Posted to cvs@httpd.apache.org by mj...@apache.org on 2008/06/15 14:56:33 UTC
svn commit: r667956 - in /httpd/site/trunk:
docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html
xdocs/security/vulnerabilities-httpd.xml
Author: mjc
Date: Sun Jun 15 05:56:32 2008
New Revision: 667956
URL: http://svn.apache.org/viewvc?rev=667956&view=rev
Log:
Add the two CVEs fixed in 2.2.9 to the vulnerability pages
Modified:
httpd/site/trunk/docs/security/vulnerabilities-oval.xml
httpd/site/trunk/docs/security/vulnerabilities_22.html
httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=667956&r1=667955&r2=667956&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Sun Jun 15 05:56:32 2008
@@ -5,6 +5,60 @@
<oval:timestamp>2005-10-12T18:13:45</oval:timestamp>
</generator>
<definitions>
+<definition id="oval:org.apache.httpd:def:20082364" version="1" class="vulnerability">
+<metadata>
+<title>mod_proxy_http DoS</title>
+<reference source="CVE" ref_id="CVE-2008-2364" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364"/>
+<description>
+A flaw was found in the handling of excessive interim responses
+from an origin server when using mod_proxy_http. A remote attacker
+could cause a denial of service or high memory usage.</description>
+<apache_httpd_repository>
+<public>20080610</public>
+<reported>20080529</reported>
+<released>20080614</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:228" comment="the version of httpd is 2.2.8"/>
+<criterion test_ref="oval:org.apache.httpd:tst:226" comment="the version of httpd is 2.2.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:225" comment="the version of httpd is 2.2.5"/>
+<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20076420" version="1" class="vulnerability">
+<metadata>
+<title>mod_proxy_balancer CSRF</title>
+<reference source="CVE" ref_id="CVE-2007-6420" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420"/>
+<description>
+The mod_proxy_balancer provided an administrative interface that could be
+vulnerable to cross-site request forgery (CSRF) attacks.
+</description>
+<apache_httpd_repository>
+<public>20080109</public>
+<reported>20071012</reported>
+<released>20080614</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:228" comment="the version of httpd is 2.2.8"/>
+<criterion test_ref="oval:org.apache.httpd:tst:226" comment="the version of httpd is 2.2.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:225" comment="the version of httpd is 2.2.5"/>
+<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+</criteria>
+</definition>
<definition id="oval:org.apache.httpd:def:20076388" version="1" class="vulnerability">
<metadata>
<title>mod_status XSS</title>
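Review bot: The generator timestamp on the context line `<oval:timestamp>2005-10-12T18:13:45</oval:timestamp>` is left at its 2005 value while two new vulnerability definitions are added directly beneath it; OVAL consumers generally use this field to decide whether a content set is newer than the one they hold, so a scanner that already has the older snapshot may not pick up the CVE-2008-2364 and CVE-2007-6420 definitions. The xdocs source in the same commit does bump `<security updated="20080615">`, so the OVAL output should carry the same date, e.g. `<oval:timestamp>2008-06-15T05:56:32</oval:timestamp>`. If this file is produced from the xdocs source by a generator, the fix belongs in the generator rather than in the committed output. The outer `<criteria operator="OR">` wrapping a single inner `<criteria operator="OR">` in both new definitions is also redundant, though it may simply match the existing entries, which are outside the hunk.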
@@ -719,7 +773,7 @@
</description>
<apache_httpd_repository>
<public>20060508</public>
-<reported/>
+<reported></reported>
<released>20060501</released>
<severity level="3">moderate</severity>
</apache_httpd_repository>
@@ -2775,6 +2829,10 @@
</definition>
</definitions>
<tests>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:228" version="1" comment="the version of httpd is 2.2.8" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:228"/>
+</httpd_test>
<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:226" version="1" comment="the version of httpd is 2.2.6" check="at least one">
<object object_ref="oval:org.apache.httpd:obj:1"/>
<state state_ref="oval:org.apache.httpd:ste:226"/>
@@ -3004,6 +3062,9 @@
</httpd_object>
</objects>
<states>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:228" version="1" comment="the version of httpd is 2.2.8">
+<version operation="equals" datatype="version">2.2.8</version>
+</httpd_state>
<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:226" version="1" comment="the version of httpd is 2.2.6">
<version operation="equals" datatype="version">2.2.6</version>
</httpd_state>
Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=667956&r1=667955&r2=667956&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html Sun Jun 15 05:56:32 2008
@@ -91,6 +91,57 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+ <a name="2.2.9"><strong>Fixed in Apache httpd 2.2.9</strong></a>
+ </font>
+ </td>
+ </tr>
+ <tr><td>
+ <blockquote>
+<dl>
+<dd>
+<b>low: </b>
+<b>
+<name name="CVE-2007-6420">mod_proxy_balancer CSRF</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420">CVE-2007-6420</a>
+<p>
+The mod_proxy_balancer provided an administrative interface that could be
+vulnerable to cross-site request forgery (CSRF) attacks.
+</p>
+</dd>
+<dd>
+ Update Released: 14th June 2008<br />
+</dd>
+<dd>
+ Affects:
+ 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
+</dd>
+<dd>
+<b>moderate: </b>
+<b>
+<name name="CVE-2008-2364">mod_proxy_http DoS</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364">CVE-2008-2364</a>
+<p>
+A flaw was found in the handling of excessive interim responses
+from an origin server when using mod_proxy_http. A remote attacker
+could cause a denial of service or high memory usage.</p>
+</dd>
+<dd>
+ Update Released: 14th June 2008<br />
+</dd>
+<dd>
+ Affects:
+ 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
+</dd>
+</dl>
+ </blockquote>
+ </td></tr>
+</table>
+ <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr>
+ <td bgcolor="#525D76">
+ <font color="#ffffff" face="arial,helvetica,sanserif">
<a name="2.2.8"><strong>Fixed in Apache httpd 2.2.8</strong></a>
</font>
</td>
Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=667956&r1=667955&r2=667956&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml Sun Jun 15 05:56:32 2008
@@ -1,4 +1,38 @@
-<security updated="20080119">
+<security updated="20080615">
+
+<issue fixed="2.2.9" public="20080610" reported="20080529" released="20080614">
+<cve name="CVE-2008-2364"/>
+<severity level="3">moderate</severity>
+<title>mod_proxy_http DoS</title>
+<description><p>
+A flaw was found in the handling of excessive interim responses
+from an origin server when using mod_proxy_http. A remote attacker
+could cause a denial of service or high memory usage.</p></description>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.2.9" public="20080109" reported="20071012" released="20080614">
+<cve name="CVE-2007-6420"/>
+<severity level="4">low</severity>
+<title>mod_proxy_balancer CSRF</title>
+<description><p>
+The mod_proxy_balancer provided an administrative interface that could be
+vulnerable to cross-site request forgery (CSRF) attacks.
+</p></description>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
<issue fixed="2.2.8" public="20080102" reported="20071215" released="20080119">
<cve name="CVE-2007-6388"/>