You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/07/11 15:12:26 UTC
svn commit: r1801625 -
/httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Author: wrowe
Date: Tue Jul 11 15:12:26 2017
New Revision: 1801625
URL: http://svn.apache.org/viewvc?rev=1801625&view=rev
Log:
Cleaner split of 2.4 from 2.2 in vulnerability table, tie 2.2 to .34 release
Modified:
httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1801625&r1=1801624&r2=1801625&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Tue Jul 11 15:12:26 2017
@@ -9,7 +9,7 @@ Use of the ap_get_basic_auth_pw() by thi
authentication phase may lead to authentication requirements being bypassed.
</p><p>
Third-party module writers SHOULD use ap_get_basic_auth_components(), available
-in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the
+in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the
legacy ap_get_basic_auth_pw() during the authentication phase MUST either
immediately authenticate the user after the call, or else stop the request
immediately with an error response, to avoid incorrectly authenticating the
@@ -33,6 +33,26 @@ We would like to thank Emmanuel Dreyfus
<affects prod="httpd" version="2.4.3"/>
<affects prod="httpd" version="2.4.2"/>
<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.2.34" reported="20170206" public="20170619" released="20170711">
+<cve name="CVE-2017-3167"/>
+<severity level="2">important</severity>
+<title>ap_get_basic_auth_pw() Authentication Bypass</title>
+<description><p>
+Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+authentication phase may lead to authentication requirements being bypassed.
+</p><p>
+Third-party module writers SHOULD use ap_get_basic_auth_components(), available
+in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the
+legacy ap_get_basic_auth_pw() during the authentication phase MUST either
+immediately authenticate the user after the call, or else stop the request
+immediately with an error response, to avoid incorrectly authenticating the
+current request.
+</p></description>
+<acknowledgements>
+We would like to thank Emmanuel Dreyfus for reporting this issue.
+</acknowledgements>
<affects prod="httpd" version="2.2.32"/>
<affects prod="httpd" version="2.2.31"/>
<affects prod="httpd" version="2.2.29"/>
@@ -91,6 +111,20 @@ reporting this issue.
<affects prod="httpd" version="2.4.3"/>
<affects prod="httpd" version="2.4.2"/>
<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.2.34" reported="20161205" public="20170619" released="20170711">
+<cve name="CVE-2017-3169"/>
+<severity level="2">important</severity>
+<title>mod_ssl Null Pointer Dereference</title>
+<description><p>
+mod_ssl may dereference a NULL pointer when third-party modules call
+ap_hook_process_connection() during an HTTP request to an HTTPS port.
+</p></description>
+<acknowledgements>
+We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for
+reporting this issue.
+</acknowledgements>
<affects prod="httpd" version="2.2.32"/>
<affects prod="httpd" version="2.2.31"/>
<affects prod="httpd" version="2.2.29"/>
@@ -152,6 +186,23 @@ We would like to thank Javier Jiménez
issue.
</acknowledgements>
<affects prod="httpd" version="2.4.25"/>
+</issue>
+
+<issue fixed="2.2.34" reported="20170506" public="20170619" released="20170711">
+<cve name="CVE-2017-7668"/>
+<severity level="2">important</severity>
+<title>ap_find_token() Buffer Overread</title>
+<description><p>
+The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
+token list parsing, which allows ap_find_token() to search past the end of its
+input string. By maliciously crafting a sequence of request headers, an attacker
+may be able to cause a segmentation fault, or to force ap_find_token() to return
+an incorrect value.
+</p></description>
+<acknowledgements>
+We would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this
+issue.
+</acknowledgements>
<affects prod="httpd" version="2.2.32"/>
</issue>
@@ -181,6 +232,19 @@ We would like to thank ChenQin and Hanno
<affects prod="httpd" version="2.4.3"/>
<affects prod="httpd" version="2.4.2"/>
<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.2.34" reported="20151115" public="20170619" released="20170711">
+<cve name="CVE-2017-7679"/>
+<severity level="2">important</severity>
+<title>mod_mime Buffer Overread</title>
+<description><p>
+mod_mime can read one byte past the end of a buffer when sending a malicious
+Content-Type response header.
+</p></description>
+<acknowledgements>
+We would like to thank ChenQin and Hanno Böck for reporting this issue.
+</acknowledgements>
<affects prod="httpd" version="2.2.32"/>
<affects prod="httpd" version="2.2.31"/>
<affects prod="httpd" version="2.2.29"/>
@@ -432,220 +496,6 @@ this issue.
<affects prod="httpd" version="2.4.1"/>
</issue>
-<issue fixed="2.2.33-dev" reported="20170206" public="20170619" released="20170619">
-<cve name="CVE-2017-3167"/>
-<severity level="2">important</severity>
-<title>ap_get_basic_auth_pw() Authentication Bypass</title>
-<description><p>
-Use of the ap_get_basic_auth_pw() by third-party modules outside of the
-authentication phase may lead to authentication requirements being bypassed.
