author | ohauer <ohauer@FreeBSD.org> | 2013-07-11 03:01:44 +0800 |
---|---|---|
committer | ohauer <ohauer@FreeBSD.org> | 2013-07-11 03:01:44 +0800 |
commit | 31dd4fd824aafa89c7f4eb95e23f32974c053110 (patch) | |
tree | 9ee2e8ef59faea9a7ba11b10c71836a5c9a5b07c /security/vuxml | |
parent | 8f8d23b2ad7bdf85595330cbd849b7f199e2ea75 (diff) | |
- update to apache-2.2.25
- update vuxml with additional CVE-2013-1896 entry
Changes with Apache 2.2.25
http://www.apache.org/dist/httpd/CHANGES_2.2.25
*) SECURITY: CVE-2013-1896 (cve.mitre.org)
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser
<ben reser.org>]
*) SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
*) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
strings. The default limit for ap_pregsub() can be adjusted at compile
time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]
*) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun
<apache heilbrun.org>]
*) mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]
*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
*) mod_proxy: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
*) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]
*) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
*) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
*) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]
*) htdigest: Fix buffer overflow when reading digest password file
with very long lines. PR 54893. [Rainer Jung]
*) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed for a COPY operation. PR54610
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
property on a resource for which there is no dead property in the same
namespace httpd segfaults. PR 52559 [Diego Santa Cruz
<diego.santaCruz spinetix.com>]
*) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
*) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
PR: ports/180248
Submitted by: Jason Helfman jgh@
Diffstat (limited to 'security/vuxml')
-rw-r--r-- | security/vuxml/vuln.xml | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index a91b5ac06423..663f752d32e0 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -121,27 +121,27 @@ Note: Please add new entries to the beginning of this file. </vuln> <vuln vid="f3d24aee-e5ad-11e2-b183-20cf30e32f6d"> - <topic>apache22 -- mod_rewrite vulnerability</topic> + <topic>apache22 -- several vulnerabilities</topic> <affects> <package> <name>apache22</name> - <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range> + <range><gt>2.2.0</gt><lt>2.2.25</lt></range> </package> <package> <name>apache22-event-mpm</name> - <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range> + <range><gt>2.2.0</gt><lt>2.2.25</lt></range> </package> <package> <name>apache22-itk-mpm</name> - <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range> + <range><gt>2.2.0</gt><lt>2.2.25</lt></range> </package> <package> <name>apache22-peruser-mpm</name> - <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range> + <range><gt>2.2.0</gt><lt>2.2.25</lt></range> </package> <package> <name>apache22-worker-mpm</name> - <range><gt>2.2.0</gt><lt>2.2.24_1</lt></range> + <range><gt>2.2.0</gt><lt>2.2.25</lt></range> </package> </affects> <description> @@ -153,16 +153,21 @@ Note: Please add new entries to the beginning of this file. non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator.</p> + <p>mod_dav: Sending a MERGE request against a URI handled by + mod_dav_svn with the source href (sent as part of the request + body as XML) pointing to a URI that is not configured for DAV + will trigger a segfault.</p> </blockquote> </body> </description> <references> <cvename>CVE-2013-1862</cvename> + <cvename>CVE-2013-1896</cvename> </references> <dates> <discovery>2013-06-21</discovery> <entry>2013-07-05</entry> - <modified>2013-07-06</modified> + <modified>2013-07-10</modified> </dates> </vuln> |
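Review bot: In the first hunk, raising `<lt>2.2.24_1</lt>` to `<lt>2.2.25</lt>` on all five packages of the existing entry f3d24aee-e5ad-11e2-b183-20cf30e32f6d makes the entry report 2.2.24_1 as affected for everything it describes, although the old bound and the old topic indicate the mod_rewrite issue was already fixed in 2.2.24_1. Consider leaving this entry's range as it was and adding a separate `<vuln>` with its own vid for the mod_dav issue, bounded at 2.2.25, so each CVE keeps an accurate fixed version. If the merge stays, the topic "several vulnerabilities" would be easier to search if it named mod_rewrite and mod_dav.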
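Review bot: The mod_dav paragraph added in the second hunk describes the trigger but not the impact, unlike the mod_rewrite paragraph above it, which says what a remote attacker gains; state the consequence of the segfault so readers can judge severity from the entry alone. Also, `<discovery>2013-06-21</discovery>` is left unchanged while `<cvename>CVE-2013-1896</cvename>` is added: confirm that date still holds for the combined entry, or split the entry so each CVE carries its own dates.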