Posted to cvs@httpd.apache.org by mj...@apache.org on 2007/02/26 11:53:09 UTC

svn commit: r511780 [2/3] - in /httpd/site/trunk: build.xml docs/security/vulnerabilities-oval.xml xdocs/stylesheets/httpd-oval.xsl

Added: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?view=auto&rev=511780
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (added)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Feb 26 02:53:08 2007
@@ -0,0 +1,2582 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:apache-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#apache apache-definitions-schema.xsd">
+<generator>
+<oval:schema_version>5.1</oval:schema_version>
+<oval:timestamp>2005-10-12T18:13:45</oval:timestamp>
+</generator>
+<definitions>
+<definition id="oval:org.apache.httpd:def:20063747" version="1" class="vulnerability">
+<metadata>
+<title>mod_rewrite off-by-one error</title>
+<reference source="CVE" ref_id="CVE-2006-3747" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747"/>
+<description>
+An off-by-one flaw exists in the Rewrite module, mod_rewrite.
+Depending on the manner in which Apache httpd was compiled, this
+software defect may result in a vulnerability which, in combination
+with certain types of Rewrite rules in the web server configuration
+files, could be triggered remotely.  For vulnerable builds, the nature
+of the vulnerability can be denial of service (crashing of web server
+processes) or potentially allow arbitrary code execution.
+</description>
+<apache_httpd_repository>
+<public>20060727</public>
+<reported>20060721</reported>
+<released>20060727</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2058" comment="the version of httpd is 2.0.58"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2055" comment="the version of httpd is 2.0.55"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1336" comment="the version of httpd is 1.3.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1335" comment="the version of httpd is 1.3.35"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1334" comment="the version of httpd is 1.3.34"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1333" comment="the version of httpd is 1.3.33"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1332" comment="the version of httpd is 1.3.32"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1331" comment="the version of httpd is 1.3.31"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1329" comment="the version of httpd is 1.3.29"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20053357" version="1" class="vulnerability">
+<metadata>
+<title>mod_ssl access control DoS</title>
+<reference source="CVE" ref_id="CVE-2005-3357" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3357"/>
+<description>
+A NULL pointer dereference flaw in mod_ssl was discovered affecting server
+configurations where an SSL virtual host is configured with access control
+and a custom 400 error document. A remote attacker could send a carefully
+crafted request to trigger this issue which would lead to a crash. This
+crash would only be a denial of service if using the worker MPM.
+</description>
+<apache_httpd_repository>
+<public>20051212</public>
+<reported>20051205</reported>
+<released>20060501</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2055" comment="the version of httpd is 2.0.55"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20053352" version="1" class="vulnerability">
+<metadata>
+<title>mod_imap Referer Cross-Site Scripting</title>
+<reference source="CVE" ref_id="CVE-2005-3352" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352"/>
+<description>
+A flaw in mod_imap when using the Referer directive with image maps.
+In certain site configurations a remote attacker could perform a cross-site
+scripting attack if a victim can be forced to visit a malicious 
+URL using certain web browsers.  
+</description>
+<apache_httpd_repository>
+<public>20051212</public>
+<reported>20051101</reported>
+<released>20060501</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2055" comment="the version of httpd is 2.0.55"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1334" comment="the version of httpd is 1.3.34"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1333" comment="the version of httpd is 1.3.33"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1332" comment="the version of httpd is 1.3.32"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1331" comment="the version of httpd is 1.3.31"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1329" comment="the version of httpd is 1.3.29"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1324" comment="the version of httpd is 1.3.24"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1322" comment="the version of httpd is 1.3.22"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1320" comment="the version of httpd is 1.3.20"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1319" comment="the version of httpd is 1.3.19"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1317" comment="the version of httpd is 1.3.17"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1314" comment="the version of httpd is 1.3.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1312" comment="the version of httpd is 1.3.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1311" comment="the version of httpd is 1.3.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:139" comment="the version of httpd is 1.3.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:136" comment="the version of httpd is 1.3.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:134" comment="the version of httpd is 1.3.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:133" comment="the version of httpd is 1.3.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:132" comment="the version of httpd is 1.3.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:131" comment="the version of httpd is 1.3.1"/>
+<criterion test_ref="oval:org.apache.httpd:tst:130" comment="the version of httpd is 1.3.0"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20063918" version="1" class="vulnerability">
+<metadata>
+<title>Expect header Cross-Site Scripting</title>
+<reference source="CVE" ref_id="CVE-2006-3918" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918"/>
+<description>
+A flaw in the handling of invalid Expect headers.  If an attacker can
+influence the Expect header that a victim sends to a target site they
+could perform a cross-site scripting attack.  It is known that 
+some versions of Flash can set an arbitrary Expect header which can 
+trigger this flaw.  Not marked as a security issue for 2.0 or
+2.2 as the cross-site scripting is only returned to the victim after
+the server times out a connection.
