Posted to cvs@httpd.apache.org by yl...@apache.org on 2018/03/25 18:33:12 UTC

svn commit: r1827731 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Author: ylavic
Date: Sun Mar 25 18:33:12 2018
New Revision: 1827731

URL: http://svn.apache.org/viewvc?rev=1827731&view=rev
Log:
Update security vulnerabilities' page for 2.4.30-33.

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1827731&r1=1827730&r2=1827731&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Sun Mar 25 18:33:12 2018
@@ -1,4 +1,247 @@
-<security updated="20170921">
+<security updated="20180325">
+
+<issue fixed="2.4.30" reported="20171114" public="20180324" released="20180324">
+<cve name="CVE-2018-1283"/>
+<severity level="2">medium</severity>
+<title>Tampering of mod_session data for CGI applications</title>
+<description>
+<p>When mod_session is configured to forward its session data to CGI
+applications (SessionEnv on, not the default), a remote user may influence
+their content by using a "Session" header.</p>
+<p>This comes from the "HTTP_SESSION"
+variable name used by mod_session to forward its data to CGIs, since the
+prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header
+fields, per CGI specifications.</p>
+<p>The severity is set to Medium because "SessionEnv on" is not a default nor
+common configuration, it should be considered High when this is the case
+though, because of the possible remote exploitation.</p>
+</description>
+<acknowledgements>
+The issue was discovered internally by the Apache HTTP Server team.
+</acknowledgements>
+<affects prod="httpd" version="2.4.29"/>
+<affects prod="httpd" version="2.4.28"/>
+<affects prod="httpd" version="2.4.27"/>
+<affects prod="httpd" version="2.4.26"/>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.4.30" reported="20180123" public="20180324" released="20180324">
+<cve name="CVE-2018-1303"/>
+<severity level="2">low</severity>
+<title>Possible out of bound read in mod_cache_socache</title>
+<description>
+<p>A specially crafted HTTP request header could have crashed the Apache HTTP
+Server prior to version 2.4.30 due to an out of bound read while preparing data
+to be cached in shared memory. It could be used as a Denial of Service attack
+against users of mod_cache_socache.</p>
+</description>
+<acknowledgements>
+The issue was discovered by Robert Swiecki, bug found by honggfuzz.
+</acknowledgements>
+<affects prod="httpd" version="2.4.29"/>
+<affects prod="httpd" version="2.4.28"/>
+<affects prod="httpd" version="2.4.27"/>
+<affects prod="httpd" version="2.4.26"/>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+</issue>
+
+<issue fixed="2.4.30" reported="20180123" public="20180324" released="20180324">
+<cve name="CVE-2018-1302"/>
+<severity level="2">low</severity>
+<title>Possible write of after free on HTTP/2 stream shutdown</title>
+<description>
+<p>When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server
+prior to version 2.4.30 could have written a NULL pointer potentially to an
+already freed memory.</p>
+<p>The memory pools maintained by the server make this
+vulnerabilty hard to trigger in usual configurations, the reporter and the team
+could not reproduce it outside debug builds, so it is classified as low risk.</p>
+</description>
+<acknowledgements>
+The issue was discovered by Robert Swiecki, bug found by honggfuzz.
+</acknowledgements>
+<affects prod="httpd" version="2.4.29"/>
+<affects prod="httpd" version="2.4.28"/>
+<affects prod="httpd" version="2.4.27"/>
+<affects prod="httpd" version="2.4.26"/>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+</issue>
+
+<issue fixed="2.4.30" reported="20180123" public="20180324" released="20180324">
+<cve name="CVE-2018-1301"/>
+<severity level="2">low</severity>
+<title>Possible out of bound access after failure in reading the HTTP request</title>
+<description>
+<p>A specially crafted request could have crashed the Apache HTTP Server prior to
+version 2.4.30, due to an out of bound access after a size limit is reached by
+reading the HTTP header. This vulnerability is considered very hard if not
+impossible to trigger in non-debug mode (both log and build level), so it is
+classified as low risk for common server usage.</p>
+</description>
+<acknowledgements>
+The issue was discovered by Robert Swiecki, bug found by honggfuzz.
+</acknowledgements>
+<affects prod="httpd" version="2.4.29"/>
+<affects prod="httpd" version="2.4.28"/>
+<affects prod="httpd" version="2.4.27"/>
+<affects prod="httpd" version="2.4.26"/>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.4.30" reported="20130305" public="20180324" released="20180324">
+<cve name="CVE-2018-1312"/>
+<severity level="2">low</severity>
+<title>Weak Digest auth nonce generation in mod_auth_digest</title>
+<description>
+<p>When generating an HTTP Digest authentication challenge, the nonce
+sent to prevent reply attacks was not correctly generated using a
+pseudo-random seed.</p>
+<p>In a cluster of servers using a common Digest
+authentication configuration, HTTP requests could be replayed across
+servers by an attacker without detection.</p>
+</description>
+<acknowledgements>
+The issue was discovered by Nicolas Daniels.
+</acknowledgements>
+<affects prod="httpd" version="2.4.29"/>
+<affects prod="httpd" version="2.4.28"/>
+<affects prod="httpd" version="2.4.27"/>
+<affects prod="httpd" version="2.4.26"/>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.4.30" reported="20171124" public="20180324" released="20180324">
+<cve name="CVE-2017-15715"/>
+<severity level="2">low</severity>
+<title>&lt;FilesMatch&gt; bypass with a trailing newline in the file name</title>
+<description>
+<p>The expression specified in &lt;FilesMatch&gt; could match '$' to a newline character
+in a malicious filename, rather than matching only the end of the filename.</p>
+<p>This could be exploited in environments where uploads of some files are are
+externally blocked, but only by matching the trailing portion of the filename.</p>
+</description>
+<acknowledgements>
+The issue was discovered by Elar Lang - security.elarlang.eu
+</acknowledgements>
+<affects prod="httpd" version="2.4.29"/>
+<affects prod="httpd" version="2.4.28"/>
+<affects prod="httpd" version="2.4.27"/>
+<affects prod="httpd" version="2.4.26"/>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.4.30" reported="20171207" public="20180324" released="20180324">
+<cve name="CVE-2017-15710"/>
+<severity level="2">low</severity>
+<title>Out of bound write in mod_authnz_ldap when using too small Accept-Language values</title>
+<description>
+<p>mod_authnz_ldap, if configured with AuthLDAPCharsetConfig,
+uses the Accept-Language header value to lookup the right charset encoding
+when verifying the user's credentials.</p>
+<p>If the header value is not present in the charset conversion
+table, a fallback mechanism is used to truncate it to a two
+characters value to allow a quick retry (for example, 'en-US' is truncated
+to 'en'). A header value of less than two characters forces an out of bound
+write of one NUL byte to a memory location that is not part of the string.
+In the worst case, quite unlikely, the process would crash which could
+be used as a Denial of Service attack. In the more likely case, this memory is
+already reserved for future use and the issue has no effect at all.</p>
+</description>
+<acknowledgements>
+The Apache HTTP Server security team would like to thank Alex Nichols
+and Jakob Hirsch for reporting this issue.
+</acknowledgements>
+<affects prod="httpd" version="2.4.29"/>
+<affects prod="httpd" version="2.4.28"/>
+<affects prod="httpd" version="2.4.27"/>
+<affects prod="httpd" version="2.4.26"/>
+<affects prod="httpd" version="2.4.25"/>
+<affects prod="httpd" version="2.4.23"/>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<affects prod="httpd" version="2.4.17"/>
+<affects prod="httpd" version="2.4.16"/>
+<affects prod="httpd" version="2.4.12"/>
+<affects prod="httpd" version="2.4.10"/>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
 
 <issue fixed="2.4.28" reported="20170712" public="20170918" released="20171005">
 <cve name="CVE-2017-9798"/>
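Review bot: the severity markup in the new entries is inconsistent. The CVE-2018-1283 entry carries `<severity level="2">medium</severity>` while every other new entry carries `<severity level="2">low</severity>`, so the numeric level attribute and the text disagree for one of them; pick the level value that matches "medium" for CVE-2018-1283 (or the one that matches "low" for the others) so that anything sorting or styling by the attribute agrees with the displayed word. Also worth settling before this lands: the log says the page is updated for 2.4.30-33, but all seven issues say `fixed="2.4.30"` with `released="20180324"`, so confirm that `fixed` should name the version that actually shipped on that date rather than the first unreleased tag. Several descriptions have typos that will be visible on the public page: "Possible write of after free" (drop "of"), "vulnerabilty" in the CVE-2018-1302 text, "reply attacks" should read "replay attacks" in the CVE-2018-1312 text, and "some files are are" in the CVE-2017-15715 text; "a two characters value" reads better as "a two-character value". Finally, the `updated` attribute moved from 20170921 to 20180325, one day after the `public`/`released` dates, which is fine but should stay in sync with any later edit to these entries.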