
+ <p>To permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive.</p>
+ <p>Source code patch (2.4) is at;</p>
+ <ul>
+<li><a href="https://www.apache.org/dist/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch">CVE-2017-9798-patch-2.4.patch</a></li>
+</ul>
+ <p>Source code patch (2.2) is at;</p>
+ <ul>
+<li><a href="https://archive.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch">CVE-2017-9798-patch-2.2.patch</a></li>
+</ul>
+ <p>Note 2.2 is end-of-life, no further release with this fix is planned. Users
+are encouraged to migrate to 2.4.28 or later for this and other fixes.</p>
+ <p>Acknowledgements:
+We would like to thank Hanno Böck for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">12th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">18th September 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">5th October 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.27">
+Fixed in Apache httpd 2.4.27</h1><dl>
+ <dt>
+ <h3 id="CVE-2017-9789">important:
+ <name name="CVE-2017-9789">Read after free in mod_http2</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9789">CVE-2017-9789</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+When under stress, closing many connections, the HTTP/2
+handling code would sometimes access memory after it has
+been freed, resulting in potentially erratic behaviour.
+</p>
+ <p>Acknowledgements:
+We would like to thank Robert ÅwiÄcki for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">30th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">11th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">11th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.26</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-9788">important:
+ <name name="CVE-2017-9788">Uninitialized memory reflection in mod_auth_digest</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788">CVE-2017-9788</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+The value placeholder in [Proxy-]Authorization headers
+of type 'Digest' was not initialized or reset
+before or between successive key=value assignments.
+by mod_auth_digest.
+</p>
+ <p>
+Providing an initial key with no '=' assignment
+could reflect the stale value of uninitialized pool
+memory used by the prior request, leading to leakage
+of potentially confidential information, and a segfault.
+</p>
+ <p>Acknowledgements:
+We would like to thank Robert ÅwiÄcki for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">28th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">11th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">11th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.26">
+Fixed in Apache httpd 2.4.26</h1><dl>
+ <dt>
+ <h3 id="CVE-2017-3167">important:
+ <name name="CVE-2017-3167">ap_get_basic_auth_pw() Authentication Bypass</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167">CVE-2017-3167</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+authentication phase may lead to authentication requirements being bypassed.
+</p>
+ <p>
+Third-party module writers SHOULD use ap_get_basic_auth_components(), available
+in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the
+legacy ap_get_basic_auth_pw() during the authentication phase MUST either
+immediately authenticate the user after the call, or else stop the request
+immediately with an error response, to avoid incorrectly authenticating the
+current request.
+</p>
+ <p>Acknowledgements:
+We would like to thank Emmanuel Dreyfus for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">6th February 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-3169">important:
+ <name name="CVE-2017-3169">mod_ssl Null Pointer Dereference</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169">CVE-2017-3169</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+mod_ssl may dereference a NULL pointer when third-party modules call
+ap_hook_process_connection() during an HTTP request to an HTTPS port.
+</p>
+ <p>Acknowledgements:
+We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for
+reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">5th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-7659">important:
+ <name name="CVE-2017-7659">mod_http2 Null Pointer Dereference</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7659">CVE-2017-7659</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a
+NULL pointer and crash the server process.
+</p>
+ <p>Acknowledgements:
+We would like to thank Robert ÅwiÄcki for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">18th November 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.25</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-7668">important:
+ <name name="CVE-2017-7668">ap_find_token() Buffer Overread</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668">CVE-2017-7668</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
+token list parsing, which allows ap_find_token() to search past the end of its
+input string. By maliciously crafting a sequence of request headers, an attacker
+may be able to cause a segmentation fault, or to force ap_find_token() to return
+an incorrect value.
+</p>
+ <p>Acknowledgements:
+We would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this
+issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">6th May 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.25</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-7679">important:
+ <name name="CVE-2017-7679">mod_mime Buffer Overread</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679">CVE-2017-7679</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+mod_mime can read one byte past the end of a buffer when sending a malicious
+Content-Type response header.
+</p>
+ <p>Acknowledgements:
+We would like to thank ChenQin and Hanno Böck for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">15th November 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.25">
+Fixed in Apache httpd 2.4.25</h1><dl>
+ <dt>
+ <h3 id="CVE-2016-8743">important:
+ <name name="CVE-2016-8743">Apache HTTP Request Parsing Whitespace Defects</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Apache HTTP Server, prior to release 2.4.25 (2.2.32), accepted a broad pattern
+of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB
+in parsing the request line and request header lines, as well as HTAB in
+parsing the request line. Any bare CR present in request lines was treated
+as whitespace and remained in the request field member "the_request", while
+a bare CR in the request header field name would be honored as whitespace,
+and a bare CR in the request header field value was retained the input headers
+array. Implied additional whitespace was accepted in the request line and prior
+to the ':' delimiter of any request header lines.
