You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2011/10/06 22:26:15 UTC
svn commit: r1179826 - in /httpd/site/trunk: docs/security/vulnerabilities_13.html xdocs/security/vulnerabilities-httpd.xml

Author: wrowe
Date: Thu Oct  6 20:26:15 2011
New Revision: 1179826

URL: http://svn.apache.org/viewvc?rev=1179826&view=rev
Log:
Correct mis-ordered 1.3 patches, use 1.3-never for post-1.3.42 vulnerabilities?

Modified:
    httpd/site/trunk/docs/security/vulnerabilities_13.html
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/docs/security/vulnerabilities_13.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_13.html?rev=1179826&r1=1179825&r2=1179826&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_13.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_13.html [utf-8] Thu Oct  6 20:26:15 2011
@@ -93,6 +93,89 @@ Team</a>.  </p>
  <tr>
  <td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="1.3-never"><strong>Fixed in Apache httpd 1.3-never</strong></a>
+  </font>
+ </td>
+ </tr>
+ <tr><td>
+  <blockquote>
+<dl>
+<dd>
+<b>moderate: </b>
+<b>
+<name name="CVE-2011-3368">mod_proxy reverse proxy exposure</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368">CVE-2011-3368</a>
+<p>
+An exposure was found when using mod_proxy in reverse proxy mode.
+In certain configurations using RewriteRule with proxy flag,
+a remote attacker could cause the reverse proxy to
+connect to an arbitrary server, possibly disclosing sensitive
+information from internal web servers not directly accessible to
+attacker.</p>
+<p>No update of 1.3 will be released.  Patches will be published to
+<a href="http://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/">http://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/</a>
+</p>
+</dd>
+<dd>
+<p>Acknowledgements: 
+This issue was reported by Context Information Security Ltd
+</p>
+</dd>
+<dd>
+  Reported to security team: 16th September 2011<br />
+  Issue public: 5th October 2011<br />
+</dd>
+<dd>
+      Affected: 
+    1.3.42, 1.3.41, 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2<p />
+</dd>
+</dl>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr>
+ <td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="1.3.42"><strong>Fixed in Apache httpd 1.3.42</strong></a>
+  </font>
+ </td>
+ </tr>
+ <tr><td>
+  <blockquote>
+<dl>
+<dd>
+<b>moderate: </b>
+<b>
+<name name="CVE-2010-0010">mod_proxy overflow on 64-bit systems</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0010">CVE-2010-0010</a>
+<p>
+An incorrect conversion between numeric types flaw was found in the
+mod_proxy module which affects some 64-bit architecture systems.  A
+malicious HTTP server to which requests are being proxied could use
+this flaw to trigger a heap buffer overflow in an httpd child process
+via a carefully crafted response.
+</p>
+</dd>
+<dd>
+  Reported to security team: 30th December 2009<br />
+  Issue public: 7th December 2010<br />
+  Update released: 3rd February 2010<br />
+</dd>
+<dd>
+      Affected: 
+    1.3.41, 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2<p />
+</dd>
+</dl>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr>
+ <td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
    <a name="1.3.41"><strong>Fixed in Apache httpd 1.3.41</strong></a>
   </font>
  </td>
@@ -170,44 +253,6 @@ cross-site scripting attack is possible.
  <tr>
  <td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="1.3.42"><strong>Fixed in Apache httpd 1.3.42</strong></a>
-  </font>
- </td>
- </tr>
- <tr><td>
-  <blockquote>
-<dl>
-<dd>
-<b>moderate: </b>
-<b>
-<name name="CVE-2010-0010">mod_proxy overflow on 64-bit systems</name>
-</b>
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0010">CVE-2010-0010</a>
-<p>
-An incorrect conversion between numeric types flaw was found in the
-mod_proxy module which affects some 64-bit architecture systems.  A
-malicious HTTP server to which requests are being proxied could use
-this flaw to trigger a heap buffer overflow in an httpd child process
-via a carefully crafted response.
-</p>
-</dd>
-<dd>
-  Reported to security team: 30th December 2009<br />
-  Issue public: 7th December 2010<br />
-  Update released: 3rd February 2010<br />
-</dd>
-<dd>
-      Affected: 
-    1.3.41, 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2<p />
-</dd>
-</dl>
-  </blockquote>
- </td></tr>
-</table>
-           <table border="0" cellspacing="0" cellpadding="2" width="100%">
- <tr>
- <td bgcolor="#525D76">
-  <font color="#ffffff" face="arial,helvetica,sanserif">
    <a name="1.3.39"><strong>Fixed in Apache httpd 1.3.39</strong></a>
   </font>
  </td>

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=1179826&r1=1179825&r2=1179826&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Thu Oct  6 20:26:15 2011
@@ -78,7 +78,7 @@ This issue was reported by Context Infor
 <affects prod="httpd" version="2.0.35"/>
 </issue>
 
-<issue fixed="" reported="20110916" public="20111005" released="">
+<issue fixed="1.3-never" reported="20110916" public="20111005" released="">
 <cve name="CVE-2011-3368"/>
 <severity level="3">moderate</severity>
 <title>mod_proxy reverse proxy exposure</title>
@@ -125,43 +125,6 @@ This issue was reported by Context Infor
 <affects prod="httpd" version="1.3.2"/>
 </issue>
 
