
svn commit: r1880700 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Author: druggeri
Date: Sat Aug 8 12:17:17 2020
New Revision: 1880700

URL: http://svn.apache.org/viewvc?rev=1880700&view=rev
Log:
Make fixed version less ambiguous and move retroactive CVE down to the 2.4.25 area

Modified:
httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1880700&r1=1880699&r2=1880700&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Sat Aug 8 12:17:17 2020
@@ -6,7 +6,7 @@
<title>mod_proxy_uwsgi buffer overflow </title>
<description>
<p>
- Apache HTTP Server versions 2.4.32 to 2.4.44 <br />
+ Apache HTTP Server versions 2.4.32 to 2.4.43<br />
mod_proxy_uwsgi info disclosure and possible RCE
</p>
</description>
@@ -57,40 +57,6 @@
<affects prod="httpd" version="2.4.23"/>
<affects prod="httpd" version="2.4.20"/>
</issue>
-<issue reported="20161013" public="20200807">
- <cve name="CVE-2020-11985"/>
-
- <severity level="4">low</severity>
- <title>IP address spoofing when proxying using mod_remoteip and mod_rewrite</title>
- <description>
- <p>
- For configurations using proxying with mod_remoteip and certain
- mod_rewrite rules, an attacker could spoof their IP address for
- logging and PHP scripts.
- </p><p>
- Note this issue was fixed in Apache HTTP Server 2.4.24 but was
- retrospectively allocated a low severity CVE in 2020.
- </p>
- </description>
- <acknowledgements>
-
- </acknowledgements>
- <fixed base="2.4" version="2.4.25" date="20200807"/>
- <affects prod="httpd" version="2.4.23"/>
- <affects prod="httpd" version="2.4.20"/>
- <affects prod="httpd" version="2.4.18"/>
- <affects prod="httpd" version="2.4.17"/>
- <affects prod="httpd" version="2.4.16"/>
- <affects prod="httpd" version="2.4.12"/>
- <affects prod="httpd" version="2.4.10"/>
- <affects prod="httpd" version="2.4.9"/>
- <affects prod="httpd" version="2.4.7"/>
- <affects prod="httpd" version="2.4.6"/>
- <affects prod="httpd" version="2.4.4"/>
- <affects prod="httpd" version="2.4.3"/>
- <affects prod="httpd" version="2.4.2"/>
- <affects prod="httpd" version="2.4.1"/>
-</issue>
<issue reported="20200424" public="20200807">
<cve name="CVE-2020-9490"/>

@@ -1419,6 +1385,41 @@ We would like to thank ChenQin and Hanno
<affects prod="httpd" version="2.2.0"/>
</issue>

+<issue reported="20161013" public="20200807">
+ <cve name="CVE-2020-11985"/>
+
+ <severity level="4">low</severity>
+ <title>IP address spoofing when proxying using mod_remoteip and mod_rewrite</title>
+ <description>
+ <p>
+ For configurations using proxying with mod_remoteip and certain
+ mod_rewrite rules, an attacker could spoof their IP address for
+ logging and PHP scripts.
+ </p><p>
+ Note this issue was fixed in Apache HTTP Server 2.4.24 but was
+ retrospectively allocated a low severity CVE in 2020.
+ </p>
+ </description>
+ <acknowledgements>
+
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.25" date="20200807"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+ <affects prod="httpd" version="2.4.18"/>
+ <affects prod="httpd" version="2.4.17"/>
+ <affects prod="httpd" version="2.4.16"/>
+ <affects prod="httpd" version="2.4.12"/>
+ <affects prod="httpd" version="2.4.10"/>
+ <affects prod="httpd" version="2.4.9"/>
+ <affects prod="httpd" version="2.4.7"/>
+ <affects prod="httpd" version="2.4.6"/>
+ <affects prod="httpd" version="2.4.4"/>
+ <affects prod="httpd" version="2.4.3"/>
+ <affects prod="httpd" version="2.4.2"/>
+ <affects prod="httpd" version="2.4.1"/>
+</issue>
+
<issue reported="20160210" public="20161220">
<fixed base="2.4" version="2.4.25" date="20161220"/>
<fixed base="2.2" version="2.2.32" date="20170113"/>
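Review bot: The relocated CVE-2020-11985 entry keeps `<fixed base="2.4" version="2.4.25" date="20200807"/>`, which dates the fix to the CVE's publication day, while the entry directly below it gives `date="20161220"` for the same 2.4.25 release. Anyone deriving patch timelines or exposure windows from the `date` attribute would read this as a flaw fixed in 2020 rather than 2016. If the attribute is meant to carry the release date, the line should read `<fixed base="2.4" version="2.4.25" date="20161220"/>`. The description also says the issue was fixed in 2.4.24 while the element names 2.4.25, presumably because 2.4.25 was the first released build containing the fix; a short clause in that paragraph saying so would keep the prose and the structured data from appearing to disagree. The empty `<acknowledgements>` element could carry a comment stating that no reporter is credited, so it does not look like an omission.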