rpm package
opensuse/apache2&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/apache2&distro=openSUSE%20Tumbleweed
Vulnerabilities (136)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-0118 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Jul 20, 2014 | The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to | ||
| CVE-2014-0117 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Jul 20, 2014 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. | ||
| CVE-2013-5704 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Apr 15, 2014 | The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such | ||
| CVE-2014-0098 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Mar 18, 2014 | The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation. | ||
| CVE-2013-6438 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Mar 18, 2014 | The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request | ||
| CVE-2013-2249 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Jul 23, 2013 | mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors. | ||
| CVE-2013-1896 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Jul 10, 2013 | mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn modul | ||
| CVE-2012-3499 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Feb 26, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, | ||
| CVE-2012-3502 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Aug 22, 2012 | The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remote | ||
| CVE-2012-2687 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Aug 22, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or H | ||
| CVE-2012-0053 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Jan 28, 2012 | protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) mal | ||
| CVE-2012-0021 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Jan 28, 2012 | The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a co | ||
| CVE-2012-0031 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Jan 18, 2012 | scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an inval | ||
| CVE-2011-4317 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Nov 30, 2011 | The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a r | ||
| CVE-2011-3607 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Nov 8, 2011 | Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunct | ||
| CVE-2011-3368 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Oct 5, 2011 | The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to | ||
| CVE-2011-3192 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Aug 29, 2011 | The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August | ||
| CVE-2011-1176 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Mar 29, 2011 | The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers | ||
| CVE-2010-1623 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Oct 4, 2010 | Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of | ||
| CVE-2010-1452 | — | < 2.4.23-4.1 | 2.4.23-4.1 | Jul 28, 2010 | The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path. |
- CVE-2014-0118Jul 20, 2014affected < 2.4.23-4.1fixed 2.4.23-4.1
The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to
- CVE-2014-0117Jul 20, 2014affected < 2.4.23-4.1fixed 2.4.23-4.1
The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header.
- CVE-2013-5704Apr 15, 2014affected < 2.4.23-4.1fixed 2.4.23-4.1
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such
- CVE-2014-0098Mar 18, 2014affected < 2.4.23-4.1fixed 2.4.23-4.1
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
- CVE-2013-6438Mar 18, 2014affected < 2.4.23-4.1fixed 2.4.23-4.1
The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request
- CVE-2013-2249Jul 23, 2013affected < 2.4.23-4.1fixed 2.4.23-4.1
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.
- CVE-2013-1896Jul 10, 2013affected < 2.4.23-4.1fixed 2.4.23-4.1
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn modul
- CVE-2012-3499Feb 26, 2013affected < 2.4.23-4.1fixed 2.4.23-4.1
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap,
- CVE-2012-3502Aug 22, 2012affected < 2.4.23-4.1fixed 2.4.23-4.1
The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remote
- CVE-2012-2687Aug 22, 2012affected < 2.4.23-4.1fixed 2.4.23-4.1
Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or H
- CVE-2012-0053Jan 28, 2012affected < 2.4.23-4.1fixed 2.4.23-4.1
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) mal
- CVE-2012-0021Jan 28, 2012affected < 2.4.23-4.1fixed 2.4.23-4.1
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a co
- CVE-2012-0031Jan 18, 2012affected < 2.4.23-4.1fixed 2.4.23-4.1
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an inval
- CVE-2011-4317Nov 30, 2011affected < 2.4.23-4.1fixed 2.4.23-4.1
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a r
- CVE-2011-3607Nov 8, 2011affected < 2.4.23-4.1fixed 2.4.23-4.1
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunct
- CVE-2011-3368Oct 5, 2011affected < 2.4.23-4.1fixed 2.4.23-4.1
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to
- CVE-2011-3192Aug 29, 2011affected < 2.4.23-4.1fixed 2.4.23-4.1
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August
- CVE-2011-1176Mar 29, 2011affected < 2.4.23-4.1fixed 2.4.23-4.1
The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers
- CVE-2010-1623Oct 4, 2010affected < 2.4.23-4.1fixed 2.4.23-4.1
Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of
- CVE-2010-1452Jul 28, 2010affected < 2.4.23-4.1fixed 2.4.23-4.1
The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path.
Page 5 of 7