You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by bu...@apache.org on 2019/08/15 05:59:52 UTC
svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./
security/vulnerabilities-httpd.xml security/vulnerabilities_13.html
security/vulnerabilities_20.html security/vulnerabilities_22.html
security/vulnerabilities_24.html
Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_24.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_24.html Thu Aug 15 05:59:51 2019
@@ -97,2096 +97,7 @@ h2:hover > .headerlink, h3:hover > .head
<!-- RIGHT SIDE INFORMATION -->
<div id="apcontents">
- <h1 id="top">Apache HTTP Server 2.4 vulnerabilities</h1><p>This page lists all security vulnerabilities fixed in released
-versions of Apache HTTP Server 2.4. Each
-vulnerability is given a security <a href="/security/impact_levels.html">impact rating</a> by the Apache
-security team - please note that this rating may well vary from
-platform to platform. We also list the versions of Apache httpd the
-flaw is known to affect, and where a flaw has not been verified list
-the version with a question mark. </p><p> Please note that if a vulnerability is shown below as being fixed
-in a "-dev" release then this means that a fix has been applied to
-the development source tree and will be part of an upcoming full release.</p><p> Please send comments or corrections for
-these vulnerabilities to the <a href="/security_report.html">Security
-Team</a>. </p><p><em>The initial GA release, Apache httpd 2.4.1, includes fixes for all vulnerabilities which have been resolved in Apache httpd 2.2.22 and all older releases. Consult the <a href="vulnerabilities_22.html">Apache httpd 2.2 vulnerabilities list</a> for more information.</em></p><br/><h1 id="2.4.39">
-Fixed in Apache httpd 2.4.39</h1><dl>
- <dt>
- <h3 id="CVE-2019-0211">important:
- <name name="CVE-2019-0211">Apache HTTP Server privilege escalation from modules' scripts</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211">CVE-2019-0211</a>)
- </h3>
- </dt>
- <dd>
- <p>In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM
- event, worker or prefork, code executing in less-privileged
- child processes or threads (including scripts executed by an
- in-process scripting interpreter) could execute arbitrary code
- with the privileges of the parent process (usually root) by
- manipulating the scoreboard. Non-Unix systems are not
- affected.</p>
- <p>Acknowledgements:
- The issue was discovered by Charles Fol.
- </p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">22nd February 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">1st April 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2019-0217">important:
- <name name="CVE-2019-0217">mod_auth_digest access control bypass</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0217">CVE-2019-0217</a>)
- </h3>
- </dt>
- <dd>
- <p> In Apache HTTP Server 2.4 release 2.4.38 and prior, a
- race condition in mod_auth_digest when running in a threaded
- server could allow a user with valid credentials to authenticate
- using another username, bypassing configured access control
- restrictions.
- </p>
- <p>Acknowledgements:
- The issue was discovered by Simon Kappel.
- </p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">29th January 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">1st April 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2019-0215">important:
- <name name="CVE-2019-0215">mod_ssl access control bypass</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0215">CVE-2019-0215</a>)
- </h3>
- </dt>
- <dd>
- <p>In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in
- mod_ssl when using per-location client certificate verification
- with TLSv1.3 allowed a client supporting Post-Handshake
- Authentication to bypass configured access control restrictions.</p>
- <p>Acknowledgements:
- The issue was discovered by Michael Kaufmann.
- </p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">23rd January 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">1st April 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.38, 2.4.37</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2019-0197">low:
- <name name="CVE-2019-0197">mod_http2, possible crash on late upgrade</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0197">CVE-2019-0197</a>)
- </h3>
- </dt>
- <dd>
- <p>When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for
- h2 on a https: host, an Upgrade request from http/1.1 to http/2 that
- was not the first request on a connection could lead to a misconfiguration
- and crash. A server that never enabled the h2 protocol or that only enabled
- it for https: and did not configure the "H2Upgrade on" is unaffected by this.
- </p>
- <p>Acknowledgements:
-The issue was discovered by Stefan Eissing, greenbytes.de.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">29th January 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">1st April 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2019-0196">low:
- <name name="CVE-2019-0196">mod_http2, read-after-free on a string compare</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0196">CVE-2019-0196</a>)
- </h3>
- </dt>
- <dd>
- <p>Using fuzzed network input, the http/2 request
- handling could be made to access freed memory in string
- comparision when determining the method of a request and
- thus process the request incorrectly.
- </p>
- <p>Acknowledgements:
- The issue was discovered by Craig Young, <vuln-report@secur3.us>.
- </p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">29th January 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">1st April 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2019-0220">low:
- <name name="CVE-2019-0220">Apache httpd URL normalization inconsistincy</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0220">CVE-2019-0220</a>)
- </h3>
- </dt>
- <dd>
- <p> When the path component of a request URL contains multiple
- consecutive slashes ('/'), directives such as LocationMatch
- and RewriteRule must account for duplicates in regular
- expressions while other aspects of the servers processing will
- implicitly collapse them.
- </p>
- <p>Acknowledgements:
- The issue was discovered by Bernhard Lorenz <bernhard.lorenz@alphastrike.io> of Alpha Strike Labs GmbH.
