Univention Bugzilla – Full Text Bug Listing
Summary: | apache2: Multiple issues (3.2) | ||
---|---|---|---|
Product: | UCS | Reporter: | Moritz Muehlenhoff <jmm> |
Component: | Security updates | Assignee: | Stefan Gohmann <gohmann> |
Status: | CLOSED FIXED | QA Contact: | Janek Walkenhorst <walkenhorst> |
Severity: | normal | ||
Priority: | P3 | CC: | gohmann, requate |
Version: | UCS 3.0 | Flags: | requate: Patch_Available+ |
Target Milestone: | UCS 3.2-7-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
Description
Moritz Muehlenhoff
2013-11-12 11:25:23 CET
Denial of service in mod_log_config (CVE-2014-0098)

Denial of service in mod_dav (CVE-2013-6438)

(In reply to Moritz Muehlenhoff from comment #0)
> +++ This bug was initially created as a clone of Bug #31300 +++
>
> mod_write doesn't filter log file data for non-printable character
> (CVE-2013-1862)
>
> Denial of service in mod_dav (CVE-2013-1896)

These two issues were fixed with the update to Squeeze 6.0.9 (Bug 34588), the other issues remain unfixed.

(In reply to Moritz Muehlenhoff from comment #1)
> Denial of service in mod_log_config (CVE-2014-0098)

The vulnerable code isn't present yet in the version in UCS 3.x

Currently only this issue is open:
Denial of service in mod_dav (CVE-2013-6438)

Denial of service in mod_proxy (CVE-2014-0117)
Heap overflow in mod_status scoreboard handling (CVE-2014-0226)
Denial of service in mod_deflate (CVE-2014-0118)
Denial of service in mod_cgid (CVE-2014-0231)
Denial of service in mod_cache (CVE-2014-3581)
Denial of service through malicious fcgi scripts (CVE-2014-3583)
Incorrect handling of chunked trailer fields in mod_headers (CVE-2013-5704)

(In reply to Moritz Muehlenhoff from comment #5)
> Denial of service in mod_proxy (CVE-2014-0117)

This doesn't affect UCS 3.x

(In reply to Moritz Muehlenhoff from comment #7)
> Denial of service through malicious fcgi scripts (CVE-2014-3583)

This only affects Apache 2.4

* HTTP request smuggling attack against chunked request parser, allowing cache poisoning or credential hijacking if an intermediary proxy is in use (CVE-2015-3183)

Fixed upstream in Debian package version 2.2.16-6+squeeze15

2.2.16-6+squeeze15 has been imported.
YAML: 2015-08-29-apache2.yaml

My tests were successful.
Advisory: OK
Changelog: OK
Tests (amd64): OK