You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by bu...@apache.org on 2019/08/15 06:00:31 UTC
svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./
security/vulnerabilities-httpd.xml security/vulnerabilities_13.html
security/vulnerabilities_20.html security/vulnerabilities_22.html
security/vulnerabilities_24.html
Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_22.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_22.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_22.html Thu Aug 15 06:00:30 2019
@@ -97,7 +97,2460 @@ h2:hover > .headerlink, h3:hover > .head
<!-- RIGHT SIDE INFORMATION -->
<div id="apcontents">
-
+ <h1 id="top">Apache HTTP Server 2.2 vulnerabilities</h1><p>This page lists all security vulnerabilities fixed in released
+versions of Apache HTTP Server 2.2. Each
+vulnerability is given a security <a href="/security/impact_levels.html">impact rating</a> by the Apache
+security team - please note that this rating may well vary from
+platform to platform. We also list the versions of Apache httpd the
+flaw is known to affect, and where a flaw has not been verified list
+the version with a question mark. </p><p> Please note that if a vulnerability is shown below as being fixed
+in a "-dev" release then this means that a fix has been applied to
+the development source tree and will be part of an upcoming full release.</p><p> Please send comments or corrections for
+these vulnerabilities to the <a href="/security_report.html">Security
+Team</a>. </p><p><h3>Apache httpd 2.2 is End-of-Life since December 2017 and should not be used. This page only lists security issues that occurred before the End-of-Life. Subsequent issues may have affected 2.2 but will not be investigated or listed here. Users are advised to upgrade to the currently supported released version to address known issues.</h3></p><br/><h1 id="2.2.35-never">
+Not fixed in Apache httpd 2.2</h1><dl>
+ <dt>
+ <h3 id="CVE-2017-9798">low:
+ <name name="CVE-2017-9798">Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed")</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798">CVE-2017-9798</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>When an unrecognized HTTP Method is given in an <Limit {method}>
+directive in an .htaccess file, and that .htaccess file is processed by the
+corresponding request, the global methods table is corrupted in the current
+worker process, resulting in erratic behaviour.</p>
+ <p>This behavior may be avoided by listing all unusual HTTP Methods in a global
+httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later.</p>
+ <p>To permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive.</p>
+ <p>Source code patch (2.4) is at;</p>
+ <ul>
+<li><a href="https://www.apache.org/dist/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch">CVE-2017-9798-patch-2.4.patch</a></li>
+</ul>
+ <p>Source code patch (2.2) is at;</p>
+ <ul>
+<li><a href="https://archive.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch">CVE-2017-9798-patch-2.2.patch</a></li>
+</ul>
+ <p>Note 2.2 is end-of-life, no further release with this fix is planned. Users
+are encouraged to migrate to 2.4.28 or later for this and other fixes.</p>
+ <p>Acknowledgements:
+We would like to thank Hanno Böck for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">12th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">18th September 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.34, 2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.34">
+Fixed in Apache httpd 2.2.34</h1><dl>
+ <dt>
+ <h3 id="CVE-2017-9788">important:
+ <name name="CVE-2017-9788">Uninitialized memory reflection in mod_auth_digest</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788">CVE-2017-9788</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+The value placeholder in [Proxy-]Authorization headers
+of type 'Digest' was not initialized or reset
+before or between successive key=value assignments.
+by mod_auth_digest.
+</p>
+ <p>
+Providing an initial key with no '=' assignment
+could reflect the stale value of uninitialized pool
+memory used by the prior request, leading to leakage
+of potentially confidential information, and a segfault.
+</p>
+ <p>Acknowledgements:
+We would like to thank Robert ÅwiÄcki for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">28th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">11th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">11th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-3167">important:
+ <name name="CVE-2017-3167">ap_get_basic_auth_pw() Authentication Bypass</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167">CVE-2017-3167</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+authentication phase may lead to authentication requirements being bypassed.
+</p>
+ <p>
+Third-party module writers SHOULD use ap_get_basic_auth_components(), available
+in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the
+legacy ap_get_basic_auth_pw() during the authentication phase MUST either
+immediately authenticate the user after the call, or else stop the request
+immediately with an error response, to avoid incorrectly authenticating the
+current request.
+</p>
+ <p>Acknowledgements:
+We would like to thank Emmanuel Dreyfus for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">6th February 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">11th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-3169">important:
+ <name name="CVE-2017-3169">mod_ssl Null Pointer Dereference</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169">CVE-2017-3169</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+mod_ssl may dereference a NULL pointer when third-party modules call
+ap_hook_process_connection() during an HTTP request to an HTTPS port.