- </p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">20th January 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">1st April 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.38">
-Fixed in Apache httpd 2.4.38</h1><dl>
- <dt>
- <h3 id="CVE-2019-0190">important:
- <name name="CVE-2019-0190">mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190">CVE-2019-0190</a>)
- </h3>
- </dt>
- <dd>
- <p>A bug exists in the way mod_ssl handled client renegotiations.
- A remote attacker could send a carefully crafted request that
- would cause mod_ssl to enter a loop leading to a denial of
- service. This bug can be only triggered with Apache HTTP Server
- version 2.4.37 when using OpenSSL version 1.1.1 or later, due to
- an interaction in changes to handling of renegotiation attempts.
- </p>
- <p>Acknowledgements:
- The issue was discovered through user bug reports.
- </p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">1st January 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">22nd January 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.37</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2018-17199">low:
- <name name="CVE-2018-17199">mod_session_cookie does not respect expiry time</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199">CVE-2018-17199</a>)
- </h3>
- </dt>
- <dd>
- <p>In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session
- checks the session expiry time before decoding the session.
- This causes session expiry time to be ignored for
- mod_session_cookie sessions since the expiry time is loaded
- when the session is decoded.</p>
- <p>Acknowledgements:
- The issue was discovered by Diego Angulo from ImExHS.
- </p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">8th October 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">22nd January 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2018-17189">low:
- <name name="CVE-2018-17189">DoS for HTTP/2 connections via slow request bodies</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189">CVE-2018-17189</a>)
- </h3>
- </dt>
- <dd>
- <p>By sending request bodies in a slow loris way to plain
- resources, the h2 stream for that request unnecessarily
- occupied a server thread cleaning up that incoming data.
- This affects only HTTP/2 connections. A possible mitigation
- is to not enable the h2 protocol.
-</p>
- <p>Acknowledgements:
-The issue was discovered by Gal Goldshtein of F5 Networks.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">16th October 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">22nd January 2019</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.35">
-Fixed in Apache httpd 2.4.35</h1><dl>
- <dt>
- <h3 id="CVE-2018-11763">low:
- <name name="CVE-2018-11763">DoS for HTTP/2 connections by continuous SETTINGS</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763">CVE-2018-11763</a>)
- </h3>
- </dt>
- <dd>
- <p>By sending continous SETTINGS frames of maximum size an ongoing HTTP/2
-connection could be kept busy and would never time out. This can be abused
-for a DoS on the server. This only affect a server that has enabled the h2
-protocol.</p>
- <p>Acknowledgements:
-The issue was discovered by Gal Goldshtein of F5 Networks.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">18th July 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">25th September 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.34">
-Fixed in Apache httpd 2.4.34</h1><dl>
- <dt>
- <h3 id="CVE-2018-1333">low:
- <name name="CVE-2018-1333">DoS for HTTP/2 connections by crafted requests</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1333">CVE-2018-1333</a>)
- </h3>
- </dt>
- <dd>
- <p>By specially crafting HTTP/2 requests, workers would be
-allocated 60 seconds longer than necessary, leading to
-worker exhaustion and a denial of service.</p>
- <p>This issue only affects servers that have configured and enabled HTTP/2 support,
-which is not the default</p>
- <p>Acknowledgements:
-The issue was discovered by Craig Young of Tripwire VERT.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">8th May 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">18th July 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.33, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2018-8011">moderate:
- <name name="CVE-2018-8011">mod_md, DoS via Coredumps on specially crafted requests</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8011">CVE-2018-8011</a>)
- </h3>
- </dt>
- <dd>
- <p>By specially crafting HTTP requests, the mod_md challenge
-handler would dereference a NULL pointer and cause the child
-process to segfault. This could be used to DoS the server.</p>
- <p>Acknowledgements:
-The issue was discovered by Daniel Caminada <daniel.caminada@ergon.ch>.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">29th June 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">18th July 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.33</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.33">
-Fixed in Apache httpd 2.4.33</h1><dl>
- <dt>
- <h3 id="CVE-2018-1303">low:
- <name name="CVE-2018-1303">Possible out of bound read in mod_cache_socache</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1303">CVE-2018-1303</a>)
- </h3>
- </dt>
- <dd>
- <p>A specially crafted HTTP request header could have crashed the Apache HTTP
-Server prior to version 2.4.33 due to an out of bound read while preparing data
-to be cached in shared memory. It could be used as a Denial of Service attack
-against users of mod_cache_socache.</p>
- <p>Acknowledgements:
-The issue was discovered by Robert Swiecki, bug found by honggfuzz.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">23rd January 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2018-1302">low:
- <name name="CVE-2018-1302">Possible write of after free on HTTP/2 stream shutdown</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1302">CVE-2018-1302</a>)
- </h3>
- </dt>
- <dd>
- <p>When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server
-prior to version 2.4.33 could have written a NULL pointer potentially to an
-already freed memory.</p>
- <p>The memory pools maintained by the server make this
-vulnerabilty hard to trigger in usual configurations, the reporter and the team
-could not reproduce it outside debug builds, so it is classified as low risk.</p>
- <p>Acknowledgements:
-The issue was discovered by Robert Swiecki, bug found by honggfuzz.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">23rd January 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2018-1301">low:
