Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (5)
| Vulnerability |
Summary |
Aliases |
|
VCID-1189-ej89-hybs
|
mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.
|
CVE-2017-3169
|
|
VCID-fyrq-yg2u-jkc7
|
mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.
|
CVE-2017-7679
|
|
VCID-qayj-kts9-3fde
|
Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.
|
CVE-2017-3167
|
|
VCID-twj7-4qwm-2khv
|
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.
|
CVE-2017-7668
|
|
VCID-wshe-gf99-tbg6
|
A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process.
|
CVE-2017-7659
|