+</p>
+ <p>Acknowledgements:
+We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for
+reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">5th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">11th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-7668">important:
+ <name name="CVE-2017-7668">ap_find_token() Buffer Overread</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668">CVE-2017-7668</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
+token list parsing, which allows ap_find_token() to search past the end of its
+input string. By maliciously crafting a sequence of request headers, an attacker
+may be able to cause a segmentation fault, or to force ap_find_token() to return
+an incorrect value.
+</p>
+ <p>Acknowledgements:
+We would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this
+issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">6th May 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">11th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.32</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2017-7679">important:
+ <name name="CVE-2017-7679">mod_mime Buffer Overread</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679">CVE-2017-7679</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+mod_mime can read one byte past the end of a buffer when sending a malicious
+Content-Type response header.
+</p>
+ <p>Acknowledgements:
+We would like to thank ChenQin and Hanno Böck for reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">15th November 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th June 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">11th July 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.32, 2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.32">
+Fixed in Apache httpd 2.2.32</h1><dl>
+ <dt>
+ <h3 id="CVE-2016-8743">important:
+ <name name="CVE-2016-8743">Apache HTTP Request Parsing Whitespace Defects</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Apache HTTP Server, prior to release 2.4.25 (2.2.32), accepted a broad pattern
+of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB
+in parsing the request line and request header lines, as well as HTAB in
+parsing the request line. Any bare CR present in request lines was treated
+as whitespace and remained in the request field member "the_request", while
+a bare CR in the request header field name would be honored as whitespace,
+and a bare CR in the request header field value was retained the input headers
+array. Implied additional whitespace was accepted in the request line and prior
+to the ':' delimiter of any request header lines.
+</p>
+ <p>
+RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section
+3.2.3 eliminated and clarified the role of implied whitespace in the grammer
+of this specification. Section 3.1.1 requires exactly one single SP between the
+method and request-target, and between the request-target and HTTP-version,
+followed immediately by a CRLF sequence. None of these fields permit any
+(unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed
+any whitespace from the request header field prior to the ':' character, while
+Section 3.2 disallows all CTL characters in the request header line other than
+the HTAB character as whitespace.
+</p>
+ <p>
+These defects represent a security concern when httpd is participating in any
+chain of proxies or interacting with back-end application servers, either
+through mod_proxy or using conventional CGI mechanisms. In each case where one
+agent accepts such CTL characters and does not treat them as whitespace, there
+is the possiblity in a proxy chain of generating two responses from a server
+behind the uncautious proxy agent. In a sequence of two requests, this results
+in request A to the first proxy being interpreted as requests A + A' by the
+backend server, and if requests A and B were submitted to the first proxy in
+a keepalive connection, the proxy may interpret response A' as the response
+to request B, polluting the cache or potentially serving the A' content to
+a different downstream user-agent.
+</p>
+ <p>
+These defects are addressed with the release of Apache HTTP Server 2.4.25
+and coordinated by a new directive;
+</p>
+ <ul>
+ <li>
+<a href="http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions">HttpProtocolOptions Strict</a></li>
+ </ul>
+ <p>
+which is the default behavior of 2.4.25 and later. By toggling from 'Strict'
+behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow
+some invalid HTTP/1.1 clients to communicate with the server, but this will
+reintroduce the possibility of the problems described in this assessment.
+Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs
+other than HTAB (where permitted), but will allow other RFC requirements to
+not be enforced, such as exactly two SP characters in the request line.
+</p>
+ <p>Acknowledgements:
+We would like to thank David Dennerline at IBM Security's X-Force Researchers
+as well as Régis Leroy for each reporting this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">10th February 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">20th December 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">13th January 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2016-4975">moderate:
+ <name name="CVE-2016-4975">mod_userdir CRLF injection</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4975">CVE-2016-4975</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Possible CRLF injection allowing HTTP response splitting attacks
+for sites which use mod_userdir. This issue was
+mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF
+injection into the "Location" or other outbound
+header key or value.
+</p>
+ <p>Acknowledgements:
+The issue was discovered by Sergey Bobrov
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">24th July 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th August 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">13th January 2017</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2016-5387">n/a:
+ <name name="CVE-2016-5387">HTTP_PROXY environment variable "httpoxy" mitigation</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387">CVE-2016-5387</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ HTTP_PROXY is a well-defined environment variable in a CGI process,
+ which collided with a number of libraries which failed to avoid
+ colliding with this CGI namespace. A mitigation is provided for the
+ httpd CGI environment to avoid populating the "HTTP_PROXY" variable
+ from a "Proxy:" header, which has never been registered by IANA.
+</p>
+ <p>
+ This workaround and patch are documented in the ASF Advisory at
+ <a href="https://www.apache.org/security/asf-httpoxy-response.txt">asf-httpoxy-response.txt</a>
+ and incorporated in the 2.4.25 and 2.2.32 releases.