- <name name="CVE-2018-1301">Possible out of bound access after failure in reading the HTTP request</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1301">CVE-2018-1301</a>)
- </h3>
- </dt>
- <dd>
- <p>A specially crafted request could have crashed the Apache HTTP Server prior to
-version 2.4.33, due to an out of bound access after a size limit is reached by
-reading the HTTP header. This vulnerability is considered very hard if not
-impossible to trigger in non-debug mode (both log and build level), so it is
-classified as low risk for common server usage.</p>
- <p>Acknowledgements:
-The issue was discovered by Robert Swiecki, bug found by honggfuzz.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">23rd January 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2018-1312">low:
- <name name="CVE-2018-1312">Weak Digest auth nonce generation in mod_auth_digest</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1312">CVE-2018-1312</a>)
- </h3>
- </dt>
- <dd>
- <p>When generating an HTTP Digest authentication challenge, the nonce
-sent to prevent reply attacks was not correctly generated using a
-pseudo-random seed.</p>
- <p>In a cluster of servers using a common Digest
-authentication configuration, HTTP requests could be replayed across
-servers by an attacker without detection.</p>
- <p>Acknowledgements:
-The issue was discovered by Nicolas Daniels.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">5th March 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2017-15715">low:
- <name name="CVE-2017-15715"><FilesMatch> bypass with a trailing newline in the file name</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15715">CVE-2017-15715</a>)
- </h3>
- </dt>
- <dd>
- <p>The expression specified in <FilesMatch> could match '$' to a newline character
-in a malicious filename, rather than matching only the end of the filename.</p>
- <p>This could be exploited in environments where uploads of some files are are
-externally blocked, but only by matching the trailing portion of the filename.</p>
- <p>Acknowledgements:
-The issue was discovered by Elar Lang - security.elarlang.eu
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">24th November 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2017-15710">low:
- <name name="CVE-2017-15710">Out of bound write in mod_authnz_ldap when using too small Accept-Language values</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15710">CVE-2017-15710</a>)
- </h3>
- </dt>
- <dd>
- <p>mod_authnz_ldap, if configured with AuthLDAPCharsetConfig,
-uses the Accept-Language header value to lookup the right charset encoding
-when verifying the user's credentials.</p>
- <p>If the header value is not present in the charset conversion
-table, a fallback mechanism is used to truncate it to a two
-characters value to allow a quick retry (for example, 'en-US' is truncated
-to 'en'). A header value of less than two characters forces an out of bound
-write of one NUL byte to a memory location that is not part of the string.
-In the worst case, quite unlikely, the process would crash which could
-be used as a Denial of Service attack. In the more likely case, this memory is
-already reserved for future use and the issue has no effect at all.</p>
- <p>Acknowledgements:
-The Apache HTTP Server security team would like to thank Alex Nichols
-and Jakob Hirsch for reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">7th December 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2018-1283">moderate:
- <name name="CVE-2018-1283">Tampering of mod_session data for CGI applications</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1283">CVE-2018-1283</a>)
- </h3>
- </dt>
- <dd>
- <p>When mod_session is configured to forward its session data to CGI
-applications (SessionEnv on, not the default), a remote user may influence
-their content by using a "Session" header.</p>
- <p>This comes from the "HTTP_SESSION"
-variable name used by mod_session to forward its data to CGIs, since the
-prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header
-fields, per CGI specifications.</p>
- <p>The severity is set to Moderate because "SessionEnv on" is not a default nor
-common configuration, it should be considered more severe when this is the case
-though, because of the possible remote exploitation.</p>
- <p>Acknowledgements:
-The issue was discovered internally by the Apache HTTP Server team.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">14th November 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">21st March 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.28">
-Fixed in Apache httpd 2.4.28</h1><dl>
- <dt>
- <h3 id="CVE-2017-9798">low:
- <name name="CVE-2017-9798">Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed")</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798">CVE-2017-9798</a>)
- </h3>
- </dt>
- <dd>
- <p>When an unrecognized HTTP Method is given in an <Limit {method}>
-directive in an .htaccess file, and that .htaccess file is processed by the
-corresponding request, the global methods table is corrupted in the current
-worker process, resulting in erratic behaviour.</p>
- <p>This behavior may be avoided by listing all unusual HTTP Methods in a global
-httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later.</p>
- <p>To permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive.</p>
- <p>Source code patch (2.4) is at;</p>
- <ul>
-<li><a href="https://www.apache.org/dist/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch">CVE-2017-9798-patch-2.4.patch</a></li>
-</ul>
- <p>Source code patch (2.2) is at;</p>
- <ul>
-<li><a href="https://archive.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch">CVE-2017-9798-patch-2.2.patch</a></li>
-</ul>
- <p>Note 2.2 is end-of-life, no further release with this fix is planned. Users
-are encouraged to migrate to 2.4.28 or later for this and other fixes.</p>
- <p>Acknowledgements:
-We would like to thank Hanno Böck for reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">12th July 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">18th September 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">5th October 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.27">
-Fixed in Apache httpd 2.4.27</h1><dl>
- <dt>
- <h3 id="CVE-2017-9789">important:
- <name name="CVE-2017-9789">Read after free in mod_http2</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9789">CVE-2017-9789</a>)
- </h3>
- </dt>
- <dd>
- <p>
-When under stress, closing many connections, the HTTP/2
-handling code would sometimes access memory after it has
-been freed, resulting in potentially erratic behaviour.