-</p><p>
-Third-party module writers SHOULD use ap_get_basic_auth_components(), available
-in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the
-legacy ap_get_basic_auth_pw() during the authentication phase MUST either
-immediately authenticate the user after the call, or else stop the request
-immediately with an error response, to avoid incorrectly authenticating the
-current request.
-</p><p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch"
- >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch</a>.
-</p></description>
-<acknowledgements>
-We would like to thank Emmanuel Dreyfus for reporting this issue.
-</acknowledgements>
-<affects prod="httpd" version="2.4.25"/>
-<affects prod="httpd" version="2.4.23"/>
-<affects prod="httpd" version="2.4.20"/>
-<affects prod="httpd" version="2.4.18"/>
-<affects prod="httpd" version="2.4.17"/>
-<affects prod="httpd" version="2.4.16"/>
-<affects prod="httpd" version="2.4.12"/>
-<affects prod="httpd" version="2.4.10"/>
-<affects prod="httpd" version="2.4.9"/>
-<affects prod="httpd" version="2.4.7"/>
-<affects prod="httpd" version="2.4.6"/>
-<affects prod="httpd" version="2.4.4"/>
-<affects prod="httpd" version="2.4.3"/>
-<affects prod="httpd" version="2.4.2"/>
-<affects prod="httpd" version="2.4.1"/>
-<affects prod="httpd" version="2.2.32"/>
-<affects prod="httpd" version="2.2.31"/>
-<affects prod="httpd" version="2.2.29"/>
-<affects prod="httpd" version="2.2.27"/>
-<affects prod="httpd" version="2.2.26"/>
-<affects prod="httpd" version="2.2.25"/>
-<affects prod="httpd" version="2.2.24"/>
-<affects prod="httpd" version="2.2.23"/>
-<affects prod="httpd" version="2.2.22"/>
-<affects prod="httpd" version="2.2.21"/>
-<affects prod="httpd" version="2.2.20"/>
-<affects prod="httpd" version="2.2.19"/>
-<affects prod="httpd" version="2.2.18"/>
-<affects prod="httpd" version="2.2.17"/>
-<affects prod="httpd" version="2.2.16"/>
-<affects prod="httpd" version="2.2.15"/>
-<affects prod="httpd" version="2.2.14"/>
-<affects prod="httpd" version="2.2.13"/>
-<affects prod="httpd" version="2.2.12"/>
-<affects prod="httpd" version="2.2.11"/>
-<affects prod="httpd" version="2.2.10"/>
-<affects prod="httpd" version="2.2.9"/>
-<affects prod="httpd" version="2.2.8"/>
-<affects prod="httpd" version="2.2.6"/>
-<affects prod="httpd" version="2.2.5"/>
-<affects prod="httpd" version="2.2.4"/>
-<affects prod="httpd" version="2.2.3"/>
-<affects prod="httpd" version="2.2.2"/>
-<affects prod="httpd" version="2.2.0"/>
-</issue>
-
-<issue fixed="2.2.33-dev" reported="20161205" public="20170619" released="20170619">
-<cve name="CVE-2017-3169"/>
-<severity level="2">important</severity>
-<title>mod_ssl Null Pointer Dereference</title>
-<description><p>
-mod_ssl may dereference a NULL pointer when third-party modules call
-ap_hook_process_connection() during an HTTP request to an HTTPS port.
-</p><p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch"
- >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch</a>.
-</p></description>
-<acknowledgements>
-We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for
-reporting this issue.
-</acknowledgements>
-<affects prod="httpd" version="2.4.25"/>
-<affects prod="httpd" version="2.4.23"/>
-<affects prod="httpd" version="2.4.20"/>
-<affects prod="httpd" version="2.4.18"/>
-<affects prod="httpd" version="2.4.17"/>
-<affects prod="httpd" version="2.4.16"/>
-<affects prod="httpd" version="2.4.12"/>
-<affects prod="httpd" version="2.4.10"/>
-<affects prod="httpd" version="2.4.9"/>
-<affects prod="httpd" version="2.4.7"/>
-<affects prod="httpd" version="2.4.6"/>
-<affects prod="httpd" version="2.4.4"/>
-<affects prod="httpd" version="2.4.3"/>
-<affects prod="httpd" version="2.4.2"/>
-<affects prod="httpd" version="2.4.1"/>
-<affects prod="httpd" version="2.2.32"/>
-<affects prod="httpd" version="2.2.31"/>
-<affects prod="httpd" version="2.2.29"/>
-<affects prod="httpd" version="2.2.27"/>
-<affects prod="httpd" version="2.2.26"/>
-<affects prod="httpd" version="2.2.25"/>
-<affects prod="httpd" version="2.2.24"/>
-<affects prod="httpd" version="2.2.23"/>
-<affects prod="httpd" version="2.2.22"/>
-<affects prod="httpd" version="2.2.21"/>
-<affects prod="httpd" version="2.2.20"/>
-<affects prod="httpd" version="2.2.19"/>
-<affects prod="httpd" version="2.2.18"/>
-<affects prod="httpd" version="2.2.17"/>
-<affects prod="httpd" version="2.2.16"/>
-<affects prod="httpd" version="2.2.15"/>
-<affects prod="httpd" version="2.2.14"/>
-<affects prod="httpd" version="2.2.13"/>
-<affects prod="httpd" version="2.2.12"/>
-<affects prod="httpd" version="2.2.11"/>
-<affects prod="httpd" version="2.2.10"/>
-<affects prod="httpd" version="2.2.9"/>
-<affects prod="httpd" version="2.2.8"/>
-<affects prod="httpd" version="2.2.6"/>
-<affects prod="httpd" version="2.2.5"/>
-<affects prod="httpd" version="2.2.4"/>
-<affects prod="httpd" version="2.2.3"/>
-<affects prod="httpd" version="2.2.2"/>
-<affects prod="httpd" version="2.2.0"/>
-</issue>
-
-<issue fixed="2.2.33-dev" reported="20170506" public="20170619" released="20170619">
-<cve name="CVE-2017-7668"/>
-<severity level="2">important</severity>
-<title>ap_find_token() Buffer Overread</title>
-<description><p>
-The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
-token list parsing, which allows ap_find_token() to search past the end of its
-input string. By maliciously crafting a sequence of request headers, an attacker
-may be able to cause a segmentation fault, or to force ap_find_token() to return
-an incorrect value.
