Posted to cvs@httpd.apache.org by mj...@apache.org on 2018/08/14 07:46:44 UTC

svn commit: r1837991 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Author: mjc
Date: Tue Aug 14 07:46:43 2018
New Revision: 1837991

URL: http://svn.apache.org/viewvc?rev=1837991&view=rev
Log:
Add missing details for CVE-2016-4975 which was mitigated by other changes

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1837991&r1=1837990&r2=1837991&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Tue Aug 14 07:46:43 2018
@@ -1,4 +1,4 @@
-<security updated="20180718">  
+<security updated="20180814">  
 
 <issue reported="20180629" public="20180718">
 <cve name="CVE-2018-8011"/>
@@ -738,6 +738,66 @@ as well as Régis Leroy for each repor
 </acknowledgements>
 <affects prod="httpd" version="2.4.23"/>
 <affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+<affects prod="httpd" version="2.2.31"/>
+<affects prod="httpd" version="2.2.29"/>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue reported="20160724" public="20180814">
+<fixed base="2.4" version="2.4.25" date="20161220"/>
+<fixed base="2.2" version="2.2.32" date="20170113"/>              
+<cve name="CVE-2016-4975"/>
+<severity level="3">moderate</severity>
+<title>mod_userdir CRLF injection</title>
+<description><p>
+Possible CRLF injection allowing HTTP response splitting attacks
+for sites which use mod_userdir.  This issue was
+mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF
+injection into the "Location" or other outbound
+header key or value.
+</p></description>
+<acknowledgements>
+The issue was discovered by Sergey Bobrov
+</acknowledgements>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
 <affects prod="httpd" version="2.4.18"/>
 <affects prod="httpd" version="2.4.17"/>
 <affects prod="httpd" version="2.4.16"/>
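Review bot: The added CVE-2016-4975 `<description>` says the issue was mitigated by header checks in 2.4.25 and 2.2.32, but it does not say that this protection sits outside mod_userdir or what operators of the listed affected versions should do. Since the entry is published well after the fixed releases, consider ending the paragraph with a sentence such as `Users of affected versions should upgrade; sites that cannot upgrade are only exposed if mod_userdir is enabled.`, provided that matches the analysis behind the advisory. The `<fixed base="2.2" version="2.2.32" date="20170113"/>` line also carries trailing whitespace that could be trimmed. The new `<issue>` element's `<affects>` list and closing tag continue past the end of this hunk, so the completeness of the affected-version list cannot be checked from here.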