You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2011/10/06 22:26:15 UTC
svn commit: r1179826 - in /httpd/site/trunk:
docs/security/vulnerabilities_13.html
xdocs/security/vulnerabilities-httpd.xml
Author: wrowe
Date: Thu Oct 6 20:26:15 2011
New Revision: 1179826
URL: http://svn.apache.org/viewvc?rev=1179826&view=rev
Log:
Correct mis-ordered 1.3 patches, use 1.3-never for post-1.3.42 vulnerabilities?
Modified:
httpd/site/trunk/docs/security/vulnerabilities_13.html
httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/docs/security/vulnerabilities_13.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_13.html?rev=1179826&r1=1179825&r2=1179826&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_13.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_13.html [utf-8] Thu Oct 6 20:26:15 2011
@@ -93,6 +93,89 @@ Team</a>. </p>
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+ <a name="1.3-never"><strong>Fixed in Apache httpd 1.3-never</strong></a>
+ </font>
+ </td>
+ </tr>
+ <tr><td>
+ <blockquote>
+<dl>
+<dd>
+<b>moderate: </b>
+<b>
+<name name="CVE-2011-3368">mod_proxy reverse proxy exposure</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368">CVE-2011-3368</a>
+<p>
+An exposure was found when using mod_proxy in reverse proxy mode.
+In certain configurations using RewriteRule with proxy flag,
+a remote attacker could cause the reverse proxy to
+connect to an arbitrary server, possibly disclosing sensitive
+information from internal web servers not directly accessible to
+attacker.</p>
+<p>No update of 1.3 will be released. Patches will be published to
+<a href="http://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/">http://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/</a>
+</p>
+</dd>
+<dd>
+<p>Acknowledgements:
+This issue was reported by Context Information Security Ltd
+</p>
+</dd>
+<dd>
+ Reported to security team: 16th September 2011<br />
+ Issue public: 5th October 2011<br />
+</dd>
+<dd>
+ Affected:
+ 1.3.42, 1.3.41, 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2<p />
+</dd>
+</dl>
+ </blockquote>
+ </td></tr>
+</table>
+ <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr>
+ <td bgcolor="#525D76">
+ <font color="#ffffff" face="arial,helvetica,sanserif">
+ <a name="1.3.42"><strong>Fixed in Apache httpd 1.3.42</strong></a>
+ </font>
+ </td>
+ </tr>
+ <tr><td>
+ <blockquote>
+<dl>
+<dd>
+<b>moderate: </b>
+<b>
+<name name="CVE-2010-0010">mod_proxy overflow on 64-bit systems</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0010">CVE-2010-0010</a>
+<p>
+An incorrect conversion between numeric types flaw was found in the
+mod_proxy module which affects some 64-bit architecture systems. A
+malicious HTTP server to which requests are being proxied could use
+this flaw to trigger a heap buffer overflow in an httpd child process
+via a carefully crafted response.
+</p>
+</dd>
+<dd>
+ Reported to security team: 30th December 2009<br />
+ Issue public: 7th December 2010<br />
+ Update released: 3rd February 2010<br />
+</dd>
+<dd>
+ Affected:
+ 1.3.41, 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2<p />
+</dd>
+</dl>
+ </blockquote>
+ </td></tr>
+</table>
+ <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr>
+ <td bgcolor="#525D76">
+ <font color="#ffffff" face="arial,helvetica,sanserif">
<a name="1.3.41"><strong>Fixed in Apache httpd 1.3.41</strong></a>
</font>
</td>
@@ -170,44 +253,6 @@ cross-site scripting attack is possible.
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
- <a name="1.3.42"><strong>Fixed in Apache httpd 1.3.42</strong></a>
- </font>
- </td>
- </tr>
- <tr><td>
- <blockquote>
-<dl>
-<dd>
-<b>moderate: </b>
-<b>
-<name name="CVE-2010-0010">mod_proxy overflow on 64-bit systems</name>
-</b>
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0010">CVE-2010-0010</a>
-<p>
-An incorrect conversion between numeric types flaw was found in the
-mod_proxy module which affects some 64-bit architecture systems. A
-malicious HTTP server to which requests are being proxied could use
-this flaw to trigger a heap buffer overflow in an httpd child process
-via a carefully crafted response.
-</p>
-</dd>
-<dd>
- Reported to security team: 30th December 2009<br />
- Issue public: 7th December 2010<br />
- Update released: 3rd February 2010<br />
-</dd>
-<dd>
- Affected:
- 1.3.41, 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2<p />
-</dd>
-</dl>
- </blockquote>
- </td></tr>
-</table>
- <table border="0" cellspacing="0" cellpadding="2" width="100%">
- <tr>
- <td bgcolor="#525D76">
- <font color="#ffffff" face="arial,helvetica,sanserif">
<a name="1.3.39"><strong>Fixed in Apache httpd 1.3.39</strong></a>
</font>
</td>
Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=1179826&r1=1179825&r2=1179826&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Thu Oct 6 20:26:15 2011
@@ -78,7 +78,7 @@ This issue was reported by Context Infor
<affects prod="httpd" version="2.0.35"/>
</issue>
-<issue fixed="" reported="20110916" public="20111005" released="">
+<issue fixed="1.3-never" reported="20110916" public="20111005" released="">
<cve name="CVE-2011-3368"/>
<severity level="3">moderate</severity>
<title>mod_proxy reverse proxy exposure</title>
@@ -125,43 +125,6 @@ This issue was reported by Context Infor
<affects prod="httpd" version="1.3.2"/>
</issue>
-<issue fixed="1.3.41" public="20080102" reported="20071215" released="20080119">
-<cve name="CVE-2007-6388"/>
-<severity level="3">moderate</severity>
-<title>mod_status XSS</title>
-<description><p>
-A flaw was found in the mod_status module. On sites where mod_status is
-enabled and the status pages were publicly accessible, a cross-site
-scripting attack is possible.
-Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.</p></description>
-<affects prod="httpd" version="1.3.39"/>
-<affects prod="httpd" version="1.3.37"/>
-<affects prod="httpd" version="1.3.36"/>
-<affects prod="httpd" version="1.3.35"/>
-<affects prod="httpd" version="1.3.34"/>
-<affects prod="httpd" version="1.3.33"/>
-<affects prod="httpd" version="1.3.32"/>
-<affects prod="httpd" version="1.3.31"/>
-<affects prod="httpd" version="1.3.29"/>
-<affects prod="httpd" version="1.3.28"/>
-<affects prod="httpd" version="1.3.27"/>
-<affects prod="httpd" version="1.3.26"/>
-<affects prod="httpd" version="1.3.24"/>
-<affects prod="httpd" version="1.3.22"/>
-<affects prod="httpd" version="1.3.20"/>
-<affects prod="httpd" version="1.3.19"/>
-<affects prod="httpd" version="1.3.17"/>
-<affects prod="httpd" version="1.3.14"/>
-<affects prod="httpd" version="1.3.12"/>
-<affects prod="httpd" version="1.3.11"/>
-<affects prod="httpd" version="1.3.9"/>
-<affects prod="httpd" version="1.3.6"/>
-<affects prod="httpd" version="1.3.4"/>
-<affects prod="httpd" version="1.3.3"/>
-<affects prod="httpd" version="1.3.2"/>
-</issue>
-
-
<issue fixed="2.2.21" reported="20110907" public="20110914" released="20110914">
<cve name="CVE-2011-3348"/>
<severity level="3">moderate</severity>
@@ -1370,6 +1333,45 @@ vulnerable to cross-site request forgery
<affects prod="httpd" version="2.2.0"/>
</issue>
+<issue fixed="1.3.42" public="2010127" reported="20091230" released="20100203">
+<cve name="CVE-2010-0010"/>
+<severity level="3">moderate</severity>
+<title>mod_proxy overflow on 64-bit systems</title>
+<description><p>
+An incorrect conversion between numeric types flaw was found in the
+mod_proxy module which affects some 64-bit architecture systems. A
+malicious HTTP server to which requests are being proxied could use
+this flaw to trigger a heap buffer overflow in an httpd child process
+via a carefully crafted response.
+</p></description>
+<affects prod="httpd" version="1.3.41"/>
+<affects prod="httpd" version="1.3.39"/>
+<affects prod="httpd" version="1.3.37"/>
+<affects prod="httpd" version="1.3.36"/>
+<affects prod="httpd" version="1.3.35"/>
+<affects prod="httpd" version="1.3.34"/>
+<affects prod="httpd" version="1.3.33"/>
+<affects prod="httpd" version="1.3.32"/>
+<affects prod="httpd" version="1.3.31"/>
+<affects prod="httpd" version="1.3.29"/>
+<affects prod="httpd" version="1.3.28"/>
+<affects prod="httpd" version="1.3.27"/>
+<affects prod="httpd" version="1.3.26"/>
+<affects prod="httpd" version="1.3.24"/>
+<affects prod="httpd" version="1.3.22"/>
+<affects prod="httpd" version="1.3.20"/>
+<affects prod="httpd" version="1.3.19"/>
+<affects prod="httpd" version="1.3.17"/>
+<affects prod="httpd" version="1.3.14"/>
+<affects prod="httpd" version="1.3.12"/>
+<affects prod="httpd" version="1.3.11"/>
+<affects prod="httpd" version="1.3.9"/>
+<affects prod="httpd" version="1.3.6"/>
+<affects prod="httpd" version="1.3.4"/>
+<affects prod="httpd" version="1.3.3"/>
+<affects prod="httpd" version="1.3.2"/>
+</issue>
+
<issue fixed="2.2.8" public="20080102" reported="20071215" released="20080119">
<cve name="CVE-2007-6388"/>
<severity level="3">moderate</severity>
@@ -1420,18 +1422,15 @@ Note that the server-status page is not
<affects prod="httpd" version="2.0.35"/>
</issue>
-<issue fixed="1.3.42" public="2010127" reported="20091230" released="20100203">
-<cve name="CVE-2010-0010"/>
+<issue fixed="1.3.41" public="20080102" reported="20071215" released="20080119">
+<cve name="CVE-2007-6388"/>
<severity level="3">moderate</severity>
-<title>mod_proxy overflow on 64-bit systems</title>
+<title>mod_status XSS</title>
<description><p>
-An incorrect conversion between numeric types flaw was found in the
-mod_proxy module which affects some 64-bit architecture systems. A
-malicious HTTP server to which requests are being proxied could use
-this flaw to trigger a heap buffer overflow in an httpd child process
-via a carefully crafted response.
-</p></description>
-<affects prod="httpd" version="1.3.41"/>
+A flaw was found in the mod_status module. On sites where mod_status is
+enabled and the status pages were publicly accessible, a cross-site
+scripting attack is possible.
+Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.</p></description>
<affects prod="httpd" version="1.3.39"/>
<affects prod="httpd" version="1.3.37"/>
<affects prod="httpd" version="1.3.36"/>