-</p>
- <p>Acknowledgements:
-We would like to thank Robert ÅwiÄcki for reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">30th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">11th July 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">11th July 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.26</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2017-9788">important:
- <name name="CVE-2017-9788">Uninitialized memory reflection in mod_auth_digest</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788">CVE-2017-9788</a>)
- </h3>
- </dt>
- <dd>
- <p>
-The value placeholder in [Proxy-]Authorization headers
-of type 'Digest' was not initialized or reset
-before or between successive key=value assignments.
-by mod_auth_digest.
-</p>
- <p>
-Providing an initial key with no '=' assignment
-could reflect the stale value of uninitialized pool
-memory used by the prior request, leading to leakage
-of potentially confidential information, and a segfault.
-</p>
- <p>Acknowledgements:
-We would like to thank Robert ÅwiÄcki for reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">28th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">11th July 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">11th July 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.26">
-Fixed in Apache httpd 2.4.26</h1><dl>
- <dt>
- <h3 id="CVE-2017-3167">important:
- <name name="CVE-2017-3167">ap_get_basic_auth_pw() Authentication Bypass</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167">CVE-2017-3167</a>)
- </h3>
- </dt>
- <dd>
- <p>
-Use of the ap_get_basic_auth_pw() by third-party modules outside of the
-authentication phase may lead to authentication requirements being bypassed.
-</p>
- <p>
-Third-party module writers SHOULD use ap_get_basic_auth_components(), available
-in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the
-legacy ap_get_basic_auth_pw() during the authentication phase MUST either
-immediately authenticate the user after the call, or else stop the request
-immediately with an error response, to avoid incorrectly authenticating the
-current request.
-</p>
- <p>Acknowledgements:
-We would like to thank Emmanuel Dreyfus for reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">6th February 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">19th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">19th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2017-3169">important:
- <name name="CVE-2017-3169">mod_ssl Null Pointer Dereference</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169">CVE-2017-3169</a>)
- </h3>
- </dt>
- <dd>
- <p>
-mod_ssl may dereference a NULL pointer when third-party modules call
-ap_hook_process_connection() during an HTTP request to an HTTPS port.
-</p>
- <p>Acknowledgements:
-We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for
-reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">5th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">19th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">19th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2017-7659">important:
- <name name="CVE-2017-7659">mod_http2 Null Pointer Dereference</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7659">CVE-2017-7659</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a
-NULL pointer and crash the server process.
-</p>
- <p>Acknowledgements:
-We would like to thank Robert ÅwiÄcki for reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">18th November 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">19th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">19th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.25</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2017-7668">important:
- <name name="CVE-2017-7668">ap_find_token() Buffer Overread</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668">CVE-2017-7668</a>)
- </h3>
- </dt>
- <dd>
- <p>
-The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
-token list parsing, which allows ap_find_token() to search past the end of its
-input string. By maliciously crafting a sequence of request headers, an attacker
-may be able to cause a segmentation fault, or to force ap_find_token() to return
-an incorrect value.
-</p>
- <p>Acknowledgements:
-We would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this
-issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">6th May 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">19th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">19th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.25</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2017-7679">important:
- <name name="CVE-2017-7679">mod_mime Buffer Overread</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679">CVE-2017-7679</a>)
- </h3>
- </dt>
- <dd>
- <p>
-mod_mime can read one byte past the end of a buffer when sending a malicious
-Content-Type response header.
-</p>
- <p>Acknowledgements:
-We would like to thank ChenQin and Hanno Böck for reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">15th November 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">19th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">19th June 2017</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.25">
-Fixed in Apache httpd 2.4.25</h1><dl>
- <dt>
- <h3 id="CVE-2016-8743">important:
- <name name="CVE-2016-8743">Apache HTTP Request Parsing Whitespace Defects</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>)
- </h3>
- </dt>
- <dd>
- <p>
-Apache HTTP Server, prior to release 2.4.25 (2.2.32), accepted a broad pattern
-of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB
-in parsing the request line and request header lines, as well as HTAB in
-parsing the request line. Any bare CR present in request lines was treated
-as whitespace and remained in the request field member "the_request", while
-a bare CR in the request header field name would be honored as whitespace,
-and a bare CR in the request header field value was retained the input headers
-array. Implied additional whitespace was accepted in the request line and prior
-to the ':' delimiter of any request header lines.