+</description>
+<apache_httpd_repository>
+<public>20060508</public>
+<reported></reported>
+<released>20060501</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1334" comment="the version of httpd is 1.3.34"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1333" comment="the version of httpd is 1.3.33"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1332" comment="the version of httpd is 1.3.32"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1331" comment="the version of httpd is 1.3.31"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1329" comment="the version of httpd is 1.3.29"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1324" comment="the version of httpd is 1.3.24"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1322" comment="the version of httpd is 1.3.22"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1320" comment="the version of httpd is 1.3.20"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1319" comment="the version of httpd is 1.3.19"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1317" comment="the version of httpd is 1.3.17"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1314" comment="the version of httpd is 1.3.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1312" comment="the version of httpd is 1.3.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1311" comment="the version of httpd is 1.3.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:139" comment="the version of httpd is 1.3.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:136" comment="the version of httpd is 1.3.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:134" comment="the version of httpd is 1.3.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:133" comment="the version of httpd is 1.3.3"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20052970" version="1" class="vulnerability">
+<metadata>
+<title>Worker MPM memory leak</title>
+<reference source="CVE" ref_id="CVE-2005-2970" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2970"/>
+<description>
+A memory leak in the worker MPM would allow remote attackers to cause
+a denial of service (memory consumption) via aborted connections,
+which prevents the memory for the transaction pool from being reused
+for other connections.  This issue was downgraded in severity to low
+(from moderate) as sucessful exploitation of the race condition would
+be difficult.
+</description>
+<apache_httpd_repository>
+<public/>
+<reported/>
+<released>20051014</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20052728" version="1" class="vulnerability">
+<metadata>
+<title>Byterange filter DoS</title>
+<reference source="CVE" ref_id="CVE-2005-2728" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2728"/>
+<description>
+A flaw in the byterange filter would cause some responses to be buffered
+into memory. If a server has a dynamic resource such as a CGI
+script or PHP script which generates a large amount of data, an attacker
+could send carefully crafted requests in order to consume resources,
+potentially leading to a Denial of Service. 
+</description>
+<apache_httpd_repository>
+<public>20050707</public>
+<reported>20050707</reported>
+<released>20051014</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20052700" version="1" class="vulnerability">
+<metadata>
+<title>SSLVerifyClient bypass</title>
+<reference source="CVE" ref_id="CVE-2005-2700" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2700"/>
+<description>
+A flaw in the mod_ssl handling of the "SSLVerifyClient"
+directive. This flaw would occur if a virtual host has been configured
+using "SSLVerifyClient optional" and further a directive "SSLVerifyClient
+required" is set for a specific location.  For servers configured in this
+fashion, an attacker may be able to access resources that should otherwise
+be protected, by not supplying a client certificate when connecting.
+</description>
+<apache_httpd_repository>
+<public>20050830</public>
+<reported>20050830</reported>
+<released>20051014</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20052491" version="1" class="vulnerability">
+<metadata>
+<title>PCRE overflow</title>
+<reference source="CVE" ref_id="CVE-2005-2491" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2491"/>
+<description>
+An integer overflow flaw was found in PCRE, a Perl-compatible regular
+expression library included within httpd.  A local user who has the
+ability to create .htaccess files could create a maliciously crafted
+regular expression in such as way that they could gain the privileges
+of a httpd child.
+</description>
+<apache_httpd_repository>
+<public>20050801</public>
+<reported/>
+<released>20051014</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20052088" version="1" class="vulnerability">
+<metadata>
+<title>HTTP Request Spoofing</title>
+<reference source="CVE" ref_id="CVE-2005-2088" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088"/>
+<description>
+A flaw occured when using the Apache server as a HTTP proxy. A remote
+attacker could send a HTTP request with both a "Transfer-Encoding:
+chunked" header and a Content-Length header, causing Apache to
+incorrectly handle and forward the body of the request in a way that
+causes the receiving server to process it as a separate HTTP request.