+</p>
+ <p>
+RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section
+3.2.3 eliminated and clarified the role of implied whitespace in the grammer
+of this specification. Section 3.1.1 requires exactly one single SP between the
+method and request-target, and between the request-target and HTTP-version,
+followed immediately by a CRLF sequence. None of these fields permit any
+(unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed
+any whitespace from the request header field prior to the ':' character, while
+Section 3.2 disallows all CTL characters in the request header line other than
+the HTAB character as whitespace.
+</p>
+ <p>
+These defects represent a security concern when httpd is participating in any
+chain of proxies or interacting with back-end application servers, either
+through mod_proxy or using conventional CGI mechanisms. In each case where one
+agent accepts such CTL characters and does not treat them as whitespace, there
+is the possiblity in a proxy chain of generating two responses from a server
+behind the uncautious proxy agent. In a sequence of two requests, this results
+in request A to the first proxy being interpreted as requests A + A' by the
+backend server, and if requests A and B were submitted to the first proxy in
+a keepalive connection, the proxy may interpret response A' as the response
+to request B, polluting the cache or potentially serving the A' content to
+a different downstream user-agent.
+</p>
+ <p>
+These defects are addressed with the release of Apache HTTP Server 2.4.25
+and coordinated by a new directive;
+</p>
+ <ul>
+ <li>
+<a href="http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions">HttpProtocolOptions Strict</a></li>
+ </ul>
+ <p>
+which is the default behavior of 2.4.25 and later. By toggling from 'Strict'
+behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow
+some invalid HTTP/1.1 clients to communicate with the server, but this will
+reintroduce the possibility of the problems described in this assessment.
+Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs
+other than HTAB (where permitted), but will allow other RFC requirements to
+not be enforced, such as exactly two SP characters in the request line.
+</p>
+ <p>Acknowledgements:
+We would like to thank David Dennerline at IBM Security's X-Force Researchers
+as well as Régis Leroy for each reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">10th February 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">20th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">20th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2016-8740">low:
+ <name name="CVE-2016-8740">HTTP/2 CONTINUATION denial of service</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740">CVE-2016-8740</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ The HTTP/2 protocol implementation (mod_http2) had an incomplete handling
+ of the
+ <a href="https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields">LimitRequestFields</a>
+ directive. This allowed an attacker to inject unlimited request headers into
+ the server, leading to eventual memory exhaustion.
+</p>
+ <p>Acknowledgements:
+We would like to thank Naveen Tiwari
+and CDF/SEFCOM at Arizona State University to reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">22nd November 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">4th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">20th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2016-2161">low:
+ <name name="CVE-2016-2161">DoS vulnerability in mod_auth_digest</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161">CVE-2016-2161</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ Malicious input to mod_auth_digest will cause the server to crash, and
+ each instance continues to crash even for subsequently valid requests.
+</p>
+ <p>Acknowledgements:
+We would like to thank Maksim Malyutin for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">11th July 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">20th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">20th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2016-0736">low:
+ <name name="CVE-2016-0736">Padding Oracle in Apache mod_session_crypto</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736">CVE-2016-0736</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ Prior to Apache HTTP release 2.4.25, mod_sessioncrypto was encrypting its
+ data/cookie using the configured ciphers with possibly either CBC or ECB
+ modes of operation (AES256-CBC by default), hence no selectable or builtin
+ authenticated encryption.
+ This made it vulnerable to padding oracle attacks, particularly with CBC.
+ An authentication tag (SipHash MAC) is now added to prevent such attacks.
+</p>
+ <p>Acknowledgements:
+We would like to thank individuals at the RedTeam Pentesting GmbH for reporting
+this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">20th January 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">20th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">20th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2016-4975">moderate:
+ <name name="CVE-2016-4975">mod_userdir CRLF injection</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4975">CVE-2016-4975</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Possible CRLF injection allowing HTTP response splitting attacks
+for sites which use mod_userdir. This issue was
+mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF
+injection into the "Location" or other outbound
+header key or value.