+</p>
+ <p>
+ Note: This is not assigned an httpd severity, as it is a defect in
+ other software which overloaded well-established CGI environment
+ variables, and does not reflect an error in HTTP server software.
+</p>
+ <p>Acknowledgements:
+We would like to thank Dominic Scheirlinck and Scott Geary of Vend
+for reporting and proposing a fix for this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">2nd July 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">18th July 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">18th July 2016</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.31, 2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.31">
+Fixed in Apache httpd 2.2.31</h1><dl>
+ <dt>
+ <h3 id="CVE-2015-3183">low:
+ <name name="CVE-2015-3183">HTTP request smuggling attack against chunked request parser</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183">CVE-2015-3183</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+ An HTTP request smuggling attack was possible due to a bug in parsing of
+ chunked requests. A malicious client could force the server to
+ misinterpret the request length, allowing cache poisoning or
+ credential hijacking if an intermediary proxy is in use.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Régis Leroy.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">4th April 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">9th June 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">16th July 2015</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.29, 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.29">
+Fixed in Apache httpd 2.2.29</h1><dl>
+ <dt>
+ <h3 id="CVE-2014-0231">important:
+ <name name="CVE-2014-0231">mod_cgid denial of service</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231">CVE-2014-0231</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI
+scripts which did not consume standard input, a remote attacker could
+cause child processes to hang indefinitely, leading to denial of
+service.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Rainer Jung of the ASF
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">16th June 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">3rd September 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2013-5704">low:
+ <name name="CVE-2013-5704">HTTP Trailers processing bypass</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704">CVE-2013-5704</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+HTTP trailers could be used to replace HTTP headers late during request
+processing, potentially undoing or otherwise confusing modules that
+examined or modified request headers earlier.</p>
+ <p>This fix adds the "MergeTrailers" directive to restore legacy behavior.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Martin Holst Swende.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">6th September 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th October 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">3rd September 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2014-0118">moderate:
+ <name name="CVE-2014-0118">mod_deflate denial of service</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118">CVE-2014-0118</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A resource consumption flaw was found in mod_deflate. If request body
+decompression was configured (using the "DEFLATE" input filter), a
+remote attacker could cause the server to consume significant memory
+and/or CPU resources. The use of request body decompression is not a common
+configuration.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Giancarlo Pellegrino and Davide Balzarotti
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">19th February 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">3rd September 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2014-0226">moderate:
+ <name name="CVE-2014-0226">mod_status buffer overflow</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226">CVE-2014-0226</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A race condition was found in mod_status. An attacker able to access
+a public server status page on a server using a threaded MPM could send a
+carefully crafted request which could lead to a heap buffer overflow. Note
+that it is not a default or recommended configuration to have a public
+accessible server status page.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Marek Kroemeke, AKAT-1 and
+22733db72ab3ed94b5f8a1ffcde850251fe6f466 via HP ZDI
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">30th May 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th July 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">3rd September 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.27">
+Fixed in Apache httpd 2.2.27</h1><dl>
+ <dt>
+ <h3 id="CVE-2014-0098">low:
+ <name name="CVE-2014-0098">mod_log_config crash</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098">CVE-2014-0098</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in mod_log_config. A remote attacker could send a
+specific truncated cookie causing a crash. This crash would only be a
+denial of service if using a threaded MPM.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Rainer M Canavan
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">25th February 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">17th March 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">26th March 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2013-6438">moderate:
+ <name name="CVE-2013-6438">mod_dav crash</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438">CVE-2013-6438</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+XML parsing code in mod_dav incorrectly calculates the end of the string when
+removing leading spaces and places a NUL character outside the buffer, causing
+random crashes. This XML parsing code is only used with DAV provider modules
+that support DeltaV, of which the only publicly released provider is mod_dav_svn.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Ning Zhang & Amin Tora of Neustar
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">10th December 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">17th March 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">26th March 2014</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.25">
+Fixed in Apache httpd 2.2.25</h1><dl>
+ <dt>
+ <h3 id="CVE-2013-1862">low:
+ <name name="CVE-2013-1862">mod_rewrite log escape filtering</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862">CVE-2013-1862</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+mod_rewrite does not filter terminal escape sequences from logs,
+which could make it easier for attackers to insert those sequences
+into terminal emulators containing vulnerabilities related to escape
+sequences.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Ramiro Molina
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">13th March 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th April 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">22nd July 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2013-1896">moderate:
+ <name name="CVE-2013-1896">mod_dav crash</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896">CVE-2013-1896</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Sending a MERGE request against a URI handled by mod_dav_svn with the
+source href (sent as part of the request body as XML) pointing to a
+URI that is not configured for DAV will trigger a segfault.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Ben Reser
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">7th March 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">23rd May 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">22nd July 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.24">
+Fixed in Apache httpd 2.2.24</h1><dl>
+ <dt>
+ <h3 id="CVE-2012-3499">low:
+ <name name="CVE-2012-3499">XSS due to unescaped hostnames</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499">CVE-2012-3499</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Various XSS flaws due to unescaped hostnames and URIs HTML output in
+mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Niels Heinen of Google
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">11th July 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">18th February 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">25th February 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2012-4558">moderate:
+ <name name="CVE-2012-4558">XSS in mod_proxy_balancer</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558">CVE-2012-4558</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A XSS flaw affected the mod_proxy_balancer manager interface.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Niels Heinen of Google
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">7th October 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">18th February 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">25th February 2013</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.23">
+Fixed in Apache httpd 2.2.23</h1><dl>
+ <dt>
+ <h3 id="CVE-2012-2687">low:
+ <name name="CVE-2012-2687">XSS in mod_negotiation when untrusted uploads are supported</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687">CVE-2012-2687</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Possible XSS for sites which use mod_negotiation and allow
+untrusted uploads to locations which have MultiViews enabled.
