You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mj...@apache.org on 2021/03/30 14:42:56 UTC

svn commit: r1888222 - in /httpd/site/trunk/content/security/json: CVE-2010-2068.json CVE-2010-2791.json CVE-2011-0419.json CVE-2011-3368.json

Author: mjc
Date: Tue Mar 30 14:42:56 2021
New Revision: 1888222

URL: http://svn.apache.org/viewvc?rev=1888222&view=rev
Log:
Add a few new paragraphs to some earlier CVE

Modified:
    httpd/site/trunk/content/security/json/CVE-2010-2068.json
    httpd/site/trunk/content/security/json/CVE-2010-2791.json
    httpd/site/trunk/content/security/json/CVE-2011-0419.json
    httpd/site/trunk/content/security/json/CVE-2011-3368.json

Modified: httpd/site/trunk/content/security/json/CVE-2010-2068.json
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/json/CVE-2010-2068.json?rev=1888222&r1=1888221&r2=1888222&view=diff
==============================================================================
--- httpd/site/trunk/content/security/json/CVE-2010-2068.json (original)
+++ httpd/site/trunk/content/security/json/CVE-2010-2068.json Tue Mar 30 14:42:56 2021
@@ -61,7 +61,7 @@
     "description_data": [
       {
         "lang": "eng",
-        "value": "An information disclosure flaw was found in mod_proxy_http in versions 2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha. Under certain timeout conditions, the server could return a response intended for another user. Only Windows, Netware and OS2 operating systems are affected. Only those configurations which trigger the use of proxy worker pools are affected. There was no vulnerability on earlier versions, as proxy pools were not yet introduced. The simplest workaround is to globally configure; SetEnv proxy-nokeepalive 1 Source code patches are at; 2.2.15: CVE-2010-2068-r953616.patch 2.3.5: CVE-2010-2068-r953418.patch Binary replacement modules are at mod_proxy_http-CVE-2010-2068.zip"
+        "value": "An information disclosure flaw was found in mod_proxy_http in versions 2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha. Under certain timeout conditions, the server could return a response intended for another user. Only Windows, Netware and OS2 operating systems are affected. Only those configurations which trigger the use of proxy worker pools are affected. There was no vulnerability on earlier versions, as proxy pools were not yet introduced.\nThe simplest workaround is to globally configure;\nSetEnv proxy-nokeepalive 1"
       }
     ]
   },
@@ -135,4 +135,4 @@
       ]
     }
   }
-}
\ No newline at end of file
+}

Modified: httpd/site/trunk/content/security/json/CVE-2010-2791.json
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/json/CVE-2010-2791.json?rev=1888222&r1=1888221&r2=1888222&view=diff
==============================================================================
--- httpd/site/trunk/content/security/json/CVE-2010-2791.json (original)
+++ httpd/site/trunk/content/security/json/CVE-2010-2791.json Tue Mar 30 14:42:56 2021
@@ -55,7 +55,7 @@
     "description_data": [
       {
         "lang": "eng",
-        "value": "An information disclosure flaw was found in mod_proxy_http in version 2.2.9 only, on Unix platforms. Under certain timeout conditions, the server could return a response intended for another user. Only those configurations which trigger the use of proxy worker pools are affected. There was no vulnerability on earlier versions, as proxy pools were not yet introduced. The simplest workaround is to globally configure: SetEnv proxy-nokeepalive 1"
+        "value": "An information disclosure flaw was found in mod_proxy_http in version 2.2.9 only, on Unix platforms. Under certain timeout conditions, the server could return a response intended for another user. Only those configurations which trigger the use of proxy worker pools are affected. There was no vulnerability on earlier versions, as proxy pools were not yet introduced. The simplest workaround is to globally configure:\nSetEnv proxy-nokeepalive 1"
       }
     ]
   },
@@ -89,4 +89,4 @@
       ]
     }
   }
-}
\ No newline at end of file
+}

Modified: httpd/site/trunk/content/security/json/CVE-2011-0419.json
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/json/CVE-2011-0419.json?rev=1888222&r1=1888221&r2=1888222&view=diff
==============================================================================
--- httpd/site/trunk/content/security/json/CVE-2011-0419.json (original)
+++ httpd/site/trunk/content/security/json/CVE-2011-0419.json Tue Mar 30 14:42:56 2021
@@ -66,7 +66,7 @@
     "description_data": [
       {
         "lang": "eng",
-        "value": "A flaw was found in the apr_fnmatch() function of the bundled APR library. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a remote attacker could send a carefully crafted request which would cause excessive CPU usage. This could be used in a denial of service attack. Workaround: Setting the 'IgnoreClient' option to the 'IndexOptions' directive disables processing of the client-supplied request query arguments, preventing this attack. Resolution: Update APR to release 1.4.5 (bundled with httpd 2.2.19) or release 0.9.20 (bundled with httpd 2.0.65)"
+        "value": "A flaw was found in the apr_fnmatch() function of the bundled APR library. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a remote attacker could send a carefully crafted request which would cause excessive CPU usage. This could be used in a denial of service attack.\nWorkaround: Setting the 'IgnoreClient' option to the 'IndexOptions' directive disables processing of the client-supplied request query arguments, preventing this attack.\nResolution: Update APR to release 1.4.5 (bundled with httpd 2.2.19) or release 0.9.20 (bundled with httpd 2.0.65)"
       }
     ]
   },
@@ -300,4 +300,4 @@
       ]
     }
   }
-}
\ No newline at end of file
+}

Modified: httpd/site/trunk/content/security/json/CVE-2011-3368.json
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/json/CVE-2011-3368.json?rev=1888222&r1=1888221&r2=1888222&view=diff
==============================================================================
--- httpd/site/trunk/content/security/json/CVE-2011-3368.json (original)
+++ httpd/site/trunk/content/security/json/CVE-2011-3368.json Tue Mar 30 14:42:56 2021
@@ -71,7 +71,7 @@
     "description_data": [
       {
         "lang": "eng",
-        "value": "An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker. No update of 1.3 will be released. Patches will be published to https://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/"
+        "value": "An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker. No update of 1.3 will be released.\nPatches will be published to https://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/"
       }
     ]
   },
@@ -455,4 +455,4 @@
       ]
     }
   }
-}
\ No newline at end of file
+}