Posted to cvs@httpd.apache.org by wr...@apache.org on 2014/03/26 23:02:54 UTC

svn commit: r1582084 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Author: wrowe
Date: Wed Mar 26 22:02:54 2014
New Revision: 1582084

URL: http://svn.apache.org/r1582084
Log:
These impact 2.2 as well as 2.4

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1582084&r1=1582083&r2=1582084&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Wed Mar 26 22:02:54 2014
@@ -19,6 +19,44 @@ denial of service if using a threaded MP
 This issue was reported by Rainer M Canavan
 </acknowledgements>
 </issue>
+<issue fixed="2.2.27" reported="20140225" public="20140317" released="20140326">
+<cve name="CVE-2014-0098"/>
+<severity level="4">low</severity>
+<title>mod_log_config crash</title>
+<description><p>
+A flaw was found in mod_log_config.  A remote attacker could send a
+specific truncated cookie causing a crash.  This crash would only be a
+denial of service if using a threaded MPM.
+</p></description>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+<acknowledgements>
+This issue was reported by Rainer M Canavan
+</acknowledgements>
+</issue>
 
 <issue fixed="2.4.9" reported="20131210" public="20140317" released="20140317">
 <cve name="CVE-2013-6438"/>
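Review bot: Both added `<issue>` records reuse a CVE name that already has an entry in this file (the 2.4.9 record for CVE-2013-6438 is visible as context at the end of this hunk, and the lines just above the CVE-2014-0098 addition look like the tail of its 2.4 record), so a CVE is now identified only by the pair of `cve name` and `fixed`. A consumer that takes the first match for a CVE would report the 2.4 fix version to someone running 2.2; a short comment on each new record, for example `<!-- 2.2.x counterpart of the 2.4.x entry for this CVE; keep description and acknowledgements in sync -->`, would make the pairing explicit. The same applies to the CVE-2013-6438 record added in the second hunk. As a smaller style point, the CVE-2014-0098 record begins directly after the previous `</issue>` with no blank line, whereas the record added in the second hunk is followed by one.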
@@ -41,6 +79,46 @@ This issue was reported by Ning Zhang &a
 </acknowledgements>
 </issue>
 
+<issue fixed="2.2.27" reported="20131210" public="20140317" released="20140326">
+<cve name="CVE-2013-6438"/>
+<severity level="3">moderate</severity>
+<title>mod_dav crash</title>
+<description><p>
+XML parsing code in mod_dav incorrectly calculates the end of the string when
+removing leading spaces and places a NUL character outside the buffer, causing
+random crashes. This XML parsing code is only used with DAV provider modules
+that support DeltaV, of which the only publicly released provider is mod_dav_svn.
+</p></description>
+<affects prod="httpd" version="2.2.26"/>
+<affects prod="httpd" version="2.2.25"/>
+<affects prod="httpd" version="2.2.24"/>
+<affects prod="httpd" version="2.2.23"/>
+<affects prod="httpd" version="2.2.22"/>
+<affects prod="httpd" version="2.2.21"/>
+<affects prod="httpd" version="2.2.20"/>
+<affects prod="httpd" version="2.2.19"/>
+<affects prod="httpd" version="2.2.18"/>
+<affects prod="httpd" version="2.2.17"/>
+<affects prod="httpd" version="2.2.16"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+<acknowledgements>
+This issue was reported by Ning Zhang &amp; Amin Tora of Neustar
+</acknowledgements>
+</issue>
+
 <issue fixed="2.4.6" reported="20130307" public="20130523" released="20130722">
 <cve name="CVE-2013-1896"/>
 <severity level="3">moderate</severity>