Posted to cvs@httpd.apache.org by mj...@apache.org on 2007/07/17 16:31:12 UTC
svn commit: r556932 - in /httpd/site/trunk:
docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html
xdocs/security/vulnerabilities-httpd.xml
xdocs/security/vulnerabilities_22.xml
Author: mjc
Date: Tue Jul 17 07:31:10 2007
New Revision: 556932
URL: http://svn.apache.org/viewvc?view=rev&rev=556932
Log:
Add CVE-2007-1862 details, only 2.2.4 was affected
Modified:
httpd/site/trunk/docs/security/vulnerabilities-oval.xml
httpd/site/trunk/docs/security/vulnerabilities_22.html
httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
httpd/site/trunk/xdocs/security/vulnerabilities_22.xml
Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?view=diff&rev=556932&r1=556931&r2=556932
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Tue Jul 17 07:31:10 2007
@@ -5,6 +5,28 @@
<oval:timestamp>2005-10-12T18:13:45</oval:timestamp>
</generator>
<definitions>
+<definition id="oval:org.apache.httpd:def:20071862" version="1" class="vulnerability">
+<metadata>
+<title>mod_cache information leak</title>
+<reference source="CVE" ref_id="CVE-2007-1862" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862"/>
+<description>The recall_headers function in mod_mem_cache in Apache 2.2.4 did not
+properly copy all levels of header data, which can cause Apache to
+return HTTP headers containing previously used data, which could be
+used by remote attackers to obtain potentially sensitive information.
+</description>
+<apache_httpd_repository>
+<public>20070601</public>
+<reported>20070426</reported>
+<released/>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
+</criteria>
+</criteria>
+</definition>
<definition id="oval:org.apache.httpd:def:20071863" version="1" class="vulnerability">
<metadata>
<title>mod_cache proxy DoS</title>
@@ -2286,6 +2308,10 @@
</definition>
</definitions>
<tests>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:224" version="1" comment="the version of httpd is 2.2.4" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:224"/>
+</httpd_test>
<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:2059" version="1" comment="the version of httpd is 2.0.59" check="at least one">
<object object_ref="oval:org.apache.httpd:obj:1"/>
<state state_ref="oval:org.apache.httpd:ste:2059"/>
@@ -2362,10 +2388,6 @@
<object object_ref="oval:org.apache.httpd:obj:1"/>
<state state_ref="oval:org.apache.httpd:ste:2037"/>
</httpd_test>
-<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:224" version="1" comment="the version of httpd is 2.2.4" check="at least one">
-<object object_ref="oval:org.apache.httpd:obj:1"/>
-<state state_ref="oval:org.apache.httpd:ste:224"/>
-</httpd_test>
<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:223" version="1" comment="the version of httpd is 2.2.3" check="at least one">
<object object_ref="oval:org.apache.httpd:obj:1"/>
<state state_ref="oval:org.apache.httpd:ste:223"/>
@@ -2495,6 +2517,9 @@
</httpd_object>
</objects>
<states>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:224" version="1" comment="the version of httpd is 2.2.4">
+<version operation="equals" datatype="version">2.2.4</version>
+</httpd_state>
<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2059" version="1" comment="the version of httpd is 2.0.59">
<version operation="equals" datatype="version">2.0.59</version>
</httpd_state>
@@ -2551,9 +2576,6 @@
</httpd_state>
<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2037" version="1" comment="the version of httpd is 2.0.37">
<version operation="equals" datatype="version">2.0.37</version>
-</httpd_state>
-<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:224" version="1" comment="the version of httpd is 2.2.4">
-<version operation="equals" datatype="version">2.2.4</version>
</httpd_state>
<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:223" version="1" comment="the version of httpd is 2.2.3">
<version operation="equals" datatype="version">2.2.3</version>
Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?view=diff&rev=556932&r1=556931&r2=556932
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html Tue Jul 17 07:31:10 2007
@@ -90,6 +90,23 @@
<dd>
<b>moderate: </b>
<b>
+<name name="CVE-2007-1862">mod_cache information leak</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862">CVE-2007-1862</a>
+<p>The recall_headers function in mod_mem_cache in Apache 2.2.4 did not
+properly copy all levels of header data, which can cause Apache to
+return HTTP headers containing previously used data, which could be
+used by remote attackers to obtain potentially sensitive information.
+</p>
+</dd>
+<dd />
+<dd>
+ Affects:
+ 2.2.4<p />
+</dd>
+<dd>
+<b>moderate: </b>
+<b>
<name name="CVE-2007-1863">mod_cache proxy DoS</name>
</b>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863">CVE-2007-1863</a>
Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?view=diff&rev=556932&r1=556931&r2=556932
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml Tue Jul 17 07:31:10 2007
@@ -1,5 +1,18 @@
<security updated="20070717">
+<issue fixed="2.2.5-dev" public="20070601" reported="20070426">
+<cve name="CVE-2007-1862"/>
+<severity level="3">moderate</severity>
+<title>mod_cache information leak</title>
+<description>
+<p>The recall_headers function in mod_mem_cache in Apache 2.2.4 did not
+properly copy all levels of header data, which can cause Apache to
+return HTTP headers containing previously used data, which could be
+used by remote attackers to obtain potentially sensitive information.
+</p></description>
+<affects prod="httpd" version="2.2.4"/>
+</issue>
+
<issue fixed="2.0.60-dev" public="20070618" reported="20070502">
<cve name="CVE-2007-1863"/>
<severity level="3">moderate</severity>
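Review bot: The new issue's `<title>` says mod_cache, but its description places the flaw in recall_headers in mod_mem_cache, so a reader triaging by title cannot tell which cache provider is implicated. The only machine-readable scoping is `<affects prod="httpd" version="2.2.4"/>`, and the OVAL definition added in this same commit tests the version alone, so the prose is the one place an operator can learn whether a given 2.2.4 configuration is exposed. If the description is accurate, I would use `<title>mod_mem_cache information leak</title>` and add a sentence to the description stating that exposure depends on mod_mem_cache being in use (to be confirmed against the fix). The `<issue>` element for CVE-2007-1862 is complete in this hunk; the following CVE-2007-1863 entry continues outside it.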
Modified: httpd/site/trunk/xdocs/security/vulnerabilities_22.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities_22.xml?view=diff&rev=556932&r1=556931&r2=556932
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities_22.xml (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities_22.xml Tue Jul 17 07:31:10 2007
@@ -25,6 +25,23 @@
<dd>
<b>moderate: </b>
<b>
+<name name="CVE-2007-1862">mod_cache information leak</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862">CVE-2007-1862</a>
+<p>The recall_headers function in mod_mem_cache in Apache 2.2.4 did not
+properly copy all levels of header data, which can cause Apache to
+return HTTP headers containing previously used data, which could be
+used by remote attackers to obtain potentially sensitive information.
+</p>
+</dd>
+<dd/>
+<dd>
+ Affects:
+ 2.2.4<p/>
+</dd>
+<dd>
+<b>moderate: </b>
+<b>
<name name="CVE-2007-1863">mod_cache proxy DoS</name>
</b>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863">CVE-2007-1863</a>