+This could allow the bypass of web application firewall protection or
+lead to cross-site scripting (XSS) attacks.
+</description>
+<apache_httpd_repository>
+<public>20050611</public>
+<reported/>
+<released>20051014</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20051268" version="1" class="vulnerability">
+<metadata>
+<title>Malicious CRL off-by-one</title>
+<reference source="CVE" ref_id="CVE-2005-1268" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1268"/>
+<description>
+An off-by-one stack overflow was discovered in the mod_ssl CRL
+verification callback. In order to exploit this issue the Apache
+server would need to be configured to use a malicious certificate
+revocation list (CRL)
+</description>
+<apache_httpd_repository>
+<public>20050608</public>
+<reported/>
+<released>20051014</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040942" version="1" class="vulnerability">
+<metadata>
+<title>Memory consumption DoS</title>
+<reference source="CVE" ref_id="CVE-2004-0942" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0942"/>
+<description>
+An issue was discovered where the field length limit was not enforced
+for certain malicious requests.  This could allow a remote attacker who
+is able to send large amounts of data to a server the ability to cause
+Apache children to consume proportional amounts of memory, leading to
+a denial of service.
+</description>
+<apache_httpd_repository>
+<public>20041101</public>
+<reported>20041028</reported>
+<released>20050208</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040940" version="1" class="vulnerability">
+<metadata>
+<title>mod_include overflow</title>
+<reference source="CVE" ref_id="CVE-2004-0940" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0940"/>
+<description>
+A buffer overflow in mod_include could allow a local user who
+is authorised to create server side include (SSI) files to gain
+the privileges of a httpd child.
+</description>
+<apache_httpd_repository>
+<public>20041021</public>
+<reported>20041021</reported>
+<released>20041028</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1332" comment="the version of httpd is 1.3.32"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1331" comment="the version of httpd is 1.3.31"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1329" comment="the version of httpd is 1.3.29"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1324" comment="the version of httpd is 1.3.24"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1322" comment="the version of httpd is 1.3.22"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1320" comment="the version of httpd is 1.3.20"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1319" comment="the version of httpd is 1.3.19"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1317" comment="the version of httpd is 1.3.17"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1314" comment="the version of httpd is 1.3.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1312" comment="the version of httpd is 1.3.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1311" comment="the version of httpd is 1.3.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:139" comment="the version of httpd is 1.3.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:136" comment="the version of httpd is 1.3.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:134" comment="the version of httpd is 1.3.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:133" comment="the version of httpd is 1.3.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:132" comment="the version of httpd is 1.3.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:131" comment="the version of httpd is 1.3.1"/>
+<criterion test_ref="oval:org.apache.httpd:tst:130" comment="the version of httpd is 1.3.0"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040885" version="1" class="vulnerability">
+<metadata>
+<title>SSLCipherSuite bypass</title>
+<reference source="CVE" ref_id="CVE-2004-0885" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0885"/>
+<description>
+An issue has been discovered in the mod_ssl module when configured to use
+the "SSLCipherSuite" directive in directory or location context. If a
+particular location context has been configured to require a specific set
+of cipher suites, then a client will be able to access that location using
+any cipher suite allowed by the virtual host configuration. 
+</description>
+<apache_httpd_repository>
+<public>20041001</public>
+<reported>20041001</reported>
+<released>20050208</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20041834" version="1" class="vulnerability">
+<metadata>
+<title>mod_disk_cache stores sensitive headers</title>
+<reference source="CVE" ref_id="CVE-2004-1834" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1834"/>
+<description>
+The experimental mod_disk_cache module stored client authentication
+credentials for cached objects such as proxy authentication credentials
+and Basic Authentication passwords on disk.  
+</description>
+<apache_httpd_repository>
+<public>20040320</public>
+<reported>20040302</reported>
+<released>20050208</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040811" version="1" class="vulnerability">
+<metadata>
+<title>Basic authentication bypass</title>
+<reference source="CVE" ref_id="CVE-2004-0811" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0811"/>
+<description>
+A flaw in Apache 2.0.51 (only) broke the merging of the Satisfy
+directive which could result in access being granted to
+resources despite any configured authentication
+</description>
+<apache_httpd_repository>
+<public>20040918</public>
+<reported>20040918</reported>
+<released>20040928</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040786" version="1" class="vulnerability">
+<metadata>
+<title>IPv6 URI parsing heap overflow</title>
+<reference source="CVE" ref_id="CVE-2004-0786" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0786"/>
+<description>
+Testing using the Codenomicon HTTP Test Tool performed by the Apache
+Software Foundation security group and Red Hat uncovered an input
+validation issue in the IPv6 URI parsing routines in the apr-util library.