+</p>
+ <p>Note: This issue is also known as CVE-2008-0455.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">31st May 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">13th June 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">13th September 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2012-0883">low:
+ <name name="CVE-2012-0883">insecure LD_LIBRARY_PATH handling</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883">CVE-2012-0883</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Insecure handling of LD_LIBRARY_PATH was found that could
+lead to the current working directory to be searched for DSOs.
+This could allow a local user to execute code as root if an
+administrator runs apachectl from an untrusted directory.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">14th February 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd March 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">13th September 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.22">
+Fixed in Apache httpd 2.2.22</h1><dl>
+ <dt>
+ <h3 id="CVE-2012-4557">low:
+ <name name="CVE-2012-4557">mod_proxy_ajp remote DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4557">CVE-2012-4557</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found when mod_proxy_ajp connects to a backend server that
+takes too long to respond. Given a specific configuration, a remote
+attacker could send certain requests, putting a backend server into an
+error state until the retry timeout expired. This could lead to a
+temporary denial of service.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">11th October 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">4th January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">31st January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2011-3607">low:
+ <name name="CVE-2011-3607">mod_setenvif .htaccess privilege escalation</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607">CVE-2011-3607</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+An integer overflow flaw was found which, when the mod_setenvif module
+is enabled, could allow local users to gain privileges via a .htaccess
+file.
+</p>
+ <p>Acknowledgements:
+This issue was reported by halfdog
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">4th October 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd November 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">31st January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2012-0021">low:
+ <name name="CVE-2012-0021">mod_log_config crash</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021">CVE-2012-0021</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in mod_log_config. If the '%{cookiename}C' log format string
+is in use, a remote attacker could send a specific cookie causing a crash.
+This crash would only be a denial of service if using a threaded MPM.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">30th December 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">28th November 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">31st January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2012-0031">low:
+ <name name="CVE-2012-0031">scoreboard parent DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031">CVE-2012-0031</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the handling of the scoreboard. An
+unprivileged child process could cause the parent process to crash at
+shutdown rather than terminate cleanly.
+</p>
+ <p>Acknowledgements:
+This issue was reported by halfdog
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">30th December 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">11th January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">31st January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2011-4317">moderate:
+ <name name="CVE-2011-4317">mod_proxy reverse proxy exposure </name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317">CVE-2011-4317</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+An additional exposure was found when using mod_proxy in reverse proxy
+mode. In certain configurations using RewriteRule with proxy flag or
+ProxyPassMatch, a remote attacker could cause the reverse proxy to
+connect to an arbitrary server, possibly disclosing sensitive
+information from internal web servers not directly accessible to
+attacker.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Prutha Parikh of Qualys
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">20th October 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">22nd January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">31st January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2012-0053">moderate:
+ <name name="CVE-2012-0053">error responses can expose cookies</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053">CVE-2012-0053</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the default error response for status code 400. This flaw could
+be used by an attacker to expose "httpOnly" cookies
+when no custom ErrorDocument is specified.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Norman Hippert
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">15th January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">23rd January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">31st January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2011-3368">moderate:
+ <name name="CVE-2011-3368">mod_proxy reverse proxy exposure</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368">CVE-2011-3368</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+An exposure was found when using mod_proxy in reverse proxy mode.