+</p>
+ <p>Acknowledgements:
+The issue was discovered by Sergey Bobrov
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">24th July 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th August 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">20th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2016-5387">n/a:
+ <name name="CVE-2016-5387">HTTP_PROXY environment variable "httpoxy" mitigation</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387">CVE-2016-5387</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ HTTP_PROXY is a well-defined environment variable in a CGI process,
+ which collided with a number of libraries which failed to avoid
+ colliding with this CGI namespace. A mitigation is provided for the
+ httpd CGI environment to avoid populating the "HTTP_PROXY" variable
+ from a "Proxy:" header, which has never been registered by IANA.
+</p>
+ <p>
+ This workaround and patch are documented in the ASF Advisory at
+ <a href="https://www.apache.org/security/asf-httpoxy-response.txt">asf-httpoxy-response.txt</a>
+ and incorporated in the 2.4.25 and 2.2.32 releases.
+</p>
+ <p>
+ Note: This is not assigned an httpd severity, as it is a defect in
+ other software which overloaded well-established CGI environment
+ variables, and does not reflect an error in HTTP server software.
+</p>
+ <p>Acknowledgements:
+We would like to thank Dominic Scheirlinck and Scott Geary of Vend
+for reporting and proposing a fix for this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">2nd July 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">18th July 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">20th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.23">
+Fixed in Apache httpd 2.4.23</h1><dl>
+ <dt>
+ <h3 id="CVE-2016-4979">important:
+ <name name="CVE-2016-4979">TLS/SSL X.509 client certificate auth bypass with HTTP/2</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4979">CVE-2016-4979</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ For configurations enabling support for HTTP/2, SSL client
+ certificate validation was not enforced if configured, allowing
+ clients unauthorized access to protected resources over HTTP/2.
+</p>
+ <p>
+ This issue affected releases 2.4.18 and 2.4.20 only.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Erki Aring.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">30th June 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">5th July 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">5th July 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.20, 2.4.18</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.20">
+Fixed in Apache httpd 2.4.20</h1><dl>
+ <dt>
+ <h3 id="CVE-2016-1546">low:
+ <name name="CVE-2016-1546">mod_http2: denial of service by thread starvation</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1546">CVE-2016-1546</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+
+ By manipulating the flow control windows on streams, a client was able to
+ block server threads for long times, causing starvation of worker threads.
+ Connections could still be opened, but no streams where processed for these.
+ This issue affected HTTP/2 support in 2.4.17 and 2.4.18.
+
+</p>
+ <p>Acknowledgements:
+This issue was reported by Noam Mazor.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">2nd February 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">11th April 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">11th April 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.18, 2.4.17</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.16">
+Fixed in Apache httpd 2.4.16</h1><dl>
+ <dt>
+ <h3 id="CVE-2015-0228">low:
+ <name name="CVE-2015-0228">mod_lua: Crash in websockets PING handling</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228">CVE-2015-0228</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ A stack recursion crash in the mod_lua module was found. A Lua
+ script executing the r:wsupgrade() function could crash the process
+ if a malicious client sent a carefully crafted PING request. This
+ issue affected releases 2.4.7 through 2.4.12 inclusive.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Guido Vranken.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">28th January 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">4th February 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.12, 2.4.10, 2.4.9, 2.4.7</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2015-0253">low:
+ <name name="CVE-2015-0253">Crash in ErrorDocument 400 handling</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0253">CVE-2015-0253</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ A crash in ErrorDocument handling was found. If ErrorDocument 400
+ was configured pointing to a local URL-path with the INCLUDES filter
+ active, a NULL dereference would occur when handling the error,
+ causing the child process to crash. This issue affected the 2.4.12
+ release only.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">3rd February 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">5th March 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.12</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2015-3183">low:
+ <name name="CVE-2015-3183">HTTP request smuggling attack against chunked request parser</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183">CVE-2015-3183</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ An HTTP request smuggling attack was possible due to a bug in parsing of
+ chunked requests. A malicious client could force the server to
+ misinterpret the request length, allowing cache poisoning or
+ credential hijacking if an intermediary proxy is in use.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Régis Leroy.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">4th April 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">9th June 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2015-3185">low:
+ <name name="CVE-2015-3185">ap_some_auth_required API unusable</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185">CVE-2015-3185</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ A design error in the "ap_some_auth_required" function renders the
+ API unusuable in httpd 2.4.x. In particular the API is documented
+ to answering if the request required authentication but only answers
+ if there are Require lines in the applicable configuration. Since
+ 2.4.x Require lines are used for authorization as well and can
+ appear in configurations even when no authentication is required and
+ the request is entirely unrestricted. This could lead to modules
+ using this API to allow access when they should otherwise not do so.