+If a remote attacker sent a request including a carefully crafted URI, an
+httpd child process could be made to crash.  One some BSD systems it
+is believed this flaw may be able to lead to remote code execution.
+</description>
+<apache_httpd_repository>
+<public>20040915</public>
+<reported>20040825</reported>
+<released>20040915</released>
+<severity level="1">critical</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040747" version="1" class="vulnerability">
+<metadata>
+<title>Environment variable expansion flaw</title>
+<reference source="CVE" ref_id="CVE-2004-0747" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0747"/>
+<description>
+The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the
+expansion of environment variables during configuration file parsing. This
+issue could allow a local user to gain the privileges of a httpd
+child if a server can be forced to parse a carefully crafted .htaccess file 
+written by a local user.
+</description>
+<apache_httpd_repository>
+<public>20040915</public>
+<reported>20040805</reported>
+<released>20040915</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040751" version="1" class="vulnerability">
+<metadata>
+<title>Malicious SSL proxy can cause crash</title>
+<reference source="CVE" ref_id="CVE-2004-0751" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0751"/>
+<description>
+An issue was discovered in the mod_ssl module in Apache 2.0.44-2.0.50
+which could be triggered if
+the server is configured to allow proxying to a remote SSL server. A
+malicious remote SSL server could force an httpd child process to crash by
+sending a carefully crafted response header. This issue is not believed to
+allow execution of arbitrary code and will only result in a denial
+of service where a threaded process model is in use.
+</description>
+<apache_httpd_repository>
+<public>20040707</public>
+<reported>20040707</reported>
+<released>20040915</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040748" version="1" class="vulnerability">
+<metadata>
+<title>SSL connection infinite loop</title>
+<reference source="CVE" ref_id="CVE-2004-0748" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0748"/>
+<description>
+An issue was discovered in the mod_ssl module in Apache 2.0.  
+A remote attacker who forces an SSL connection to
+be aborted in a particular state may cause an Apache child process to
+enter an infinite loop, consuming CPU resources.
+</description>
+<apache_httpd_repository>
+<public>20040707</public>
+<reported>20040707</reported>
+<released>20040915</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040809" version="1" class="vulnerability">
+<metadata>
+<title>WebDAV remote crash</title>
+<reference source="CVE" ref_id="CVE-2004-0809" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0809"/>
+<description>
+An issue was discovered in the mod_dav module which could be triggered
+for a location where WebDAV authoring access has been configured. A
+malicious remote client which is authorized to use the LOCK method
+could force an httpd child process to crash by sending a particular
+sequence of LOCK requests. This issue does not allow execution of
+arbitrary code.  and will only result in a denial of service where a
+threaded process model is in use.
+</description>
+<apache_httpd_repository>
+<public>20040912</public>
+<reported>20040912</reported>
+<released>20040915</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040493" version="1" class="vulnerability">
+<metadata>
+<title>Header parsing memory leak</title>
+<reference source="CVE" ref_id="CVE-2004-0493" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0493"/>
+<description>
+A memory leak in parsing of HTTP headers which can be triggered
+remotely may allow a denial of service attack due to excessive memory
+consumption.
+</description>
+<apache_httpd_repository>
+<public>20040701</public>
+<reported>20040613</reported>
+<released>20040701</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040488" version="1" class="vulnerability">
+<metadata>
+<title>FakeBasicAuth overflow</title>
+<reference source="CVE" ref_id="CVE-2004-0488" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0488"/>
+<description>
+A buffer overflow in the mod_ssl FakeBasicAuth code could be exploited
+by an attacker using a (trusted) client certificate with a subject DN
+field which exceeds 6K in length.
