You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/07/13 13:01:43 UTC

svn commit: r1801835 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Author: wrowe
Date: Thu Jul 13 13:01:43 2017
New Revision: 1801835

URL: http://svn.apache.org/viewvc?rev=1801835&view=rev
Log:
Announce vulnerabilites

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1801835&r1=1801834&r2=1801835&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Thu Jul 13 13:01:43 2017
@@ -1,5 +1,105 @@
 <security updated="20170619">
 
+<issue fixed="2.4.27" reported="20170630" public="20170711" released="20170711">
+<cve name="CVE-2017-9789"/>
+<severity level="2">important</severity>
+<title>Read after free in mod_http2</title>
+<description><p>
+When under stress, closing many connections, the HTTP/2
+handling code would sometimes access memory after it has
+been freed, resulting in potentially erratic behaviour.
+</p></description>
+<acknowledgements>
+We would like to thank Robert Święcki for reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.26"/>
+</issue>
+
+<issue fixed="2.4.27" reported="20170628" public="20170711" released="20170711">
+<cve name="CVE-2017-9788"/>
+<severity level="2">important</severity>
+<title>Uninitialized memory reflection in mod_auth_digest</title>
+<description><p>
+The value placeholder in [Proxy-]Authorization headers
+of type 'Digest' was not initialized or reset
+before or between successive key=value assignments.
+by mod_auth_digest.
+</p><p>
+Providing an initial key with no '=' assignment
+could reflect the stale value of uninitialized pool
+memory used by the prior request, leading to leakage
+of potentially confidential information, and a segfault.
+</p></description>
+<acknowledgements>
+We would like to thank Robert Święcki for reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.26"/>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.2.34" reported="20170628" public="20170711" released="20170711">
+<cve name="CVE-2017-9788"/>
+<severity level="2">important</severity>
+<title>Uninitialized memory reflection in mod_auth_digest</title>
+<description><p>
+The value placeholder in [Proxy-]Authorization headers
+of type 'Digest' was not initialized or reset
+before or between successive key=value assignments.
+by mod_auth_digest.
+</p><p>
+Providing an initial key with no '=' assignment
+could reflect the stale value of uninitialized pool
+memory used by the prior request, leading to leakage
+of potentially confidential information, and a segfault.
+</p></description>
+<acknowledgements>
+We would like to thank Robert Święcki for reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.2.32"/>
+<affects prod="httpd" version="2.2.31"/>
+<affects prod="httpd" version="2.2.29"/>
+<affects prod="httpd" version="2.2.27"/>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
 <issue fixed="2.4.26" reported="20170206" public="20170619" released="20170619">
 <cve name="CVE-2017-3167"/>
 <severity level="2">important</severity>