+In certain configurations using RewriteRule with proxy flag or
+ProxyPassMatch, a remote attacker could cause the reverse proxy to
+connect to an arbitrary server, possibly disclosing sensitive
+information from internal web servers not directly accessible to
+attacker.</p>
+ <p>No update of 1.3 will be released. Patches will be published to
+<a href="https://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/">https://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/</a></p>
+ <p>Acknowledgements:
+This issue was reported by Context Information Security Ltd
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">16th September 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">5th October 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">31st January 2012</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.21">
+Fixed in Apache httpd 2.2.21</h1><dl>
+ <dt>
+ <h3 id="CVE-2011-3348">moderate:
+ <name name="CVE-2011-3348">mod_proxy_ajp remote DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3348">CVE-2011-3348</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found when mod_proxy_ajp is used together with
+mod_proxy_balancer. Given a specific configuration, a remote attacker
+could send certain malformed HTTP requests, putting a backend server
+into an error state until the retry timeout expired.
+This could lead to a temporary denial of service.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">7th September 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">14th September 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">14th September 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.20">
+Fixed in Apache httpd 2.2.20</h1><dl>
+ <dt>
+ <h3 id="CVE-2011-3192">important:
+ <name name="CVE-2011-3192">Range header remote DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192">CVE-2011-3192</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the way the Apache HTTP Server handled Range HTTP
+headers. A remote attacker could use this flaw to cause httpd to use
+an excessive amount of memory and CPU time via HTTP requests with a
+specially-crafted Range header. This could be used in a denial of
+service attack. </p>
+ <p>
+Advisory: <a href="https://httpd.apache.org/security/CVE-2011-3192.txt">CVE-2011-3192.txt</a>
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">20th August 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">30th August 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.19">
+Fixed in Apache httpd 2.2.19</h1><dl>
+ <dt>
+ <h3 id="CVE-2011-0419">moderate:
+ <name name="CVE-2011-0419">apr_fnmatch flaw leads to mod_autoindex remote DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419">CVE-2011-0419</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the apr_fnmatch() function of the bundled APR
+library. Where mod_autoindex is enabled, and a directory indexed by
+mod_autoindex contained files with sufficiently long names, a
+remote attacker could send a carefully crafted request which would
+cause excessive CPU usage. This could be used in a denial of service
+attack.
+</p>
+ <p>
+Workaround: Setting the 'IgnoreClient' option to the 'IndexOptions'
+directive disables processing of the client-supplied request query
+arguments, preventing this attack.
+</p>
+ <p>
+Resolution: Update APR to release 1.4.5 (bundled with httpd 2.2.19)
+or release 0.9.20 (bundled with httpd 2.0.65)
+</p>
+ <p>Acknowledgements:
+This issue was reported by Maksymilian Arciemowicz
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">2nd March 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">10th May 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">21st May 2011</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.17">
+Fixed in Apache httpd 2.2.17</h1><dl>
+ <dt>
+ <h3 id="CVE-2009-3720">low:
+ <name name="CVE-2009-3720">expat DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720">CVE-2009-3720</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A buffer over-read flaw was found in the bundled expat
+library. An attacker who is able to get Apache to parse
+an untrused XML document (for example through mod_dav) may
+be able to cause a crash. This crash would only
+be a denial of service if using the worker MPM.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">21st August 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">17th January 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th October 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2009-3560">low:
+ <name name="CVE-2009-3560">expat DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560">CVE-2009-3560</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A buffer over-read flaw was found in the bundled expat
+library. An attacker who is able to get Apache to parse
+an untrused XML document (for example through mod_dav) may
+be able to cause a crash. This crash would only
+be a denial of service if using the worker MPM.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">18th December 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd December 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th October 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2010-1623">low:
+ <name name="CVE-2010-1623">apr_bridage_split_line DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623">CVE-2010-1623</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the apr_brigade_split_line() function of the bundled
+APR-util library, used to process non-SSL requests. A remote attacker
+could send requests, carefully crafting the timing of individual bytes,
+which would slowly consume memory, potentially leading to a denial of
+service.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">3rd March 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">1st October 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th October 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.16">
+Fixed in Apache httpd 2.2.16</h1><dl>
+ <dt>
+ <h3 id="CVE-2010-2068">important:
+ <name name="CVE-2010-2068">Timeout detection flaw (mod_proxy_http)</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2068">CVE-2010-2068</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+An information disclosure flaw was found in mod_proxy_http in versions
+2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha. Under certain timeout
+conditions, the server could return a response intended for another user.
+Only Windows, Netware and OS2 operating systems are affected. Only those
+configurations which trigger the use of proxy worker pools are affected.