+</description>
+<apache_httpd_repository>
+<public>20040517</public>
+<reported/>
+<released>20040701</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040492" version="1" class="vulnerability">
+<metadata>
+<title>mod_proxy buffer overflow</title>
+<reference source="CVE" ref_id="CVE-2004-0492" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0492"/>
+<description>
+A buffer overflow was found in the Apache proxy module, mod_proxy, which
+can be triggered by receiving an invalid Content-Length header. In order
+to exploit this issue an attacker would need to get an Apache installation
+that was configured as a proxy to connect to a malicious site. This would
+cause the Apache child processing the request to crash, although this does
+not represent a significant Denial of Service attack as requests will
+continue to be handled by other Apache child processes.  This issue may
+lead to remote arbitrary code execution on some BSD platforms.
+</description>
+<apache_httpd_repository>
+<public>20030610</public>
+<reported>20030608</reported>
+<released>20041020</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1331" comment="the version of httpd is 1.3.31"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1329" comment="the version of httpd is 1.3.29"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030020" version="1" class="vulnerability">
+<metadata>
+<title>Error log escape filtering</title>
+<reference source="CVE" ref_id="CVE-2003-0020" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020"/>
+<description>
+Apache does not filter terminal escape sequences from error logs,
+which could make it easier for attackers to insert those sequences
+into terminal emulators containing vulnerabilities related to escape
+sequences.
+</description>
+<apache_httpd_repository>
+<public>20030224</public>
+<reported>20030224</reported>
+<released>20040512</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1329" comment="the version of httpd is 1.3.29"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1324" comment="the version of httpd is 1.3.24"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1322" comment="the version of httpd is 1.3.22"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1320" comment="the version of httpd is 1.3.20"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1319" comment="the version of httpd is 1.3.19"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1317" comment="the version of httpd is 1.3.17"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1314" comment="the version of httpd is 1.3.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1312" comment="the version of httpd is 1.3.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1311" comment="the version of httpd is 1.3.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:139" comment="the version of httpd is 1.3.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:136" comment="the version of httpd is 1.3.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:134" comment="the version of httpd is 1.3.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:133" comment="the version of httpd is 1.3.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:132" comment="the version of httpd is 1.3.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:131" comment="the version of httpd is 1.3.1"/>
+<criterion test_ref="oval:org.apache.httpd:tst:130" comment="the version of httpd is 1.3.0"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030987" version="1" class="vulnerability">
+<metadata>
+<title>mod_digest nonce checking</title>
+<reference source="CVE" ref_id="CVE-2003-0987" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0987"/>
+<description>
+
+mod_digest does not properly verify the nonce of a client response by
+using a AuthNonce secret.  This could allow a malicious user who is
+able to sniff network traffic to conduct a replay attack against a
+website using Digest protection.  Note that mod_digest implements an
+older version of the MD5 Digest Authentication specification which
+is known not to work with modern browsers.  This issue does not affect
+mod_auth_digest.
+
+</description>
+<apache_httpd_repository>
+<public>20031218</public>
+<reported>20031218</reported>
+<released>20040512</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1329" comment="the version of httpd is 1.3.29"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1324" comment="the version of httpd is 1.3.24"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1322" comment="the version of httpd is 1.3.22"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1320" comment="the version of httpd is 1.3.20"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1319" comment="the version of httpd is 1.3.19"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1317" comment="the version of httpd is 1.3.17"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1314" comment="the version of httpd is 1.3.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1312" comment="the version of httpd is 1.3.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1311" comment="the version of httpd is 1.3.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:139" comment="the version of httpd is 1.3.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:136" comment="the version of httpd is 1.3.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:134" comment="the version of httpd is 1.3.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:133" comment="the version of httpd is 1.3.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:132" comment="the version of httpd is 1.3.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:131" comment="the version of httpd is 1.3.1"/>
+<criterion test_ref="oval:org.apache.httpd:tst:130" comment="the version of httpd is 1.3.0"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040174" version="1" class="vulnerability">
+<metadata>
+<title>listening socket starvation</title>
+<reference source="CVE" ref_id="CVE-2004-0174" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0174"/>
+<description>
+A starvation issue on listening sockets occurs when a short-lived
+connection on a rarely-accessed listening socket will cause a child to
+hold the accept mutex and block out new connections until another
+connection arrives on that rarely-accessed listening socket.  This
+issue is known to affect some versions of AIX, Solaris, and Tru64; it
+is known to not affect FreeBSD or Linux.
