rpm package
suse/apache2&distro=SUSE OpenStack Cloud Crowbar 9
pkg:rpm/suse/apache2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
Vulnerabilities (28)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-31618 | — | < 2.4.23-29.74.1 | 2.4.23-29.74.1 | Jun 15, 2021 | Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status | ||
| CVE-2021-30641 | — | < 2.4.23-29.74.1 | 2.4.23-29.74.1 | Jun 10, 2021 | Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF' | ||
| CVE-2021-26691 | — | < 2.4.23-29.74.1 | 2.4.23-29.74.1 | Jun 10, 2021 | In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow | ||
| CVE-2021-26690 | — | < 2.4.23-29.74.1 | 2.4.23-29.74.1 | Jun 10, 2021 | Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service | ||
| CVE-2020-35452 | — | < 2.4.23-29.74.1 | 2.4.23-29.74.1 | Jun 10, 2021 | Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation | ||
| CVE-2020-11985 | — | < 2.4.23-29.63.1 | 2.4.23-29.63.1 | Aug 7, 2020 | IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but | ||
| CVE-2020-11993 | — | < 2.4.23-29.63.1 | 2.4.23-29.63.1 | Aug 7, 2020 | Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" w | ||
| CVE-2020-9490 | — | < 2.4.23-29.63.1 | 2.4.23-29.63.1 | Aug 7, 2020 | Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate thi |
- CVE-2021-31618Jun 15, 2021affected < 2.4.23-29.74.1fixed 2.4.23-29.74.1
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status
- CVE-2021-30641Jun 10, 2021affected < 2.4.23-29.74.1fixed 2.4.23-29.74.1
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'
- CVE-2021-26691Jun 10, 2021affected < 2.4.23-29.74.1fixed 2.4.23-29.74.1
In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
- CVE-2021-26690Jun 10, 2021affected < 2.4.23-29.74.1fixed 2.4.23-29.74.1
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service
- CVE-2020-35452Jun 10, 2021affected < 2.4.23-29.74.1fixed 2.4.23-29.74.1
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation
- CVE-2020-11985Aug 7, 2020affected < 2.4.23-29.63.1fixed 2.4.23-29.63.1
IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but
- CVE-2020-11993Aug 7, 2020affected < 2.4.23-29.63.1fixed 2.4.23-29.63.1
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" w
- CVE-2020-9490Aug 7, 2020affected < 2.4.23-29.63.1fixed 2.4.23-29.63.1
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate thi
Page 2 of 2