Posted to cvs@httpd.apache.org by jo...@apache.org on 2015/07/17 15:46:52 UTC
svn commit: r1691561 -
/httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Author: jorton
Date: Fri Jul 17 13:46:52 2015
New Revision: 1691561
URL: http://svn.apache.org/r1691561
Log:
Document new 2.4 vulnerabilities (2/4).
Modified:
httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1691561&r1=1691560&r2=1691561&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Fri Jul 17 13:46:52 2015
@@ -1,4 +1,60 @@
-<security updated="20150130">
+<security updated="20150717">
+
+<issue fixed="2.4.16" reported="20150404" public="20150609" released="20150715">
+<cve name="CVE-2015-3183"/>
+<severity level="4">low</severity>
+<title>HTTP request smuggling attack against chunked request parser</title>
+<description><p>
+
+ An HTTP request smuggling attack was possible due to a bug in parsing of
+ chunked requests. A malicious client could force the server to
+ misinterpret the request length, allowing cache poisoning or
+ credential hijacking if an intermediary proxy is in use.
+
+</p></description>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.8"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.4.16" reported="20130805" public="20150609" released="20150715">
+<cve name="CVE-2015-3185"/>
+<severity level="4">low</severity>
+<title>ap_some_auth_required API unusable</title>
+<description><p>
+
+ A design error in the "ap_some_auth_required" function renders the
+ API unusuable in httpd 2.4.x. In particular the API is documented
+ to answering if the request required authentication but only answers
+ if there are Require lines in the applicable configuration. Since
+ 2.4.x Require lines are used for authorization as well and can
+ appear in configurations even when no authentication is required and
+ the request is entirely unrestricted. This could lead to modules
+ using this API to allow access when they should otherwise not do so
+ (e.g. mod_authz_svn in CVE-2015-3184). API users should use the new
+ ap_some_authn_required API added in 2.4.16 instead.
+
+ </p></description>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.8"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.5"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+<affects prod="httpd" version="2.4.0"/>
+</issue>
<issue fixed="2.4.12" reported="20141109" public="20141109" released="20150130">
<cve name="CVE-2014-8109"/>