-</p><p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch"
- >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch</a>.
-</p></description>
-<acknowledgements>
-We would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this
-issue.
-</acknowledgements>
-<affects prod="httpd" version="2.4.25"/>
-<affects prod="httpd" version="2.2.32"/>
-</issue>
-
-<issue fixed="2.2.33-dev" reported="20151115" public="20170619" released="20170619">
-<cve name="CVE-2017-7679"/>
-<severity level="2">important</severity>
-<title>mod_mime Buffer Overread</title>
-<description><p>
-mod_mime can read one byte past the end of a buffer when sending a malicious
-Content-Type response header.
-</p><p>
-A patch for 2.2.32 is available at
-<a href="https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch"
- >https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch</a>.
-</p></description>
-<acknowledgements>
-We would like to thank ChenQin and Hanno Böck for reporting this issue.
-</acknowledgements>
-<affects prod="httpd" version="2.4.25"/>
-<affects prod="httpd" version="2.4.23"/>
-<affects prod="httpd" version="2.4.20"/>
-<affects prod="httpd" version="2.4.18"/>
-<affects prod="httpd" version="2.4.17"/>
-<affects prod="httpd" version="2.4.16"/>
-<affects prod="httpd" version="2.4.12"/>
-<affects prod="httpd" version="2.4.10"/>
-<affects prod="httpd" version="2.4.9"/>
-<affects prod="httpd" version="2.4.7"/>
-<affects prod="httpd" version="2.4.6"/>
-<affects prod="httpd" version="2.4.4"/>
-<affects prod="httpd" version="2.4.3"/>
-<affects prod="httpd" version="2.4.2"/>
-<affects prod="httpd" version="2.4.1"/>
-<affects prod="httpd" version="2.2.32"/>
-<affects prod="httpd" version="2.2.31"/>
-<affects prod="httpd" version="2.2.29"/>
-<affects prod="httpd" version="2.2.27"/>
-<affects prod="httpd" version="2.2.26"/>
-<affects prod="httpd" version="2.2.25"/>
-<affects prod="httpd" version="2.2.24"/>
-<affects prod="httpd" version="2.2.23"/>
-<affects prod="httpd" version="2.2.22"/>
-<affects prod="httpd" version="2.2.21"/>
-<affects prod="httpd" version="2.2.20"/>
-<affects prod="httpd" version="2.2.19"/>
-<affects prod="httpd" version="2.2.18"/>
-<affects prod="httpd" version="2.2.17"/>
-<affects prod="httpd" version="2.2.16"/>
-<affects prod="httpd" version="2.2.15"/>
-<affects prod="httpd" version="2.2.14"/>
-<affects prod="httpd" version="2.2.13"/>
-<affects prod="httpd" version="2.2.12"/>
-<affects prod="httpd" version="2.2.11"/>
-<affects prod="httpd" version="2.2.10"/>
-<affects prod="httpd" version="2.2.9"/>
-<affects prod="httpd" version="2.2.8"/>
-<affects prod="httpd" version="2.2.6"/>
-<affects prod="httpd" version="2.2.5"/>
-<affects prod="httpd" version="2.2.4"/>
-<affects prod="httpd" version="2.2.3"/>
-<affects prod="httpd" version="2.2.2"/>
-<affects prod="httpd" version="2.2.0"/>
-</issue>
-
<issue fixed="2.2.32" reported="20160702" public="20160718" released="20160718">
<cve name="CVE-2016-5387"/>
<severity level="0">n/a</severity>