-</p>
- <p>
-RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section
-3.2.3 eliminated and clarified the role of implied whitespace in the grammer
-of this specification. Section 3.1.1 requires exactly one single SP between the
-method and request-target, and between the request-target and HTTP-version,
-followed immediately by a CRLF sequence. None of these fields permit any
-(unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed
-any whitespace from the request header field prior to the ':' character, while
-Section 3.2 disallows all CTL characters in the request header line other than
-the HTAB character as whitespace.
-</p>
- <p>
-These defects represent a security concern when httpd is participating in any
-chain of proxies or interacting with back-end application servers, either
-through mod_proxy or using conventional CGI mechanisms. In each case where one
-agent accepts such CTL characters and does not treat them as whitespace, there
-is the possiblity in a proxy chain of generating two responses from a server
-behind the uncautious proxy agent. In a sequence of two requests, this results
-in request A to the first proxy being interpreted as requests A + A' by the
-backend server, and if requests A and B were submitted to the first proxy in
-a keepalive connection, the proxy may interpret response A' as the response
-to request B, polluting the cache or potentially serving the A' content to
-a different downstream user-agent.
-</p>
- <p>
-These defects are addressed with the release of Apache HTTP Server 2.4.25
-and coordinated by a new directive;
-</p>
- <ul>
- <li>
-<a href="http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions">HttpProtocolOptions Strict</a></li>
- </ul>
- <p>
-which is the default behavior of 2.4.25 and later. By toggling from 'Strict'
-behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow
-some invalid HTTP/1.1 clients to communicate with the server, but this will
-reintroduce the possibility of the problems described in this assessment.
-Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs
-other than HTAB (where permitted), but will allow other RFC requirements to
-not be enforced, such as exactly two SP characters in the request line.
-</p>
- <p>Acknowledgements:
-We would like to thank David Dennerline at IBM Security's X-Force Researchers
-as well as Régis Leroy for each reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">10th February 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">20th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">20th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2016-8740">low:
- <name name="CVE-2016-8740">HTTP/2 CONTINUATION denial of service</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740">CVE-2016-8740</a>)
- </h3>
- </dt>
- <dd>
- <p>
- The HTTP/2 protocol implementation (mod_http2) had an incomplete handling
- of the
- <a href="https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields">LimitRequestFields</a>
- directive. This allowed an attacker to inject unlimited request headers into
- the server, leading to eventual memory exhaustion.
-</p>
- <p>Acknowledgements:
-We would like to thank Naveen Tiwari
-and CDF/SEFCOM at Arizona State University to reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">22nd November 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">4th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">20th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2016-2161">low:
- <name name="CVE-2016-2161">DoS vulnerability in mod_auth_digest</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161">CVE-2016-2161</a>)
- </h3>
- </dt>
- <dd>
- <p>
- Malicious input to mod_auth_digest will cause the server to crash, and
- each instance continues to crash even for subsequently valid requests.
-</p>
- <p>Acknowledgements:
-We would like to thank Maksim Malyutin for reporting this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">11th July 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">20th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">20th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2016-0736">low:
- <name name="CVE-2016-0736">Padding Oracle in Apache mod_session_crypto</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736">CVE-2016-0736</a>)
- </h3>
- </dt>
- <dd>
- <p>
- Prior to Apache HTTP release 2.4.25, mod_sessioncrypto was encrypting its
- data/cookie using the configured ciphers with possibly either CBC or ECB
- modes of operation (AES256-CBC by default), hence no selectable or builtin
- authenticated encryption.
- This made it vulnerable to padding oracle attacks, particularly with CBC.
- An authentication tag (SipHash MAC) is now added to prevent such attacks.
-</p>
- <p>Acknowledgements:
-We would like to thank individuals at the RedTeam Pentesting GmbH for reporting
-this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">20th January 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">20th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">20th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2016-4975">moderate:
- <name name="CVE-2016-4975">mod_userdir CRLF injection</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4975">CVE-2016-4975</a>)
- </h3>
- </dt>
- <dd>
- <p>
-Possible CRLF injection allowing HTTP response splitting attacks
-for sites which use mod_userdir. This issue was
-mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF
-injection into the "Location" or other outbound
-header key or value.
-</p>
- <p>Acknowledgements:
-The issue was discovered by Sergey Bobrov
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">24th July 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">14th August 2018</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">20th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2016-5387">n/a:
- <name name="CVE-2016-5387">HTTP_PROXY environment variable "httpoxy" mitigation</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387">CVE-2016-5387</a>)
- </h3>
- </dt>
- <dd>
- <p>
- HTTP_PROXY is a well-defined environment variable in a CGI process,
- which collided with a number of libraries which failed to avoid
- colliding with this CGI namespace. A mitigation is provided for the
- httpd CGI environment to avoid populating the "HTTP_PROXY" variable
- from a "Proxy:" header, which has never been registered by IANA.
-</p>
- <p>
- This workaround and patch are documented in the ASF Advisory at
- <a href="https://www.apache.org/security/asf-httpoxy-response.txt">asf-httpoxy-response.txt</a>
- and incorporated in the 2.4.25 and 2.2.32 releases.