+ API users should use the new ap_some_authn_required API added in
+ 2.4.16 instead.
+ </p>
+ <p>Acknowledgements:
+This issue was reported by Ben Reser.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">5th August 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">9th June 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.5, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.12">
+Fixed in Apache httpd 2.4.12</h1><dl>
+ <dt>
+ <h3 id="CVE-2014-8109">low:
+ <name name="CVE-2014-8109">mod_lua multiple "Require" directive handling is broken</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109">CVE-2014-8109</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Fix handling of the Require line in mod_lau when a LuaAuthzProvider is
+used in multiple Require directives with different arguments. This could
+lead to different authentication rules than expected.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">9th November 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">30th January 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2014-3583">low:
+ <name name="CVE-2014-3583">mod_proxy_fcgi out-of-bounds memory read</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583">CVE-2014-3583</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+An out-of-bounds memory read was found in mod_proxy_fcgi. A malicious
+FastCGI server could send a carefully crafted response which could
+lead to a crash when reading past the end of a heap memory or stack
+buffer. This issue affects version 2.4.10 only.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Teguh P. Alko.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">17th September 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">12th November 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">30th January 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.10</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2014-3581">low:
+ <name name="CVE-2014-3581">mod_cache crash with empty Content-Type header</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581">CVE-2014-3581</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A NULL pointer deference was found in mod_cache. A malicious HTTP
+server could cause a crash in a caching forward proxy configuration.
+This crash would only be a denial of service if using a threaded MPM.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">8th September 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">30th January 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2013-5704">low:
+ <name name="CVE-2013-5704">HTTP Trailers processing bypass</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704">CVE-2013-5704</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+HTTP trailers could be used to replace HTTP headers late during request
+processing, potentially undoing or otherwise confusing modules that
+examined or modified request headers earlier.</p>
+ <p>This fix adds the "MergeTrailers" directive to restore legacy behavior.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Martin Holst Swende.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">6th September 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th October 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">30th January 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.10">
+Fixed in Apache httpd 2.4.10</h1><dl>
+ <dt>
+ <h3 id="CVE-2014-0231">important:
+ <name name="CVE-2014-0231">mod_cgid denial of service</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231">CVE-2014-0231</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI
+scripts which did not consume standard input, a remote attacker could
+cause child processes to hang indefinitely, leading to denial of
+service.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Rainer Jung of the ASF
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">16th June 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2014-3523">important:
+ <name name="CVE-2014-3523">WinNT MPM denial of service</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3523">CVE-2014-3523</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the WinNT MPM in httpd versions 2.4.1 to 2.4.9, when
+using the default AcceptFilter for that platform. A remote attacker
+could send carefully crafted requests that would leak memory and
+eventually lead to a denial of service against the server.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Jeff Trawick of the ASF
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">1st July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">15th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2014-0117">moderate:
+ <name name="CVE-2014-0117">mod_proxy denial of service</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117">CVE-2014-0117</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9. A remote attacker could send a carefully crafted request
+to a server configured as a reverse proxy, and cause the child process
+to crash. This could lead to a denial of service against a threaded MPM.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466 via HP ZDI
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">7th April 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">15th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.9, 2.4.7, 2.4.6</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2014-0118">moderate:
+ <name name="CVE-2014-0118">mod_deflate denial of service</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118">CVE-2014-0118</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A resource consumption flaw was found in mod_deflate. If request body
+decompression was configured (using the "DEFLATE" input filter), a
+remote attacker could cause the server to consume significant memory
+and/or CPU resources. The use of request body decompression is not a common
+configuration.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Giancarlo Pellegrino and Davide Balzarotti
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">19th February 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2014-0226">moderate:
+ <name name="CVE-2014-0226">mod_status buffer overflow</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226">CVE-2014-0226</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A race condition was found in mod_status. An attacker able to access
+a public server status page on a server using a threaded MPM could send a
+carefully crafted request which could lead to a heap buffer overflow. Note
+that it is not a default or recommended configuration to have a public
+accessible server status page.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Marek Kroemeke, AKAT-1 and
+22733db72ab3ed94b5f8a1ffcde850251fe6f466 via HP ZDI
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">30th May 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">15th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.9">
+Fixed in Apache httpd 2.4.9</h1><dl>
+ <dt>
+ <h3 id="CVE-2014-0098">low:
+ <name name="CVE-2014-0098">mod_log_config crash</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098">CVE-2014-0098</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in mod_log_config. A remote attacker could send a
+specific truncated cookie causing a crash. This crash would only be a
+denial of service if using a threaded MPM.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Rainer M Canavan
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">25th February 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">17th March 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">17th March 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2013-6438">moderate:
+ <name name="CVE-2013-6438">mod_dav crash</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438">CVE-2013-6438</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+XML parsing code in mod_dav incorrectly calculates the end of the string when
+removing leading spaces and places a NUL character outside the buffer, causing
+random crashes. This XML parsing code is only used with DAV provider modules
+that support DeltaV, of which the only publicly released provider is mod_dav_svn.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Ning Zhang & Amin Tora of Neustar
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">10th December 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">17th March 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">17th March 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.7">
+Fixed in Apache httpd 2.4.7</h1><dl>
+ <dt>
+ <h3 id="CVE-2013-4352">low:
+ <name name="CVE-2013-4352">mod_cache crash</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4352">CVE-2013-4352</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A NULL pointer dereference was found in mod_cache. A malicious HTTP
+server could cause a crash in a caching forward proxy configuration.
