Posted to cvs@httpd.apache.org by mj...@apache.org on 2010/03/12 12:44:52 UTC

svn commit: r922225 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_20.html docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml

Author: mjc
Date: Fri Mar 12 11:44:51 2010
New Revision: 922225

URL: http://svn.apache.org/viewvc?rev=922225&view=rev
Log:
Remove vulnerable 2.0.x versions from 2.2.x entries,
fix another acknowledgement

Modified:
    httpd/site/trunk/docs/security/vulnerabilities-oval.xml
    httpd/site/trunk/docs/security/vulnerabilities_20.html
    httpd/site/trunk/docs/security/vulnerabilities_22.html
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=922225&r1=922224&r2=922225&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Fri Mar 12 11:44:51 2010
@@ -46,6 +46,8 @@ fix for this issue.
 <criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
 <criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
 <criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+<criteria operator="OR">
 <criterion test_ref="oval:org.apache.httpd:tst:2063" comment="the version of httpd is 2.0.63"/>
 <criterion test_ref="oval:org.apache.httpd:tst:2061" comment="the version of httpd is 2.0.61"/>
 <criterion test_ref="oval:org.apache.httpd:tst:2059" comment="the version of httpd is 2.0.59"/>
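Review bot: The 2.0.63, 2.0.61, 2.0.59 … criteria are not removed from this entry here; the two added lines only move them into a sibling `<criteria operator="OR">` group. The log message and the first hunk of xdocs/security/vulnerabilities-httpd.xml drop 2.0.x from the same issue. The enclosing definition lies outside the hunk, so this is inferred, but if that sibling group is still evaluated under the same definition, OVAL-based scanners will keep flagging 2.0.x hosts for an issue the HTML pages now list as 2.2.x only. The second hunk of this file ends in the same layout after its deletions. Please confirm the file was regenerated from the xdocs source and that the definition still has a single top-level criteria element whose operator gives the intended result.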
@@ -134,27 +136,6 @@ proposing a patch fix for this issue.
 <criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
 <criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
 <criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2063" comment="the version of httpd is 2.0.63"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2061" comment="the version of httpd is 2.0.61"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2059" comment="the version of httpd is 2.0.59"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2058" comment="the version of httpd is 2.0.58"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2055" comment="the version of httpd is 2.0.55"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
 </criteria>
 <criteria operator="OR">
 <criterion test_ref="oval:org.apache.httpd:tst:2063" comment="the version of httpd is 2.0.63"/>
@@ -1972,11 +1953,14 @@ is believed this flaw may be able to lea
 <title>Environment variable expansion flaw</title>
 <reference source="CVE" ref_id="CVE-2004-0747" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0747"/>
 <description>
-The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the
+A buffer overflow was found in the
 expansion of environment variables during configuration file parsing. This
 issue could allow a local user to gain the privileges of a httpd
 child if a server can be forced to parse a carefully crafted .htaccess file 
 written by a local user.
+
+We would like to thank the Swedish IT Incident Centre (SITIC) for reporting
+this issue.
 </description>
 <apache_httpd_repository>
 <public>20040915</public>

Modified: httpd/site/trunk/docs/security/vulnerabilities_20.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_20.html?rev=922225&r1=922224&r2=922225&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_20.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_20.html [utf-8] Fri Mar 12 11:44:51 2010
@@ -768,7 +768,7 @@ enter an infinite loop, consuming CPU re
 </b>
 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0747">CVE-2004-0747</a>
 <p>
-The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the
+A buffer overflow was found in the
 expansion of environment variables during configuration file parsing. This
 issue could allow a local user to gain the privileges of a httpd
 child if a server can be forced to parse a carefully crafted .htaccess file 
@@ -776,6 +776,12 @@ written by a local user.
 </p>
 </dd>
 <dd>
+<p>Acknowledgements: 
+We would like to thank the Swedish IT Incident Centre (SITIC) for reporting
+this issue.
+</p>
+</dd>
+<dd>
   Update Released: 15th September 2004<br />
 </dd>
 <dd>

Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=922225&r1=922224&r2=922225&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Fri Mar 12 11:44:51 2010
@@ -124,7 +124,7 @@ proposing a patch fix for this issue.
 </dd>
 <dd>
       Affects: 
-    2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37<p />
+    2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
 </dd>
 <dd>
 <b>low: </b>
@@ -156,7 +156,7 @@ fix for this issue.
 </dd>
 <dd>
       Affects: 
-    2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p />
+    2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
 </dd>
 <dd>
 <b>moderate: </b>

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=922225&r1=922224&r2=922225&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Fri Mar 12 11:44:51 2010
@@ -34,29 +34,6 @@ fix for this issue.
 <affects prod="httpd" version="2.2.3"/>
 <affects prod="httpd" version="2.2.2"/>
 <affects prod="httpd" version="2.2.0"/>
-<affects prod="httpd" version="2.0.63"/>
-<affects prod="httpd" version="2.0.61"/>
-<affects prod="httpd" version="2.0.59"/>
-<affects prod="httpd" version="2.0.58"/>
-<affects prod="httpd" version="2.0.55"/>
-<affects prod="httpd" version="2.0.54"/>
-<affects prod="httpd" version="2.0.53"/>
-<affects prod="httpd" version="2.0.52"/>
-<affects prod="httpd" version="2.0.51"/>
-<affects prod="httpd" version="2.0.50"/>
-<affects prod="httpd" version="2.0.49"/>
-<affects prod="httpd" version="2.0.48"/>
-<affects prod="httpd" version="2.0.47"/>
-<affects prod="httpd" version="2.0.46"/>
-<affects prod="httpd" version="2.0.45"/>
-<affects prod="httpd" version="2.0.44"/>
-<affects prod="httpd" version="2.0.43"/>
-<affects prod="httpd" version="2.0.42"/>
-<affects prod="httpd" version="2.0.40"/>
-<affects prod="httpd" version="2.0.39"/>
-<affects prod="httpd" version="2.0.37"/>
-<affects prod="httpd" version="2.0.36"/>
-<affects prod="httpd" version="2.0.35"/>
 </issue>
 
 <issue fixed="2.2.15" reported="20100209" public="20100302" released="20100305">
@@ -88,27 +65,6 @@ proposing a patch fix for this issue.
 <affects prod="httpd" version="2.2.3"/>
 <affects prod="httpd" version="2.2.2"/>
 <affects prod="httpd" version="2.2.0"/>
-<affects prod="httpd" version="2.0.63"/>
-<affects prod="httpd" version="2.0.61"/>
-<affects prod="httpd" version="2.0.59"/>
-<affects prod="httpd" version="2.0.58"/>
-<affects prod="httpd" version="2.0.55"/>
-<affects prod="httpd" version="2.0.54"/>
-<affects prod="httpd" version="2.0.53"/>
-<affects prod="httpd" version="2.0.52"/>
-<affects prod="httpd" version="2.0.51"/>
-<affects prod="httpd" version="2.0.50"/>
-<affects prod="httpd" version="2.0.49"/>
-<affects prod="httpd" version="2.0.48"/>
-<affects prod="httpd" version="2.0.47"/>
-<affects prod="httpd" version="2.0.46"/>
-<affects prod="httpd" version="2.0.45"/>
-<affects prod="httpd" version="2.0.44"/>
-<affects prod="httpd" version="2.0.43"/>
-<affects prod="httpd" version="2.0.42"/>
-<affects prod="httpd" version="2.0.40"/>
-<affects prod="httpd" version="2.0.39"/>
-<affects prod="httpd" version="2.0.37"/>
 </issue>
 
 <issue fixed="2.2.15" reported="20100202" public="20100302" released="20100305">
@@ -1798,13 +1754,17 @@ is believed this flaw may be able to lea
 <title>Environment variable expansion flaw</title>
 <description>
 <p>
-The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the
+A buffer overflow was found in the
 expansion of environment variables during configuration file parsing. This
 issue could allow a local user to gain the privileges of a httpd
 child if a server can be forced to parse a carefully crafted .htaccess file 
 written by a local user.
 </p>
 </description>
+<acknowledgements>
+We would like to thank the Swedish IT Incident Centre (SITIC) for reporting
+this issue.
+</acknowledgements>
 <affects prod="httpd" version="2.0.50"/>
 <affects prod="httpd" version="2.0.49"/>
 <affects prod="httpd" version="2.0.48"/>