+There was no vulnerability on earlier versions, as proxy pools were not
+yet introduced. The simplest workaround is to globally configure;</p>
+ <p>SetEnv proxy-nokeepalive 1</p>
+ <p>Source code patches are at;</p>
+ <ul>
+<li>2.2.15: <a href="https://archive.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch">CVE-2010-2068-r953616.patch</a></li>
+<li>2.3.5: <a href="https://archive.apache.org/dist/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch">CVE-2010-2068-r953418.patch</a></li>
+</ul>
+ <p>Binary replacement modules are at</p>
+ <ul>
+<li><a href="https://archive.apache.org/dist/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip">mod_proxy_http-CVE-2010-2068.zip</a></li>
+</ul>
+ <p>Acknowledgements:
+We would like to thank Loren Anderson for the detailed analysis and
+reporting of this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">9th June 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">25th July 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2010-1452">low:
+ <name name="CVE-2010-1452">mod_cache and mod_dav DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452">CVE-2010-1452</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the handling of requests by mod_cache (2.2) and mod_dav (2.0 and 2.2).
+A malicious remote attacker could send a carefully crafted request and
+cause a httpd child process to crash. This crash would only
+be a denial of service if using the worker MPM. This issue is further
+mitigated as mod_dav is only affected by requests that are most likely
+to be authenticated, and mod_cache is only affected if the uncommon
+"CacheIgnoreURLSessionIdentifiers" directive, introduced in
+version 2.2.14, is used.
+</p>
+ <p>Acknowledgements:
+This issue was reported by Mark Drayton.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">4th May 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">25th July 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">25th July 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.15">
+Fixed in Apache httpd 2.2.15</h1><dl>
+ <dt>
+ <h3 id="CVE-2010-0425">important:
+ <name name="CVE-2010-0425">mod_isapi module unload flaw</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425">CVE-2010-0425</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found with within mod_isapi which would attempt to unload the ISAPI dll when it
+encountered various error states. This could leave the callbacks in an
+undefined state and result in a segfault. On Windows platforms using mod_isapi, a
+remote attacker could send a malicious request to trigger this issue, and as win32 MPM runs only one
+process, this would result in a denial of service, and potentially allow
+arbitrary code execution.
+</p>
+ <p>Acknowledgements:
+We would like to thank Brett Gervasoni of Sense of Security for reporting and
+proposing a patch fix for this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">9th February 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd March 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">5th March 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2010-0434">low:
+ <name name="CVE-2010-0434">Subrequest handling of request headers (mod_headers)</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434">CVE-2010-0434</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw in the core subrequest process code was fixed, to always provide a shallow copy of the headers_in
+array to the subrequest, instead of a pointer to the parent request's array
+as it had for requests without request bodies. This meant all modules such
+as mod_headers which may manipulate the input headers for a subrequest would
+poison the parent request in two ways, one by modifying the parent request,
+which might not be intended, and second by leaving pointers to modified header
+fields in memory allocated to the subrequest scope, which could be freed
+before the main request processing was finished, resulting in a segfault or
+in revealing data from another request on threaded servers, such as the worker
+or winnt MPMs.
+</p>
+ <p>Acknowledgements:
+We would like to thank Philip Pickett of VMware for reporting and proposing a
+fix for this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">9th December 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">5th March 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2010-0408">moderate:
+ <name name="CVE-2010-0408">mod_proxy_ajp DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0408">CVE-2010-0408</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+mod_proxy_ajp would return the wrong status code if it encountered
+an error, causing a backend server to be put into an error state until
+the retry timeout expired. A remote attacker could send malicious requests
+to trigger this issue, resulting in denial of service.
+</p>
+ <p>Acknowledgements:
+We would like to thank Niku Toivola of Sulake Corporation for reporting and
+proposing a patch fix for this issue.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">2nd February 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd March 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">5th March 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.14">
+Fixed in Apache httpd 2.2.14</h1><dl>
+ <dt>
+ <h3 id="CVE-2009-3094">low:
+ <name name="CVE-2009-3094">mod_proxy_ftp DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094">CVE-2009-3094</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A NULL pointer dereference flaw was found in the mod_proxy_ftp
+module. A malicious FTP server to which requests are being proxied
+could use this flaw to crash an httpd child process via a malformed
+reply to the EPSV or PASV commands, resulting in a limited denial of
+service.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">4th September 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd September 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">5th October 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2009-3095">low:
+ <name name="CVE-2009-3095">mod_proxy_ftp FTP command injection</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095">CVE-2009-3095</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the mod_proxy_ftp module. In a reverse proxy
+configuration, a remote attacker could use this flaw to bypass
+intended access restrictions by creating a carefully-crafted HTTP
+Authorization header, allowing the attacker to send arbitrary commands
+to the FTP server.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">3rd September 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">5th October 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2009-2699">moderate:
+ <name name="CVE-2009-2699">Solaris pollset DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2699">CVE-2009-2699</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>Faulty error handling was found affecting Solaris pollset support
+(Event Port backend) caused by a bug in APR. A remote attacker
+could trigger this issue on Solaris servers which used prefork or
+event MPMs, resulting in a denial of service.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">5th August 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">23rd September 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">5th October 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.13">
+Fixed in Apache httpd 2.2.13</h1><dl>
+ <dt>
+ <h3 id="CVE-2009-2412">low:
+ <name name="CVE-2009-2412">APR apr_palloc heap overflow</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412">CVE-2009-2412</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw in apr_palloc() in the bundled copy of APR could