+(Note that this vulnerability was fixed in the 2.4.7 release, but the
+security impact was not disclosed at the time of the release.)
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">14th September 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">26th November 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.6</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.6">
+Fixed in Apache httpd 2.4.6</h1><dl>
+ <dt>
+ <h3 id="CVE-2013-1896">moderate:
+ <name name="CVE-2013-1896">mod_dav crash</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896">CVE-2013-1896</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Sending a MERGE request against a URI handled by mod_dav_svn with the
+source href (sent as part of the request body as XML) pointing to a
+URI that is not configured for DAV will trigger a segfault.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Ben Reser
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">7th March 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">23rd May 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">22nd July 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2013-2249">moderate:
+ <name name="CVE-2013-2249">mod_session_dbd session fixation flaw</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249">CVE-2013-2249</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw in mod_session_dbd caused it to proceed with save operations for a session
+without considering the dirty flag and the requirement for a new
+session ID.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Takashi Sato
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">29th May 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">22nd July 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">22nd July 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.4">
+Fixed in Apache httpd 2.4.4</h1><dl>
+ <dt>
+ <h3 id="CVE-2012-3499">low:
+ <name name="CVE-2012-3499">XSS due to unescaped hostnames</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499">CVE-2012-3499</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Various XSS flaws due to unescaped hostnames and URIs HTML output in
+mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Niels Heinen of Google
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">11th July 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">18th February 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">25th February 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2012-4558">moderate:
+ <name name="CVE-2012-4558">XSS in mod_proxy_balancer</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558">CVE-2012-4558</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A XSS flaw affected the mod_proxy_balancer manager interface.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Niels Heinen of Google
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">7th October 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">18th February 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">25th February 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.3, 2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.3">
+Fixed in Apache httpd 2.4.3</h1><dl>
+ <dt>
+ <h3 id="CVE-2012-3502">important:
+ <name name="CVE-2012-3502">Response mixup when using mod_proxy_ajp or mod_proxy_http</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3502">CVE-2012-3502</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+The modules mod_proxy_ajp and mod_proxy_http did not always close
+the connection to the back end server when necessary as part of error
+handling. This could lead to an information disclosure due to a response mixup
+between users.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">16th August 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">21st August 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2012-2687">low:
+ <name name="CVE-2012-2687">XSS in mod_negotiation when untrusted uploads are supported</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687">CVE-2012-2687</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Possible XSS for sites which use mod_negotiation and allow
+untrusted uploads to locations which have MultiViews enabled.
+</p>
+ <p>Note: This issue is also known as CVE-2008-0455.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">31st May 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">13th June 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">21st August 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.2, 2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.2">
+Fixed in Apache httpd 2.4.2</h1><dl>
+ <dt>
+ <h3 id="CVE-2012-0883">low:
+ <name name="CVE-2012-0883">insecure LD_LIBRARY_PATH handling</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883">CVE-2012-0883</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Insecure handling of LD_LIBRARY_PATH was found that could
+lead to the current working directory to be searched for DSOs.
+This could allow a local user to execute code as root if an
+administrator runs apachectl from an untrusted directory.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">14th February 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd March 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">17th April 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.1</td>
+ </tr>
+ </table>
+ </dd>
+</dl>
+
<!-- FOOTER -->
<div id="footer">