-<issue fixed="1.3.41" public="20080102" reported="20071215" released="20080119">
-<cve name="CVE-2007-6388"/>
-<severity level="3">moderate</severity>      
-<title>mod_status XSS</title>
-<description><p>
-A flaw was found in the mod_status module. On sites where mod_status is
-enabled and the status pages were publicly accessible, a cross-site
-scripting attack is possible.
-Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.</p></description>
-<affects prod="httpd" version="1.3.39"/>
-<affects prod="httpd" version="1.3.37"/>
-<affects prod="httpd" version="1.3.36"/>
-<affects prod="httpd" version="1.3.35"/>
-<affects prod="httpd" version="1.3.34"/>
-<affects prod="httpd" version="1.3.33"/>
-<affects prod="httpd" version="1.3.32"/>
-<affects prod="httpd" version="1.3.31"/>
-<affects prod="httpd" version="1.3.29"/>
-<affects prod="httpd" version="1.3.28"/>
-<affects prod="httpd" version="1.3.27"/>
-<affects prod="httpd" version="1.3.26"/>
-<affects prod="httpd" version="1.3.24"/>
-<affects prod="httpd" version="1.3.22"/>
-<affects prod="httpd" version="1.3.20"/>
-<affects prod="httpd" version="1.3.19"/>
-<affects prod="httpd" version="1.3.17"/>
-<affects prod="httpd" version="1.3.14"/>
-<affects prod="httpd" version="1.3.12"/>
-<affects prod="httpd" version="1.3.11"/>
-<affects prod="httpd" version="1.3.9"/>
-<affects prod="httpd" version="1.3.6"/>
-<affects prod="httpd" version="1.3.4"/>
-<affects prod="httpd" version="1.3.3"/>
-<affects prod="httpd" version="1.3.2"/>
-</issue>
-
-
 <issue fixed="2.2.21" reported="20110907" public="20110914" released="20110914">
 <cve name="CVE-2011-3348"/>
 <severity level="3">moderate</severity>
@@ -1370,6 +1333,45 @@ vulnerable to cross-site request forgery
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
+<issue fixed="1.3.42" public="2010127" reported="20091230" released="20100203">
+<cve name="CVE-2010-0010"/>
+<severity level="3">moderate</severity>      
+<title>mod_proxy overflow on 64-bit systems</title>
+<description><p>
+An incorrect conversion between numeric types flaw was found in the
+mod_proxy module which affects some 64-bit architecture systems.  A
+malicious HTTP server to which requests are being proxied could use
+this flaw to trigger a heap buffer overflow in an httpd child process
+via a carefully crafted response.
+</p></description>
+<affects prod="httpd" version="1.3.41"/>
+<affects prod="httpd" version="1.3.39"/>
+<affects prod="httpd" version="1.3.37"/>
+<affects prod="httpd" version="1.3.36"/>
+<affects prod="httpd" version="1.3.35"/>
+<affects prod="httpd" version="1.3.34"/>
+<affects prod="httpd" version="1.3.33"/>
+<affects prod="httpd" version="1.3.32"/>
+<affects prod="httpd" version="1.3.31"/>
+<affects prod="httpd" version="1.3.29"/>
+<affects prod="httpd" version="1.3.28"/>
+<affects prod="httpd" version="1.3.27"/>
+<affects prod="httpd" version="1.3.26"/>
+<affects prod="httpd" version="1.3.24"/>
+<affects prod="httpd" version="1.3.22"/>
+<affects prod="httpd" version="1.3.20"/>
+<affects prod="httpd" version="1.3.19"/>
+<affects prod="httpd" version="1.3.17"/>
+<affects prod="httpd" version="1.3.14"/>
+<affects prod="httpd" version="1.3.12"/>
+<affects prod="httpd" version="1.3.11"/>
+<affects prod="httpd" version="1.3.9"/>
+<affects prod="httpd" version="1.3.6"/>
+<affects prod="httpd" version="1.3.4"/>
+<affects prod="httpd" version="1.3.3"/>
+<affects prod="httpd" version="1.3.2"/>
+</issue>
+
 <issue fixed="2.2.8" public="20080102" reported="20071215" released="20080119">
 <cve name="CVE-2007-6388"/>
 <severity level="3">moderate</severity>      
@@ -1420,18 +1422,15 @@ Note that the server-status page is not 
 <affects prod="httpd" version="2.0.35"/>
 </issue>
 
-<issue fixed="1.3.42" public="2010127" reported="20091230" released="20100203">
-<cve name="CVE-2010-0010"/>
+<issue fixed="1.3.41" public="20080102" reported="20071215" released="20080119">
+<cve name="CVE-2007-6388"/>
 <severity level="3">moderate</severity>      
-<title>mod_proxy overflow on 64-bit systems</title>
+<title>mod_status XSS</title>
 <description><p>
-An incorrect conversion between numeric types flaw was found in the
-mod_proxy module which affects some 64-bit architecture systems.  A
-malicious HTTP server to which requests are being proxied could use
-this flaw to trigger a heap buffer overflow in an httpd child process
-via a carefully crafted response.
-</p></description>
-<affects prod="httpd" version="1.3.41"/>
+A flaw was found in the mod_status module. On sites where mod_status is
+enabled and the status pages were publicly accessible, a cross-site
+scripting attack is possible.
+Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.</p></description>
 <affects prod="httpd" version="1.3.39"/>
 <affects prod="httpd" version="1.3.37"/>
 <affects prod="httpd" version="1.3.36"/>