-</p>
- <p>
- Note: This is not assigned an httpd severity, as it is a defect in
- other software which overloaded well-established CGI environment
- variables, and does not reflect an error in HTTP server software.
-</p>
- <p>Acknowledgements:
-We would like to thank Dominic Scheirlinck and Scott Geary of Vend
-for reporting and proposing a fix for this issue.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">2nd July 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">18th July 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">20th December 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.23">
-Fixed in Apache httpd 2.4.23</h1><dl>
- <dt>
- <h3 id="CVE-2016-4979">important:
- <name name="CVE-2016-4979">TLS/SSL X.509 client certificate auth bypass with HTTP/2</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4979">CVE-2016-4979</a>)
- </h3>
- </dt>
- <dd>
- <p>
- For configurations enabling support for HTTP/2, SSL client
- certificate validation was not enforced if configured, allowing
- clients unauthorized access to protected resources over HTTP/2.
-</p>
- <p>
- This issue affected releases 2.4.18 and 2.4.20 only.
-</p>
- <p>Acknowledgements:
-This issue was reported by Erki Aring.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">30th June 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">5th July 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">5th July 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.20, 2.4.18</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.20">
-Fixed in Apache httpd 2.4.20</h1><dl>
- <dt>
- <h3 id="CVE-2016-1546">low:
- <name name="CVE-2016-1546">mod_http2: denial of service by thread starvation</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1546">CVE-2016-1546</a>)
- </h3>
- </dt>
- <dd>
- <p>
-
- By manipulating the flow control windows on streams, a client was able to
- block server threads for long times, causing starvation of worker threads.
- Connections could still be opened, but no streams where processed for these.
- This issue affected HTTP/2 support in 2.4.17 and 2.4.18.
-
-</p>
- <p>Acknowledgements:
-This issue was reported by Noam Mazor.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">2nd February 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">11th April 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">11th April 2016</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.18, 2.4.17</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.16">
-Fixed in Apache httpd 2.4.16</h1><dl>
- <dt>
- <h3 id="CVE-2015-0228">low:
- <name name="CVE-2015-0228">mod_lua: Crash in websockets PING handling</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228">CVE-2015-0228</a>)
- </h3>
- </dt>
- <dd>
- <p>
- A stack recursion crash in the mod_lua module was found. A Lua
- script executing the r:wsupgrade() function could crash the process
- if a malicious client sent a carefully crafted PING request. This
- issue affected releases 2.4.7 through 2.4.12 inclusive.
-</p>
- <p>Acknowledgements:
-This issue was reported by Guido Vranken.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">28th January 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">4th February 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.12, 2.4.10, 2.4.9, 2.4.7</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2015-0253">low:
- <name name="CVE-2015-0253">Crash in ErrorDocument 400 handling</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0253">CVE-2015-0253</a>)
- </h3>
- </dt>
- <dd>
- <p>
- A crash in ErrorDocument handling was found. If ErrorDocument 400
- was configured pointing to a local URL-path with the INCLUDES filter
- active, a NULL dereference would occur when handling the error,
- causing the child process to crash. This issue affected the 2.4.12
- release only.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">3rd February 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">5th March 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.12</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2015-3183">low:
- <name name="CVE-2015-3183">HTTP request smuggling attack against chunked request parser</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183">CVE-2015-3183</a>)
- </h3>
- </dt>
- <dd>
- <p>
- An HTTP request smuggling attack was possible due to a bug in parsing of
- chunked requests. A malicious client could force the server to
- misinterpret the request length, allowing cache poisoning or
- credential hijacking if an intermediary proxy is in use.
-</p>
- <p>Acknowledgements:
-This issue was reported by Régis Leroy.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">4th April 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">9th June 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2015-3185">low:
- <name name="CVE-2015-3185">ap_some_auth_required API unusable</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185">CVE-2015-3185</a>)
- </h3>
- </dt>
- <dd>
- <p>
- A design error in the "ap_some_auth_required" function renders the
- API unusuable in httpd 2.4.x. In particular the API is documented
- to answering if the request required authentication but only answers
- if there are Require lines in the applicable configuration. Since
- 2.4.x Require lines are used for authorization as well and can
- appear in configurations even when no authentication is required and
- the request is entirely unrestricted. This could lead to modules
- using this API to allow access when they should otherwise not do so.
- API users should use the new ap_some_authn_required API added in
- 2.4.16 instead.
- </p>
- <p>Acknowledgements:
-This issue was reported by Ben Reser.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">5th August 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">9th June 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.5, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.12">
-Fixed in Apache httpd 2.4.12</h1><dl>
- <dt>
- <h3 id="CVE-2014-8109">low:
- <name name="CVE-2014-8109">mod_lua multiple "Require" directive handling is broken</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109">CVE-2014-8109</a>)
- </h3>
- </dt>
- <dd>
- <p>
-Fix handling of the Require line in mod_lau when a LuaAuthzProvider is
-used in multiple Require directives with different arguments. This could
-lead to different authentication rules than expected.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">9th November 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">30th January 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2014-3583">low:
- <name name="CVE-2014-3583">mod_proxy_fcgi out-of-bounds memory read</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583">CVE-2014-3583</a>)
- </h3>
- </dt>
- <dd>
- <p>
-An out-of-bounds memory read was found in mod_proxy_fcgi. A malicious
-FastCGI server could send a carefully crafted response which could
-lead to a crash when reading past the end of a heap memory or stack
-buffer. This issue affects version 2.4.10 only.