+cause heap overflows in programs that try to apr_palloc() a user
+controlled size. The Apache HTTP Server itself does not pass
+unsanitized user-provided sizes to this function, so it could only
+be triggered through some other application which uses apr_palloc()
+in a vulnerable way.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">27th July 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">4th August 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">9th August 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.12">
+Fixed in Apache httpd 2.2.12</h1><dl>
+ <dt>
+ <h3 id="CVE-2009-1890">important:
+ <name name="CVE-2009-1890">mod_proxy reverse proxy DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890">CVE-2009-1890</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A denial of service flaw was found in the mod_proxy module when it was
+used as a reverse proxy. A remote attacker could use this flaw to
+force a proxy process to consume large amounts of CPU time.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">30th June 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd July 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">27th July 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2009-1191">important:
+ <name name="CVE-2009-1191">mod_proxy_ajp information disclosure</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191">CVE-2009-1191</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+An information disclosure flaw was found in mod_proxy_ajp in version
+2.2.11 only. In certain
+situations, if a user sent a carefully crafted HTTP request, the server
+could return a response intended for another user.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">5th March 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">21st April 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">27th July 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.11</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2009-1891">low:
+ <name name="CVE-2009-1891">mod_deflate DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891">CVE-2009-1891</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A denial of service flaw was found in the mod_deflate module. This
+module continued to compress large files until compression was
+complete, even if the network connection that requested the content
+was closed before compression completed. This would cause mod_deflate
+to consume large amounts of CPU if mod_deflate was enabled for a large
+file.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">26th June 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">27th July 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2009-1195">low:
+ <name name="CVE-2009-1195">AllowOverride Options handling bypass</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195">CVE-2009-1195</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the handling of the "Options" and "AllowOverride"
+directives. In configurations using the "AllowOverride" directive
+with certain "Options=" arguments, local users were not restricted
+from executing commands from a Server-Side-Include script as intended.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">9th March 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">22nd April 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">27th July 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2008-0456">low:
+ <name name="CVE-2008-0456">CRLF injection in mod_negotiation when untrusted uploads are supported</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0456">CVE-2008-0456</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+Possible CRLF injection allowing HTTP response splitting attacks for sites
+which use mod_negotiation and allow untrusted uploads to locations which have
+MultiViews enabled.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">15th January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">21st January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">27th July 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2009-1956">moderate:
+ <name name="CVE-2009-1956">APR-util off-by-one overflow</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956">CVE-2009-1956</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+An off-by-one overflow flaw was found in the way the bundled copy of
+the APR-util library processed a variable list of arguments. An
+attacker could provide a specially-crafted string as input for the
+formatted output conversion routine, which could, on big-endian
+platforms, potentially lead to the disclosure of sensitive information
+or a denial of service.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">24th April 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">27th July 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2009-1955">moderate:
+ <name name="CVE-2009-1955">APR-util XML DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955">CVE-2009-1955</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A denial of service flaw was found in the bundled copy of the APR-util
+library Extensible Markup Language (XML) parser. A remote attacker
+could create a specially-crafted XML document that would cause
+excessive memory consumption when processed by the XML decoding
+engine.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">6th June 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">1st June 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">27th July 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2009-0023">moderate:
+ <name name="CVE-2009-0023">APR-util heap underwrite</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023">CVE-2009-0023</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A heap-based underwrite flaw was found in the way the bundled copy of
+the APR-util library created compiled forms of particular search
+patterns. An attacker could formulate a specially-crafted search
+keyword, that would overwrite arbitrary heap memory locations when
+processed by the pattern preparation engine.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">25th December 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">1st June 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">27th July 2009</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.10">
+Fixed in Apache httpd 2.2.10</h1><dl>
+ <dt>
+ <h3 id="CVE-2010-2791">important:
+ <name name="CVE-2010-2791">Timeout detection flaw (mod_proxy_http)</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791">CVE-2010-2791</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms. Under certain timeout
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected. There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced. The simplest workaround is to
+globally configure:</p>
+ <p>SetEnv proxy-nokeepalive 1</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">23rd July 2010</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">31st October 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.9</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2008-2939">low:
+ <name name="CVE-2008-2939">mod_proxy_ftp globbing XSS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939">CVE-2008-2939</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the handling of wildcards in the path of a FTP
+URL with mod_proxy_ftp. If mod_proxy_ftp is enabled to support
+FTP-over-HTTP, requests containing globbing characters could lead
