Bug 402453 - www-servers/apache-2.2.22 released (6 CVE bugs fixed)
Summary: www-servers/apache-2.2.22 released (6 CVE bugs fixed)
Status: RESOLVED DUPLICATE of bug 401761
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux bug wranglers
URL: http://www.apache.org/dist/httpd/Anno...
Reported: 2012-02-06 20:08 UTC by Max Nokhrin
Modified: 2012-02-06 20:14 UTC (History)
Description Max Nokhrin 2012-02-06 20:08:28 UTC

SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations.
SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.
SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations.
SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17.
SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process to cause the parent to crash at shutdown rather than terminate cleanly.
SECURITY: CVE-2012-0053 (cve.mitre.org) Fixed an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400.


Reproducible: Always
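
Added example, not part of the bug report and not Apache's patch: a front-end check in the spirit of the CVE-2011-3368 entry, accepting a request line only when its Request-URI has one of the four forms RFC 2616 section 5.1.2 allows ("*", absoluteURI, abs_path, authority). The function names, the regular expressions and the sample request lines are constructed for illustration; limiting "*" to OPTIONS and authority to host:port are simplifying assumptions.

```python
import re

# RFC 2616 section 5.1.2:
#   Request-URI = "*" | absoluteURI | abs_path | authority
# Assumption: only hierarchical absolute URIs (scheme://host...) are accepted.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/\s]")
# Assumption: authority form is host:port and is valid for CONNECT only.
_AUTHORITY = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")
# Control characters and whitespace never belong in a request-URI.
_BAD_CHARS = re.compile(r"[\x00-\x20\x7f]")

def classify_request_uri(method, uri):
    """Return the RFC 2616 form name, or None if the URI must be rejected."""
    if not uri or _BAD_CHARS.search(uri):
        return None
    if uri == "*":
        return "asterisk" if method == "OPTIONS" else None
    if method == "CONNECT":
        return "authority" if _AUTHORITY.match(uri) else None
    if uri.startswith("/"):
        return "abs_path"
    if _SCHEME.match(uri):
        return "absoluteURI"
    return None  # neither a path nor a full URI: answer 400, do not forward

def parse_request_line(line):
    """Parse 'METHOD SP Request-URI SP HTTP-Version'.
    Return (method, uri, form), or None when the line should get a 400."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, uri, _version = parts
    form = classify_request_uri(method, uri)
    return (method, uri, form) if form else None

# Constructed sample request lines (not taken from the bug report).
SAMPLES = [
    "GET /index.html HTTP/1.1",
    "GET http://www.example.org/index.html HTTP/1.1",
    "OPTIONS * HTTP/1.1",
    "CONNECT www.example.org:443 HTTP/1.1",
    "GET index.html HTTP/1.1",   # no leading slash and no scheme
    "GET * HTTP/1.1",            # "*" with a method that needs a resource
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = parse_request_line(sample)
        print(f"{sample!r:55} -> {result[2] if result else '400 Bad Request'}")
```

Rejecting the request before any RewriteRule or ProxyPassMatch substitution runs keeps a malformed URI from ever being spliced into a backend URL.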
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-02-06 20:14:18 UTC
Please read the instructions next time. They tell you where to file security bugs.

*** This bug has been marked as a duplicate of bug 401761 ***