-</p>
- <p>Acknowledgements:
-This issue was reported by Teguh P. Alko.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">17th September 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">12th November 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">30th January 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.10</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2014-3581">low:
- <name name="CVE-2014-3581">mod_cache crash with empty Content-Type header</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581">CVE-2014-3581</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A NULL pointer deference was found in mod_cache. A malicious HTTP
-server could cause a crash in a caching forward proxy configuration.
-This crash would only be a denial of service if using a threaded MPM.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">8th September 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">30th January 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2013-5704">low:
- <name name="CVE-2013-5704">HTTP Trailers processing bypass</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704">CVE-2013-5704</a>)
- </h3>
- </dt>
- <dd>
- <p>
-HTTP trailers could be used to replace HTTP headers late during request
-processing, potentially undoing or otherwise confusing modules that
-examined or modified request headers earlier.</p>
- <p>This fix adds the "MergeTrailers" directive to restore legacy behavior.
-</p>
- <p>Acknowledgements:
-This issue was reported by Martin Holst Swende.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">6th September 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">19th October 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">30th January 2015</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.10">
-Fixed in Apache httpd 2.4.10</h1><dl>
- <dt>
- <h3 id="CVE-2014-0231">important:
- <name name="CVE-2014-0231">mod_cgid denial of service</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231">CVE-2014-0231</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI
-scripts which did not consume standard input, a remote attacker could
-cause child processes to hang indefinitely, leading to denial of
-service.
-</p>
- <p>Acknowledgements:
-This issue was reported by Rainer Jung of the ASF
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">16th June 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">14th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2014-3523">important:
- <name name="CVE-2014-3523">WinNT MPM denial of service</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3523">CVE-2014-3523</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A flaw was found in the WinNT MPM in httpd versions 2.4.1 to 2.4.9, when
-using the default AcceptFilter for that platform. A remote attacker
-could send carefully crafted requests that would leak memory and
-eventually lead to a denial of service against the server.
-</p>
- <p>Acknowledgements:
-This issue was reported by Jeff Trawick of the ASF
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">1st July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">15th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2014-0117">moderate:
- <name name="CVE-2014-0117">mod_proxy denial of service</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117">CVE-2014-0117</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9. A remote attacker could send a carefully crafted request
-to a server configured as a reverse proxy, and cause the child process
-to crash. This could lead to a denial of service against a threaded MPM.
-</p>
- <p>Acknowledgements:
-This issue was reported by Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466 via HP ZDI
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">7th April 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">15th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.9, 2.4.7, 2.4.6</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2014-0118">moderate:
- <name name="CVE-2014-0118">mod_deflate denial of service</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118">CVE-2014-0118</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A resource consumption flaw was found in mod_deflate. If request body
-decompression was configured (using the "DEFLATE" input filter), a
-remote attacker could cause the server to consume significant memory
-and/or CPU resources. The use of request body decompression is not a common
-configuration.
-</p>
- <p>Acknowledgements:
-This issue was reported by Giancarlo Pellegrino and Davide Balzarotti
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">19th February 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">14th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2014-0226">moderate:
- <name name="CVE-2014-0226">mod_status buffer overflow</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226">CVE-2014-0226</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A race condition was found in mod_status. An attacker able to access
-a public server status page on a server using a threaded MPM could send a
-carefully crafted request which could lead to a heap buffer overflow. Note
-that it is not a default or recommended configuration to have a public
-accessible server status page.
-</p>
- <p>Acknowledgements:
-This issue was reported by Marek Kroemeke, AKAT-1 and
-22733db72ab3ed94b5f8a1ffcde850251fe6f466 via HP ZDI
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">30th May 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">14th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">15th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.9">
-Fixed in Apache httpd 2.4.9</h1><dl>
- <dt>
- <h3 id="CVE-2014-0098">low:
- <name name="CVE-2014-0098">mod_log_config crash</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098">CVE-2014-0098</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A flaw was found in mod_log_config. A remote attacker could send a
-specific truncated cookie causing a crash. This crash would only be a
-denial of service if using a threaded MPM.
-</p>
- <p>Acknowledgements:
-This issue was reported by Rainer M Canavan
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">25th February 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">17th March 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">17th March 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2013-6438">moderate:
- <name name="CVE-2013-6438">mod_dav crash</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438">CVE-2013-6438</a>)
- </h3>
- </dt>
- <dd>
- <p>
-XML parsing code in mod_dav incorrectly calculates the end of the string when
-removing leading spaces and places a NUL character outside the buffer, causing
-random crashes. This XML parsing code is only used with DAV provider modules
-that support DeltaV, of which the only publicly released provider is mod_dav_svn.