+to cross-site scripting (XSS) attacks.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">28th July 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">5th August 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">31st October 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.9">
+Fixed in Apache httpd 2.2.9</h1><dl>
+ <dt>
+ <h3 id="CVE-2007-6420">low:
+ <name name="CVE-2007-6420">mod_proxy_balancer CSRF</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420">CVE-2007-6420</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+The mod_proxy_balancer provided an administrative interface that could be
+vulnerable to cross-site request forgery (CSRF) attacks.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">12th October 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">9th January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">14th June 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2008-2364">moderate:
+ <name name="CVE-2008-2364">mod_proxy_http DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364">CVE-2008-2364</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the handling of excessive interim responses
+from an origin server when using mod_proxy_http. A remote attacker
+could cause a denial of service or high memory usage.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">29th May 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">10th June 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">14th June 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.8">
+Fixed in Apache httpd 2.2.8</h1><dl>
+ <dt>
+ <h3 id="CVE-2008-0005">low:
+ <name name="CVE-2008-0005">mod_proxy_ftp UTF-7 XSS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005">CVE-2008-0005</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A workaround was added in the mod_proxy_ftp module. On sites where
+mod_proxy_ftp is enabled and a forward proxy is configured, a
+cross-site scripting attack is possible against Web browsers which do
+not correctly derive the response character set following the rules in
+RFC 2616.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">15th December 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">8th January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2007-6422">low:
+ <name name="CVE-2007-6422">mod_proxy_balancer DoS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422">CVE-2007-6422</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the mod_proxy_balancer module. On sites where
+mod_proxy_balancer is enabled, an authorized user could send a carefully
+crafted request that would cause the Apache child process handling that
+request to crash. This could lead to a denial of service if using a
+threaded Multi-Processing Module. </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">12th December 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2007-6421">low:
+ <name name="CVE-2007-6421">mod_proxy_balancer XSS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6421">CVE-2007-6421</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the mod_proxy_balancer module. On sites where
+mod_proxy_balancer is enabled, a cross-site scripting attack against an
+authorized user is possible. </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">12th December 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2007-6388">moderate:
+ <name name="CVE-2007-6388">mod_status XSS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388">CVE-2007-6388</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the mod_status module. On sites where mod_status is
+enabled and the status pages were publicly accessible, a cross-site
+scripting attack is possible.
+Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">15th December 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">2nd January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2007-5000">moderate:
+ <name name="CVE-2007-5000">mod_imagemap XSS</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000">CVE-2007-5000</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the mod_imagemap module. On sites where
+mod_imagemap is enabled and an imagemap file is publicly available, a
+cross-site scripting attack is possible.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">23rd October 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">11th December 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">19th January 2008</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.2.6">
+Fixed in Apache httpd 2.2.6</h1><dl>
+ <dt>
+ <h3 id="CVE-2007-3847">moderate:
+ <name name="CVE-2007-3847">mod_proxy crash</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847">CVE-2007-3847</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the Apache HTTP Server mod_proxy module. On sites where
+a reverse proxy is configured, a remote attacker could send a carefully
+crafted request that would cause the Apache child process handling that
+request to crash. On sites where a forward proxy is configured, an attacker
+could cause a similar crash if a user could be persuaded to visit a
+malicious site using the proxy. This could lead to a denial of service if
+using a threaded Multi-Processing Module.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">10th December 2006</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">7th September 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2006-5752">moderate:
+ <name name="CVE-2006-5752">mod_status cross-site scripting</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752">CVE-2006-5752</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>
+A flaw was found in the mod_status module. On sites where the
+server-status page is publicly accessible and ExtendedStatus is
+enabled this could lead to a cross-site scripting attack.
+Note that the server-status
+page is not enabled by default and it is best practice to not make
+this publicly available.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">19th October 2006</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">20th June 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">7th September 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2007-3304">moderate:
+ <name name="CVE-2007-3304">Signals to arbitrary processes</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>The Apache HTTP server did not verify that a process
+was an Apache child process before sending it signals. A local
+attacker with the ability to run scripts on the HTTP server could
+manipulate the scoreboard and cause arbitrary processes to be
+terminated which could lead to a denial of service.</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">15th May 2006</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">19th June 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">7th September 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.4, 2.2.3, 2.2.2, 2.2.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2007-1862">moderate:
+ <name name="CVE-2007-1862">mod_cache information leak</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862">CVE-2007-1862</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>The recall_headers function in mod_mem_cache in Apache 2.2.4 did not
+properly copy all levels of header data, which can cause Apache to
+return HTTP headers containing previously used data, which could be
+used by remote attackers to obtain potentially sensitive information.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">26th April 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">1st June 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Update Released</td>
+ <td class="cve-value">7th September 2007</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.2.4</td>
+ </tr>
+ </table>
[... 142 lines stripped ...]