+
+</description>
+<apache_httpd_repository>
+<public>20040318</public>
+<reported>20040225</reported>
+<released>20040512</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1329" comment="the version of httpd is 1.3.29"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1324" comment="the version of httpd is 1.3.24"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1322" comment="the version of httpd is 1.3.22"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1320" comment="the version of httpd is 1.3.20"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1319" comment="the version of httpd is 1.3.19"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1317" comment="the version of httpd is 1.3.17"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1314" comment="the version of httpd is 1.3.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1312" comment="the version of httpd is 1.3.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1311" comment="the version of httpd is 1.3.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:139" comment="the version of httpd is 1.3.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:136" comment="the version of httpd is 1.3.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:134" comment="the version of httpd is 1.3.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:133" comment="the version of httpd is 1.3.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:132" comment="the version of httpd is 1.3.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:131" comment="the version of httpd is 1.3.1"/>
+<criterion test_ref="oval:org.apache.httpd:tst:130" comment="the version of httpd is 1.3.0"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030993" version="1" class="vulnerability">
+<metadata>
+<title>Allow/Deny parsing on big-endian 64-bit platforms</title>
+<reference source="CVE" ref_id="CVE-2003-0993" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0993"/>
+<description>
+A bug in the parsing of Allow/Deny rules using IP addresses
+without a netmask on big-endian 64-bit platforms causes the rules
+to fail to match.
+</description>
+<apache_httpd_repository>
+<public>20031015</public>
+<reported>20031015</reported>
+<released>20040512</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1329" comment="the version of httpd is 1.3.29"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1324" comment="the version of httpd is 1.3.24"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1322" comment="the version of httpd is 1.3.22"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1320" comment="the version of httpd is 1.3.20"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1319" comment="the version of httpd is 1.3.19"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1317" comment="the version of httpd is 1.3.17"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1314" comment="the version of httpd is 1.3.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1312" comment="the version of httpd is 1.3.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1311" comment="the version of httpd is 1.3.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:139" comment="the version of httpd is 1.3.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:136" comment="the version of httpd is 1.3.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:134" comment="the version of httpd is 1.3.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:133" comment="the version of httpd is 1.3.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:132" comment="the version of httpd is 1.3.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:131" comment="the version of httpd is 1.3.1"/>
+<criterion test_ref="oval:org.apache.httpd:tst:130" comment="the version of httpd is 1.3.0"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20040113" version="1" class="vulnerability">
+<metadata>
+<title>mod_ssl memory leak</title>
+<reference source="CVE" ref_id="CVE-2004-0113" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0113"/>
+<description>
+A memory leak in mod_ssl allows a remote denial of service attack 
+against an SSL-enabled server by sending plain HTTP requests to the
+SSL port. 
+</description>
+<apache_httpd_repository>
+<public>20040220</public>
+<reported>20040220</reported>
+<released>20040319</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030789" version="1" class="vulnerability">
+<metadata>
+<title>CGI output information leak</title>
+<reference source="CVE" ref_id="CVE-2003-0789" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0789"/>
+<description>
+A bug in mod_cgid mishandling of CGI redirect paths can result in
+CGI output going to the wrong client when a threaded MPM
+is used.
+</description>
+<apache_httpd_repository>
+<public>20031027</public>
+<reported>20031003</reported>
+<released>20031027</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030542" version="1" class="vulnerability">
+<metadata>
+<title>Local configuration regular expression overflow</title>
+<reference source="CVE" ref_id="CVE-2003-0542" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0542"/>
+<description>
+By using a regular expression with more than 9 captures a buffer
+overflow can occur in mod_alias or mod_rewrite.  To exploit this an
+attacker would need to be able to create a carefully crafted configuration
+file (.htaccess or httpd.conf)
+</description>
+<apache_httpd_repository>
+<public>20031027</public>
+<reported>20030804</reported>
+<released>20031027</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1324" comment="the version of httpd is 1.3.24"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1322" comment="the version of httpd is 1.3.22"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1320" comment="the version of httpd is 1.3.20"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1319" comment="the version of httpd is 1.3.19"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1317" comment="the version of httpd is 1.3.17"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1314" comment="the version of httpd is 1.3.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1312" comment="the version of httpd is 1.3.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1311" comment="the version of httpd is 1.3.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:139" comment="the version of httpd is 1.3.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:136" comment="the version of httpd is 1.3.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:134" comment="the version of httpd is 1.3.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:133" comment="the version of httpd is 1.3.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:132" comment="the version of httpd is 1.3.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:131" comment="the version of httpd is 1.3.1"/>
+<criterion test_ref="oval:org.apache.httpd:tst:130" comment="the version of httpd is 1.3.0"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030460" version="1" class="vulnerability">
+<metadata>
+<title>RotateLogs DoS</title>
+<reference source="CVE" ref_id="CVE-2003-0460" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0460"/>
+<description>The rotatelogs support program on Win32 and OS/2 would quit logging
+and exit if it received special control characters such as 0x1A.
