CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header

2020-08-07 Thread Daniel Ruggeri
CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header Severity: moderate Vendor: Apache Software Foundation Versions Affected: Apache HTTP Server 2.4.20 to 2.4.43 Description: Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and

CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header

2020-08-07 Thread Daniel Ruggeri
CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header Severity: important Vendor: Apache Software Foundation Versions Affected: Apache HTTP Server 2.4.20 to 2.4.43 Description: Apache HTTP Server versions 2.4.20 to 2.4.43 A specially crafted value for the 'Cache-Digest'

[ANNOUNCEMENT] Apache HTTP Server 2.4.46 Released

2020-08-07 Thread Daniel Ruggeri
Apache HTTP Server 2.4.46 Released August 07, 2020 The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.46 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the

CVE-2020-11984: mod_uwsgi buffer overflow

2020-08-07 Thread Daniel Ruggeri
CVE-2020-11984: mod_uwsgi buffer overflow Severity: moderate Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.32 to 2.4.44 Description: Apache HTTP Server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE Mitigation: disable mod_uwsgi Credit:

CVE-2020-11985: CWE-345: Insufficient verification of data authenticity

2020-08-07 Thread Daniel Ruggeri
CVE-2020-11985: CWE-345: Insufficient verification of data authenticity Severity: low Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.1 to 2.4.23 Description: Apache HTTP Server 2.4.1 to 2.4.23 IP address spoofing when proxying using mod_remoteip and mod_rewrite