VulnerableCode Package Details - pkg:ebuild/www-servers/apache@2.2.22-r1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-53da-z9gn-n7f2	A flaw was found in mod_log_config. If the '%{cookiename}C' log format string is in use, a remote attacker could send a specific cookie causing a crash. This crash would only be a denial of service if using a threaded MPM.	CVE-2012-0021
VCID-56kt-8bg6-zbcj	A flaw was found in the handling of requests by mod_cache (2.2) and mod_dav (2.0 and 2.2). A malicious remote attacker could send a carefully crafted request and cause a httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the uncommon "CacheIgnoreURLSessionIdentifiers" directive, introduced in version 2.2.14, is used.	CVE-2010-1452
VCID-5yez-d5nj-q7eq	An integer overflow flaw was found which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.	CVE-2011-3607
VCID-6vze-zk58-7yep	A flaw was found when mod_proxy_ajp is used together with mod_proxy_balancer. Given a specific configuration, a remote attacker could send certain malformed HTTP requests, putting a backend server into an error state until the retry timeout expired. This could lead to a temporary denial of service.	CVE-2011-3348
VCID-cn4b-1w42-gyda	An information disclosure flaw was found in mod_proxy_http in version 2.2.9 only, on Unix platforms. Under certain timeout conditions, the server could return a response intended for another user. Only those configurations which trigger the use of proxy worker pools are affected. There was no vulnerability on earlier versions, as proxy pools were not yet introduced. The simplest workaround is to globally configure: SetEnv proxy-nokeepalive 1	CVE-2010-2791
VCID-d4rc-pnv5-6uc8	A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is specified.	CVE-2012-0053
VCID-ese4-47tg-efbw	Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory.	CVE-2012-0883
VCID-gu44-7hkr-muae	An additional exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker.	CVE-2011-4317
VCID-kkfv-4jd1-bqdm	A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. This could be used in a denial of service attack. Advisory: CVE-2011-3192.txt	CVE-2011-3192
VCID-pdtf-5zv7-2qaf	mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of service.	CVE-2010-0408
VCID-prd8-51a5-pygj	An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker. No update of 1.3 will be released. Patches will be published to https://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/	CVE-2011-3368
VCID-wycq-jwzz-q7hf	A flaw in the core subrequest process code was fixed, to always provide a shallow copy of the headers_in array to the subrequest, instead of a pointer to the parent request's array as it had for requests without request bodies. This meant all modules such as mod_headers which may manipulate the input headers for a subrequest would poison the parent request in two ways, one by modifying the parent request, which might not be intended, and second by leaving pointers to modified header fields in memory allocated to the subrequest scope, which could be freed before the main request processing was finished, resulting in a segfault or in revealing data from another request on threaded servers, such as the worker or winnt MPMs.	CVE-2010-0434
VCID-ym93-sxb8-fkdm	A flaw was found in the handling of the scoreboard. An unprivileged child process could cause the parent process to crash at shutdown rather than terminate cleanly.	CVE-2012-0031

Vulnerability

Summary

Aliases

VCID-53da-z9gn-n7f2

A flaw was found in mod_log_config. If the '%{cookiename}C' log format string is in use, a remote attacker could send a specific cookie causing a crash. This crash would only be a denial of service if using a threaded MPM.

CVE-2012-0021

VCID-56kt-8bg6-zbcj

A flaw was found in the handling of requests by mod_cache (2.2) and mod_dav (2.0 and 2.2). A malicious remote attacker could send a carefully crafted request and cause a httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the uncommon "CacheIgnoreURLSessionIdentifiers" directive, introduced in version 2.2.14, is used.

CVE-2010-1452

VCID-5yez-d5nj-q7eq

An integer overflow flaw was found which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.

CVE-2011-3607

VCID-6vze-zk58-7yep

A flaw was found when mod_proxy_ajp is used together with mod_proxy_balancer. Given a specific configuration, a remote attacker could send certain malformed HTTP requests, putting a backend server into an error state until the retry timeout expired. This could lead to a temporary denial of service.

CVE-2011-3348

VCID-cn4b-1w42-gyda

An information disclosure flaw was found in mod_proxy_http in version 2.2.9 only, on Unix platforms. Under certain timeout conditions, the server could return a response intended for another user. Only those configurations which trigger the use of proxy worker pools are affected. There was no vulnerability on earlier versions, as proxy pools were not yet introduced. The simplest workaround is to globally configure: SetEnv proxy-nokeepalive 1

CVE-2010-2791

VCID-d4rc-pnv5-6uc8

A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is specified.

CVE-2012-0053

VCID-ese4-47tg-efbw

Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory.

CVE-2012-0883

VCID-gu44-7hkr-muae

An additional exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker.

CVE-2011-4317

VCID-kkfv-4jd1-bqdm

A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. This could be used in a denial of service attack. Advisory: CVE-2011-3192.txt

CVE-2011-3192

VCID-pdtf-5zv7-2qaf

mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of service.

CVE-2010-0408

VCID-prd8-51a5-pygj

An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker. No update of 1.3 will be released. Patches will be published to https://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/

CVE-2011-3368

VCID-wycq-jwzz-q7hf

A flaw in the core subrequest process code was fixed, to always provide a shallow copy of the headers_in array to the subrequest, instead of a pointer to the parent request's array as it had for requests without request bodies. This meant all modules such as mod_headers which may manipulate the input headers for a subrequest would poison the parent request in two ways, one by modifying the parent request, which might not be intended, and second by leaving pointers to modified header fields in memory allocated to the subrequest scope, which could be freed before the main request processing was finished, resulting in a segfault or in revealing data from another request on threaded servers, such as the worker or winnt MPMs.

CVE-2010-0434

VCID-ym93-sxb8-fkdm

A flaw was found in the handling of the scoreboard. An unprivileged child process could cause the parent process to crash at shutdown rather than terminate cleanly.

CVE-2012-0031

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:01:14.772303+00:00	Gentoo Importer	Fixing	VCID-ese4-47tg-efbw	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.761084+00:00	Gentoo Importer	Fixing	VCID-d4rc-pnv5-6uc8	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.750044+00:00	Gentoo Importer	Fixing	VCID-ym93-sxb8-fkdm	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.739648+00:00	Gentoo Importer	Fixing	VCID-53da-z9gn-n7f2	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.729517+00:00	Gentoo Importer	Fixing	VCID-gu44-7hkr-muae	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.718299+00:00	Gentoo Importer	Fixing	VCID-5yez-d5nj-q7eq	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.708989+00:00	Gentoo Importer	Fixing	VCID-prd8-51a5-pygj	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.699428+00:00	Gentoo Importer	Fixing	VCID-6vze-zk58-7yep	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.685551+00:00	Gentoo Importer	Fixing	VCID-kkfv-4jd1-bqdm	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.675887+00:00	Gentoo Importer	Fixing	VCID-cn4b-1w42-gyda	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.667115+00:00	Gentoo Importer	Fixing	VCID-56kt-8bg6-zbcj	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.657666+00:00	Gentoo Importer	Fixing	VCID-wycq-jwzz-q7hf	https://security.gentoo.org/glsa/201206-25	38.0.0
2026-04-01T13:01:14.648958+00:00	Gentoo Importer	Fixing	VCID-pdtf-5zv7-2qaf	https://security.gentoo.org/glsa/201206-25	38.0.0