-</p>
- <p>Acknowledgements:
-This issue was reported by Ning Zhang & Amin Tora of Neustar
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">10th December 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">17th March 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">17th March 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.7">
-Fixed in Apache httpd 2.4.7</h1><dl>
- <dt>
- <h3 id="CVE-2013-4352">low:
- <name name="CVE-2013-4352">mod_cache crash</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4352">CVE-2013-4352</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A NULL pointer dereference was found in mod_cache. A malicious HTTP
-server could cause a crash in a caching forward proxy configuration.
-(Note that this vulnerability was fixed in the 2.4.7 release, but the
-security impact was not disclosed at the time of the release.)
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">14th September 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">14th July 2014</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">26th November 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.6</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.6">
-Fixed in Apache httpd 2.4.6</h1><dl>
- <dt>
- <h3 id="CVE-2013-1896">moderate:
- <name name="CVE-2013-1896">mod_dav crash</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896">CVE-2013-1896</a>)
- </h3>
- </dt>
- <dd>
- <p>
-Sending a MERGE request against a URI handled by mod_dav_svn with the
-source href (sent as part of the request body as XML) pointing to a
-URI that is not configured for DAV will trigger a segfault.
-</p>
- <p>Acknowledgements:
-This issue was reported by Ben Reser
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">7th March 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">23rd May 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">22nd July 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2013-2249">moderate:
- <name name="CVE-2013-2249">mod_session_dbd session fixation flaw</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249">CVE-2013-2249</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A flaw in mod_session_dbd caused it to proceed with save operations for a session
-without considering the dirty flag and the requirement for a new
-session ID.
-</p>
- <p>Acknowledgements:
-This issue was reported by Takashi Sato
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">29th May 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">22nd July 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">22nd July 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.4, 2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.4">
-Fixed in Apache httpd 2.4.4</h1><dl>
- <dt>
- <h3 id="CVE-2012-3499">low:
- <name name="CVE-2012-3499">XSS due to unescaped hostnames</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499">CVE-2012-3499</a>)
- </h3>
- </dt>
- <dd>
- <p>
-Various XSS flaws due to unescaped hostnames and URIs HTML output in
-mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
-</p>
- <p>Acknowledgements:
-This issue was reported by Niels Heinen of Google
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">11th July 2012</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">18th February 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">25th February 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2012-4558">moderate:
- <name name="CVE-2012-4558">XSS in mod_proxy_balancer</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558">CVE-2012-4558</a>)
- </h3>
- </dt>
- <dd>
- <p>
-A XSS flaw affected the mod_proxy_balancer manager interface.
-</p>
- <p>Acknowledgements:
-This issue was reported by Niels Heinen of Google
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">7th October 2012</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">18th February 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">25th February 2013</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.3, 2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.3">
-Fixed in Apache httpd 2.4.3</h1><dl>
- <dt>
- <h3 id="CVE-2012-3502">important:
- <name name="CVE-2012-3502">Response mixup when using mod_proxy_ajp or mod_proxy_http</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3502">CVE-2012-3502</a>)
- </h3>
- </dt>
- <dd>
- <p>
-The modules mod_proxy_ajp and mod_proxy_http did not always close
-the connection to the back end server when necessary as part of error
-handling. This could lead to an information disclosure due to a response mixup
-between users.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">16th August 2012</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">21st August 2012</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
- <dt>
- <h3 id="CVE-2012-2687">low:
- <name name="CVE-2012-2687">XSS in mod_negotiation when untrusted uploads are supported</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687">CVE-2012-2687</a>)
- </h3>
- </dt>
- <dd>
- <p>
-Possible XSS for sites which use mod_negotiation and allow
-untrusted uploads to locations which have MultiViews enabled.
-</p>
- <p>Note: This issue is also known as CVE-2008-0455.</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">31st May 2012</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">13th June 2012</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">21st August 2012</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.2, 2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl><br/><h1 id="2.4.2">
-Fixed in Apache httpd 2.4.2</h1><dl>
- <dt>
- <h3 id="CVE-2012-0883">low:
- <name name="CVE-2012-0883">insecure LD_LIBRARY_PATH handling</name>
- (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883">CVE-2012-0883</a>)
- </h3>
- </dt>
- <dd>
- <p>
-Insecure handling of LD_LIBRARY_PATH was found that could
-lead to the current working directory to be searched for DSOs.
-This could allow a local user to execute code as root if an
-administrator runs apachectl from an untrusted directory.
-</p>
- <table class="cve">
- <tr>
- <td class="cve-header">Reported to security team</td>
- <td class="cve-value">14th February 2012</td>
- </tr>
- <tr>
- <td class="cve-header">Issue public</td>
- <td class="cve-value">2nd March 2012</td>
- </tr>
- <tr>
- <td class="cve-header">Update Released</td>
- <td class="cve-value">17th April 2012</td>
- </tr>
- <tr>
- <td class="cve-header">Affects</td>
- <td class="cve-value">2.4.1</td>
- </tr>
- </table>
- </dd>
-</dl>
-
+
<!-- FOOTER -->
<div id="footer">