rpm package
suse/apache2&distro=SUSE Linux Enterprise Server 12 SP2-BCL
pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL
Vulnerabilities (46)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-1302 | Med | 5.9 | < 2.4.23-29.18.2 | 2.4.23-29.18.2 | Mar 26, 2018 | When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurati | |
| CVE-2018-1301 | Med | 5.9 | < 2.4.23-29.18.2 | 2.4.23-29.18.2 | Mar 26, 2018 | A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both l | |
| CVE-2018-1283 | Med | 5.3 | < 2.4.23-29.18.2 | 2.4.23-29.18.2 | Mar 26, 2018 | In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_se | |
| CVE-2017-15715 | Hig | 8.1 | < 2.4.23-29.18.2 | 2.4.23-29.18.2 | Mar 26, 2018 | In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally bloc | |
| CVE-2017-15710 | Hig | 7.5 | < 2.4.23-29.18.2 | 2.4.23-29.18.2 | Mar 26, 2018 | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present | |
| CVE-2016-8743 | Hig | 7.5 | < 2.4.23-29.24.1 | 2.4.23-29.24.1 | Jul 27, 2017 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or inter |
- affected < 2.4.23-29.18.2fixed 2.4.23-29.18.2
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurati
- affected < 2.4.23-29.18.2fixed 2.4.23-29.18.2
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both l
- affected < 2.4.23-29.18.2fixed 2.4.23-29.18.2
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_se
- affected < 2.4.23-29.18.2fixed 2.4.23-29.18.2
In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally bloc
- affected < 2.4.23-29.18.2fixed 2.4.23-29.18.2
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present
- affected < 2.4.23-29.24.1fixed 2.4.23-29.24.1
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or inter
Page 3 of 3