Tech Talk

[Highly critical]

FYI...

- http://secunia.com/advisories/22458/
Release Date: 2006-10-16
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: mod_tcl 1.x
...Successful exploitation allows execution of arbitrary code, but requires knowledge of the location of a tcl server script configured to use the vulnerable module for processing.
Solution: update to version 1.0.1.
http://tcl.apache.org/mod_tcl/ ...
Original Advisory: iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=421 ..."

 

[Apache HTTP Server v2.2.20 released]

FYI...

- http://atlas.arbor.net/briefs/
"... The Apache Software Foundation has released a patch for the Apache Killer DoS exploit code: http://www.apache.org/dist/httpd/Announcement2.2.html . Cisco and other vendors are also offering updates for this active and damaging attack..."
___

Apache HTTP Server v2.2.20 released...
- http://h-online.com/-1333766
31 August 2011 - "... Apache HTTP Server 1.3.x and 2.x.x to 2.2.19 are affected; updating to 2.2.20 fixes the flaw. As active use of the Apache Killer tool has been observed, the developers encourage all users to upgrade to the latest version..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3192
Last revised: 08/31/2011
CVSS v2 Base Score: 7.8 (HIGH)

> https://www.apache.org/dist/httpd/Announcement2.2.html
"... Apache HTTP Server 2.2.20 is available for download from:
http://httpd.apache.org/download.cgi

- https://httpd.apache.org/security/vulnerabilities_22.html

- https://archive.apache.org/dist/httpd/CHANGES_2.2.20
___

- http://securitytracker.com/id?1025960
Updated: Sep 2 2011

- https://isc.sans.edu/diary.html?date=2011-08-30
Last Updated: 2011-08-30

- http://news.netcraft.com/archives/2011/08/05/august-2011-web-server-survey-3.html
August 2011 - 65.18% Apache

 

[Apache v2.2.21 released]

FYI...

Apache v2.2.21 released
- http://h-online.com/-1343066
14 September 2011 - "The Apache Foundation has announced* that the newly released version 2.2.21 of its free web server is essentially a bug fix and security release... The new version corrects and complements the first fix, which was released only two weeks ago... Users are advised to update their Apache installations as soon as possible. However, those who use Apache 2.0 will still need to wait: corrections for this version are scheduled to be incorporated in the release of version 2.0.65 in the near future. Those who use version 1.3 are not affected by the byte range bug..."

* http://www.apache.org/dist/httpd/Announcement2.2.html

Download
- http://httpd.apache.org/download.cgi

- https://httpd.apache.org/security/vulnerabilities_22.html
___

- https://secunia.com/advisories/46013/
Release Date: 2011-09-14
Criticality level: Moderately critical
Impact: DoS
Where: From remote
... vulnerability is reported in versions 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, and 2.2.20.
Solution: Update to version 2.2.21.
Original Advisory: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21

 

[Oracle security alert for CVE-2011-3192]

FYI...

Oracle security alert for CVE-2011-3192
- https://isc.sans.edu/diary.html?storyid=11602
Last Updated: 2011-09-18 00:22:30 UTC - "... from the description:
    'This security alert addresses the security issue CVE-2011-3192*, a denial of service vulnerability in Apache HTTPD, which is applicable to Oracle HTTP Server products** based on Apache 2.0 or 2.2. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of un-patched systems'..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3192
Last revised: 09/23/2011
CVSS v2 Base Score: 7.8 (HIGH)

** http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html
Oracle HTTP Server products
2011-September-15

- https://www.us-cert.gov/current/#oracle_releases_security_alert_for2
September 19, 2011

 

[Apache patch - Reverse-Proxy Bypass Attack]

FYI...

Apache patch - Reverse-Proxy Bypass Attack
- http://www.darkreading.com/taxonomy/index/printarticle/id/231900214
Oct 06, 2011

Apache HTTP Server Security Advisory
- http://seclists.org/fulldisclosure/2011/Oct/232
Title: mod_proxy reverse proxy exposure
Product: Apache HTTP Server
Versions: httpd 1.3 all versions, httpd 2.x all versions

> http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3368
Last revised: 10/06/2011 - "... mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21..."

Excellent write-up here:
- http://www.contextis.com/research/blog/reverseproxybypass/

 

[Apache mod_proxy/mod_rewrite vuln]

FYI...

Apache mod_proxy/mod_rewrite vuln
- http://www.securitytracker.com/id/1026353
Date: Nov 24 2011
Impact: Host/resource access via network
CVE Reference: CVE-2011-4317 ...
Impact: A remote user can access internal servers.
Solution: The vendor has issued a fix.
The vendor's advisory is available at:
http://thread.gmane.org/gmane.comp.apache.devel/46440
Vendor URL: https://httpd.apache.org/ ...

- http://h-online.com/-1385107
25 November 2011

 

[Apache v2.2.22 released]

FYI...

Apache v2.2.22 released
- http://www.securitytracker.com/id/1026616
Date: Feb 1 2012
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information
Version(s): prior to 2.2.22
... The vendor has issued a fix (2.2.22).
- http://httpd.apache.org/security/vulnerabilities_22.html
CVE Reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3368
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3607
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4317
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0021
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0031
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0053

 

[Apache Traffic Svr vuln - v3.0.4/3.1.3 released]

FYI...

Apache Traffic Svr vuln - v3.0.4/3.1.3 released
- http://www.securitytracker.com/id/1026847
Date: Mar 23 2012
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0256
Impact: Denial of service via network
Version(s): prior to 3.0.4 and 3.1.3
Solution: The vendor has issued a fix (3.0.4, 3.1.3).
Vendor URL: http://trafficserver.apache.org/

- https://secunia.com/advisories/48509/
Release Date: 2012-03-26
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution: Update to version 3.0.4 or 3.1.3.
Original Advisory: Apache:
http://mail-archives.apache.org/mod_mbox/www-announce/201203.mbox/%3C4F6B6649.9000507@apache.org%3E
___

Apache Wicket vuln - v1.4.20/1.5.5 released
- http://www.securitytracker.com/id/1026846
Updated: Mar 23 2012
Impact: Disclosure of user information
Version(s): 1.4.x, 1.5.x
Solution: The vendor has issued a fix (1.4.20, 1.5.5).
Vendor URL: http://wicket.apache.org/
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1089 - 5.0