Download
| Alert*
|
oval:org.secpod.oval:def:1200131
httpd24 is installed oval:org.secpod.oval:def:1601139 In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized me ... oval:org.secpod.oval:def:1600919 By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 . oval:org.secpod.oval:def:1600206 Multiple cross-site scripting vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via ... oval:org.secpod.oval:def:1600308 Cross-site scripting flaws were found in the mod_proxy_balancer module"s manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user"s ... oval:org.secpod.oval:def:1600118 The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service via a crafted cookie that is not properly handled during truncation. oval:org.secpod.oval:def:1200166 mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictio ... oval:org.secpod.oval:def:1600429 It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could p ... oval:org.secpod.oval:def:1600495 The following security-related issues were fixed:Padding oracle vulnerability in Apache mod_session_crypto DoS vulnerability in mod_auth_digest Apache HTTP request parsing whitespace defects oval:org.secpod.oval:def:1200130 It was discovered that in httpd 2.4, the internal API function ap_some_auth_required could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. Multiple flaws ... oval:org.secpod.oval:def:1600980 A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or l ... oval:org.secpod.oval:def:1600997 In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads could execute arbitrary code with the privileges of the parent process by manipulating the scoreboard oval:org.secpod.oval:def:1600879 Use-after-free on HTTP/2 stream shutdownWhen an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger ... oval:org.secpod.oval:def:504878 The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module. Security Fix: * httpd: mod_session_cookie does not respect expiry time * httpd: mod_auth_di ... oval:org.secpod.oval:def:1600965 In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol oval:org.secpod.oval:def:1600001 A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module could send a specially crafted request that would cause the httpd child p ... oval:org.secpod.oval:def:1600776 Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user"s .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. ... oval:org.secpod.oval:def:1600742 ap_find_token buffer overread:A buffer over-read flaw was found in the httpds ap_find_token function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request. Apache HTTP Request Parsing Whitespace Defects:It was discovered that the HTTP parse ... oval:org.secpod.oval:def:504850 The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module. The following packages have been upgraded to a later upstream version: httpd24-httpd . Secu ... |
