author | Jochen Neumeister <joneum@FreeBSD.org> | 2019-08-17 11:07:33 +0000 |
---|---|---|
committer | Jochen Neumeister <joneum@FreeBSD.org> | 2019-08-17 11:07:33 +0000 |
commit | f44b7dd6fb3d13e61f15591350f1dfba89cfb5ae (patch) | |
tree | 1803a37b55355da35e5f85efbe2258551295ccf0 /security/vuxml | |
parent | 67540693d8f53503c97df37d00a19baee2621215 (diff) | |
download | ports-f44b7dd6fb3d13e61f15591350f1dfba89cfb5ae.tar.gz ports-f44b7dd6fb3d13e61f15591350f1dfba89cfb5ae.zip |
Diffstat (limited to 'security/vuxml')
-rw-r--r-- | security/vuxml/vuln.xml | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index d82ec98ebf52..25a0f393b171 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -58,6 +58,58 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="caf545f2-c0d9-11e9-9051-4c72b94353b5"> + <topic>Apache -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>apache24</name> + <range><lt>2.4.41</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>SO-AND-SO reports:</p> + <blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.4"> + <h1>SECURITY: CVE-2019-10081</h1> + <p>mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", + could lead to an overwrite of memory in the pushing request's pool, + leading to crashes. The memory copied is that of the configured push + link header values, not data supplied by the client.</p> + <h1>SECURITY: CVE-2019-9517</h1> + <p>mod_http2: a malicious client could perform a DoS attack by flooding + a connection with requests and basically never reading responses + on the TCP connection. 
Depending on h2 worker dimensioning, it was + possible to block those with relatively few connections.</p> + <h1>SECURITY: CVE-2019-10098</h1> + <p>rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable + matches and substitutions with encoded line break characters.</p> + <h1>SECURITY: CVE-2019-10092</h1> + <p>Remove HTML-escaped URLs from canned error responses to prevent misleading + text/links being displayed via crafted links.</p> + <h1>SECURITY: CVE-2019-10097</h1> + <p>mod_remoteip: Fix stack buffer overflow and NULL pointer deference + when reading the PROXY protocol header.</p> + <h1>CVE-2019-10082</h1> + <p>mod_http2: Using fuzzed network input, the http/2 session + handling could be made to read memory after being freed, + during connection shutdown.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.apache.org/dist/httpd/CHANGES_2.4</url> + <cvename>CVE-2019-10081</cvename> + <cvename>CVE-2019-9517</cvename> + <cvename>CVE-2019-10098</cvename> + <cvename>CVE-2019-10092</cvename> + <cvename>CVE-2019-10082</cvename> + </references> + <dates> + <discovery>2019-08-14</discovery> + <entry>2019-08-17</entry> + </dates> + </vuln> + <vuln vid="121fec01-c042-11e9-a73f-b36f5969f162"> <topic>nghttp2 -- multiple vulnerabilities</topic> <affects> |
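Review bot: The `<references>` block omits CVE-2019-10097 even though the description covers it (the mod_remoteip stack buffer overflow and NULL pointer dereference in PROXY protocol header parsing). Add `<cvename>CVE-2019-10097</cvename>` alongside the other five so that anything matching this entry by CVE name finds it. In the description body, `<p>SO-AND-SO reports:</p>` is the template placeholder left unfilled; name the reporting party, which per the blockquote's cite attribute is the source of the Apache httpd CHANGES_2.4 file. The last heading, `<h1>CVE-2019-10082</h1>`, is missing the "SECURITY:" prefix that the other five headings carry, so it should be made consistent with them.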