diff options
| author | Bernard Spil <brnrd@FreeBSD.org> | 2018-03-24 22:39:24 +0800 |
|---|---|---|
| committer | Bernard Spil <brnrd@FreeBSD.org> | 2018-03-24 22:39:24 +0800 |
| commit | e0e7414ef86f496d58ca7851cbf93ac887906205 (patch) | |
| tree | aada7da3db47b3e856045b564f7e4d1c9463de47 | |
| parent | b02c316bb43f596efe39b31536f9e39ca2b78d82 (diff) | |
| download | freebsd-ports-e0e7414ef86f496d58ca7851cbf93ac887906205.tar.gz freebsd-ports-e0e7414ef86f496d58ca7851cbf93ac887906205.tar.zst freebsd-ports-e0e7414ef86f496d58ca7851cbf93ac887906205.zip | |
security/vuxml: Document recent Apache httpd vulnerabilities
Notes
Notes:
svn path=/head/; revision=465453
| -rw-r--r-- | security/vuxml/vuln.xml | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 8dc5afd52e6b..0a301f2cd046 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,56 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="f38187e7-2f6e-11e8-8f07-b499baebfeaf"> + <topic>apache -- multiple vulnerabilities</topic> + <affects> + <package> + <name>apache24</name> + <range><lt>2.4.30</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Apache httpd reports:</p> + <blockquote cite="https://www.apache.org/dist/httpd/CHANGES_2.4.33"> + <p>Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig + enabled (CVE-2017-15710)</p> + <p>mod_session: CGI-like applications that intend to read from + mod_session's 'SessionEnv ON' could be fooled into reading + user-supplied data instead. (CVE-2018-1283)</p> + <p>mod_cache_socache: Fix request headers parsing to avoid a possible + crash with specially crafted input data. (CVE-2018-1303)</p> + <p>core: Possible crash with excessively long HTTP request headers. + Impractical to exploit with a production build and production + LogLevel. (CVE-2018-1301)</p> + <p>core: Configure the regular expression engine to match '$' to the + end of the input string only, excluding matching the end of any + embedded newline characters. Behavior can be changed with new + directive 'RegexDefaultOptions'. (CVE-2017-15715)</p> + <p>mod_auth_digest: Fix generation of nonce values to prevent replay + attacks across servers using a common Digest domain. This change + may cause problems if used with round robin load balancers. + (CVE-2018-1312)</p> + <p>mod_http2: Potential crash w/ mod_http2. (CVE-2018-1302)</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.apache.org/dist/httpd/CHANGES_2.4.33</url> + <cvename>CVE-2017-15710</cvename> + <cvename>CVE-2018-1283</cvename> + <cvename>CVE-2018-1303</cvename> + <cvename>CVE-2018-1301</cvename> + <cvename>CVE-2017-15715</cvename> + <cvename>CVE-2018-1312</cvename> + <cvename>CVE-2018-1302</cvename> + </references> + <dates> + <discovery>2018-03-23</discovery> + <entry>2018-03-24</entry> + </dates> + </vuln> + <vuln vid="d50a50a2-2f3e-11e8-86f8-00e04c1ea73d"> <topic>mybb -- multiple vulnerabilities</topic> <affects> |