+</description>
+<apache_httpd_repository>
+<public>20030718</public>
+<reported>20030704</reported>
+<released>20030718</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1324" comment="the version of httpd is 1.3.24"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1322" comment="the version of httpd is 1.3.22"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1320" comment="the version of httpd is 1.3.20"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1319" comment="the version of httpd is 1.3.19"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1317" comment="the version of httpd is 1.3.17"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1314" comment="the version of httpd is 1.3.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1312" comment="the version of httpd is 1.3.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1311" comment="the version of httpd is 1.3.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:139" comment="the version of httpd is 1.3.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:136" comment="the version of httpd is 1.3.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:134" comment="the version of httpd is 1.3.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:133" comment="the version of httpd is 1.3.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:132" comment="the version of httpd is 1.3.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:131" comment="the version of httpd is 1.3.1"/>
+<criterion test_ref="oval:org.apache.httpd:tst:130" comment="the version of httpd is 1.3.0"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030254" version="1" class="vulnerability">
+<metadata>
+<title>Remote DoS via IPv6 ftp proxy</title>
+<reference source="CVE" ref_id="CVE-2003-0254" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0254"/>
+<description>
+When a client requests that proxy ftp connect to a ftp server with
+IPv6 address, and the proxy is unable to create an IPv6 socket,
+an infinite loop occurs causing a remote Denial of Service.
+</description>
+<apache_httpd_repository>
+<public>20030709</public>
+<reported>20030625</reported>
+<released>20030709</released>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030253" version="1" class="vulnerability">
+<metadata>
+<title>Remote DoS with multiple Listen directives</title>
+<reference source="CVE" ref_id="CVE-2003-0253" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0253"/>
+<description>
+In a server with multiple listening sockets a certain error returned
+by accept() on a rarely access port can cause a temporary denial of
+service, due to a bug in the prefork MPM.
+</description>
+<apache_httpd_repository>
+<public>20030709</public>
+<reported>20030625</reported>
+<released>20030709</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030192" version="1" class="vulnerability">
+<metadata>
+<title>mod_ssl renegotiation issue</title>
+<reference source="CVE" ref_id="CVE-2003-0192" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0192"/>
+<description>
+A bug in the optional renegotiation code in mod_ssl included with 
+Apache httpd can cause cipher suite restrictions to be ignored.
+This is triggered if optional renegotiation is used (SSLOptions
++OptRenegotiate) along with verification of client certificates
+and a change to the cipher suite over the renegotiation.
+</description>
+<apache_httpd_repository>
+<public>20030709</public>
+<reported>20030430</reported>
+<released>20030709</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030245" version="1" class="vulnerability">
+<metadata>
+<title>APR remote crash</title>
+<reference source="CVE" ref_id="CVE-2003-0245" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0245"/>
+<description>
+A vulnerability in the apr_psprintf function in the Apache Portable
+Runtime (APR) library allows remote 
+attackers to cause a denial of service (crash) and possibly execute
+arbitrary code via long strings, as demonstrated using XML objects to
+mod_dav, and possibly other vectors.
+</description>
+<apache_httpd_repository>
+<public>20030528</public>
+<reported>20030409</reported>
+<released>20030528</released>
+<severity level="1">critical</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030189" version="1" class="vulnerability">
+<metadata>
+<title>Basic Authentication DoS</title>
+<reference source="CVE" ref_id="CVE-2003-0189" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0189"/>
+<description>
+A build system problem in Apache 2.0.40 through 2.0.45 allows remote attackers
+to cause a denial of access to authenticated content when a threaded
+server is used. 
+</description>
+<apache_httpd_repository>
+<public>20030528</public>
+<reported>20030425</reported>
+<released>20030528</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+</criteria>
+</criteria>
+</definition>
+<definition id="oval:org.apache.httpd:def:20030134" version="1" class="vulnerability">
+<metadata>
+<title>OS2 device name DoS</title>

[... 1152 lines stripped ...]