Hello Kesavan,
Errors 1 and 4 were reported fixed in Apache httpd 2.2.28:
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?revision=1619851&view=markup
Error 1 (CVE-2014-0231) was fixed for 2.2.28 in SVN revision 1611185:
- http://svn.apache.org/viewvc?view=revision&revision=1611185
Error 4 (CVE-2014-0118) was fixed for 2.2.28 in SVN revision 1611426:
- http://svn.apache.org/viewvc?view=revision&revision=1611426
Errors 2 and 3 were reported fixed in Apache httpd 2.4.10:
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?revision=1646179&view=markup
Both of these vulnerabilities were only relevant to Apache httpd 2.4.x.
Error 2 (CVE-2014-3523) was fixed for 2.4.10 in SVN revisions 1610653
and 1610661:
- http://svn.apache.org/viewvc?view=revision&revision=1610653
- http://svn.apache.org/viewvc?view=revision&revision=1610661
Error 3 (CVE-2014-0117) was fixed for 2.4.10 in SVN revision 1610737:
- http://svn.apache.org/viewvc?view=revision&revision=1610737
Thanks,
Mike Rumph
On 12/26/2014 12:01 AM, Sengodan, Kesavan wrote:
Hi
I would like to confirm whether the following issues are fixed in
Apache HTTP server 2.2.29 or not?
======================
Description of vulnerabilities
Multiple vulnerabilities have been reported in Apache HTTP Server,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
1) An error within the mod_cgid module when handling certain input can
be exploited to cause a hang of a child process.
2) An error within WinNT MPM can be exploited to trigger a memory leak
by sending specially crafted requests. Successful exploitation
requires the server to be configured using the default AcceptFilter
setting. Note: This vulnerability only affects Apache HTTP Server
running on Windows NT operating systems.
3) An error when handling HTTP headers within the mod_proxy module can
be exploited to cause a crash of the worker by sending a specially
crafted request. Successful exploitation requires the server to be
configured as a reverse proxy.
4) An error within the mod_deflate module can be exploited to consume
memory and CPU resources. Successful exploitation requires the server
to be configured to use request body decompression.
The vulnerabilities are reported in 2.4.x versions prior to 2.4.9 and
2.2.x versions prior to 2.2.27 and 2.x versions prior to 2.0.65
======================
Please confirm ASAP.
Thanks
Kesavan Sengodan