You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mj...@apache.org on 2010/03/12 12:44:52 UTC
svn commit: r922225 - in /httpd/site/trunk:
docs/security/vulnerabilities-oval.xml
docs/security/vulnerabilities_20.html docs/security/vulnerabilities_22.html
xdocs/security/vulnerabilities-httpd.xml
Author: mjc
Date: Fri Mar 12 11:44:51 2010
New Revision: 922225
URL: http://svn.apache.org/viewvc?rev=922225&view=rev
Log:
Remove vulnerable 2.0.x versions from 2.2.x entries,
fix another acknowledgement
Modified:
httpd/site/trunk/docs/security/vulnerabilities-oval.xml
httpd/site/trunk/docs/security/vulnerabilities_20.html
httpd/site/trunk/docs/security/vulnerabilities_22.html
httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=922225&r1=922224&r2=922225&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Fri Mar 12 11:44:51 2010
@@ -46,6 +46,8 @@ fix for this issue.
<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+<criteria operator="OR">
<criterion test_ref="oval:org.apache.httpd:tst:2063" comment="the version of httpd is 2.0.63"/>
<criterion test_ref="oval:org.apache.httpd:tst:2061" comment="the version of httpd is 2.0.61"/>
<criterion test_ref="oval:org.apache.httpd:tst:2059" comment="the version of httpd is 2.0.59"/>
@@ -134,27 +136,6 @@ proposing a patch fix for this issue.
<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2063" comment="the version of httpd is 2.0.63"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2061" comment="the version of httpd is 2.0.61"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2059" comment="the version of httpd is 2.0.59"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2058" comment="the version of httpd is 2.0.58"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2055" comment="the version of httpd is 2.0.55"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
</criteria>
<criteria operator="OR">
<criterion test_ref="oval:org.apache.httpd:tst:2063" comment="the version of httpd is 2.0.63"/>
@@ -1972,11 +1953,14 @@ is believed this flaw may be able to lea
<title>Environment variable expansion flaw</title>
<reference source="CVE" ref_id="CVE-2004-0747" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0747"/>
<description>
-The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the
+A buffer overflow was found in the
expansion of environment variables during configuration file parsing. This
issue could allow a local user to gain the privileges of a httpd
child if a server can be forced to parse a carefully crafted .htaccess file
written by a local user.
+
+We would like to thank the Swedish IT Incident Centre (SITIC) for reporting
+this issue.
</description>
<apache_httpd_repository>
<public>20040915</public>
Modified: httpd/site/trunk/docs/security/vulnerabilities_20.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_20.html?rev=922225&r1=922224&r2=922225&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_20.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_20.html [utf-8] Fri Mar 12 11:44:51 2010
@@ -768,7 +768,7 @@ enter an infinite loop, consuming CPU re
</b>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0747">CVE-2004-0747</a>
<p>
-The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the
+A buffer overflow was found in the
expansion of environment variables during configuration file parsing. This
issue could allow a local user to gain the privileges of a httpd
child if a server can be forced to parse a carefully crafted .htaccess file
@@ -776,6 +776,12 @@ written by a local user.
</p>
</dd>
<dd>
+<p>Acknowledgements:
+We would like to thank the Swedish IT Incident Centre (SITIC) for reporting
+this issue.
+</p>
+</dd>
+<dd>
Update Released: 15th September 2004<br />
</dd>
<dd>
Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=922225&r1=922224&r2=922225&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Fri Mar 12 11:44:51 2010
@@ -124,7 +124,7 @@ proposing a patch fix for this issue.
</dd>
<dd>
Affects:
- 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37<p />
+ 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
</dd>
<dd>
<b>low: </b>
@@ -156,7 +156,7 @@ fix for this issue.
</dd>
<dd>
Affects:
- 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p />
+ 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
</dd>
<dd>
<b>moderate: </b>
Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=922225&r1=922224&r2=922225&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Fri Mar 12 11:44:51 2010
@@ -34,29 +34,6 @@ fix for this issue.
<affects prod="httpd" version="2.2.3"/>
<affects prod="httpd" version="2.2.2"/>
<affects prod="httpd" version="2.2.0"/>
-<affects prod="httpd" version="2.0.63"/>
-<affects prod="httpd" version="2.0.61"/>
-<affects prod="httpd" version="2.0.59"/>
-<affects prod="httpd" version="2.0.58"/>
-<affects prod="httpd" version="2.0.55"/>
-<affects prod="httpd" version="2.0.54"/>
-<affects prod="httpd" version="2.0.53"/>
-<affects prod="httpd" version="2.0.52"/>
-<affects prod="httpd" version="2.0.51"/>
-<affects prod="httpd" version="2.0.50"/>
-<affects prod="httpd" version="2.0.49"/>
-<affects prod="httpd" version="2.0.48"/>
-<affects prod="httpd" version="2.0.47"/>
-<affects prod="httpd" version="2.0.46"/>
-<affects prod="httpd" version="2.0.45"/>
-<affects prod="httpd" version="2.0.44"/>
-<affects prod="httpd" version="2.0.43"/>
-<affects prod="httpd" version="2.0.42"/>
-<affects prod="httpd" version="2.0.40"/>
-<affects prod="httpd" version="2.0.39"/>
-<affects prod="httpd" version="2.0.37"/>
-<affects prod="httpd" version="2.0.36"/>
-<affects prod="httpd" version="2.0.35"/>
</issue>
<issue fixed="2.2.15" reported="20100209" public="20100302" released="20100305">
@@ -88,27 +65,6 @@ proposing a patch fix for this issue.
<affects prod="httpd" version="2.2.3"/>
<affects prod="httpd" version="2.2.2"/>
<affects prod="httpd" version="2.2.0"/>
-<affects prod="httpd" version="2.0.63"/>
-<affects prod="httpd" version="2.0.61"/>
-<affects prod="httpd" version="2.0.59"/>
-<affects prod="httpd" version="2.0.58"/>
-<affects prod="httpd" version="2.0.55"/>
-<affects prod="httpd" version="2.0.54"/>
-<affects prod="httpd" version="2.0.53"/>
-<affects prod="httpd" version="2.0.52"/>
-<affects prod="httpd" version="2.0.51"/>
-<affects prod="httpd" version="2.0.50"/>
-<affects prod="httpd" version="2.0.49"/>
-<affects prod="httpd" version="2.0.48"/>
-<affects prod="httpd" version="2.0.47"/>
-<affects prod="httpd" version="2.0.46"/>
-<affects prod="httpd" version="2.0.45"/>
-<affects prod="httpd" version="2.0.44"/>
-<affects prod="httpd" version="2.0.43"/>
-<affects prod="httpd" version="2.0.42"/>
-<affects prod="httpd" version="2.0.40"/>
-<affects prod="httpd" version="2.0.39"/>
-<affects prod="httpd" version="2.0.37"/>
</issue>
<issue fixed="2.2.15" reported="20100202" public="20100302" released="20100305">
@@ -1798,13 +1754,17 @@ is believed this flaw may be able to lea
<title>Environment variable expansion flaw</title>
<description>
<p>
-The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the
+A buffer overflow was found in the
expansion of environment variables during configuration file parsing. This
issue could allow a local user to gain the privileges of a httpd
child if a server can be forced to parse a carefully crafted .htaccess file
written by a local user.
</p>
</description>
+<acknowledgements>
+We would like to thank the Swedish IT Incident Centre (SITIC) for reporting
+this issue.
+</acknowledgements>
<affects prod="httpd" version="2.0.50"/>
<affects prod="httpd" version="2.0.49"/>
<affects prod="httpd" version="2.0.48"/>