News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Topic: Apache HTTP Svr Vuln - update available
« on: October 16, 2006, 06:07:50 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8210



FYI...

- http://secunia.com/advisories/22458/
Release Date: 2006-10-16
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: mod_tcl 1.x
...Successful exploitation allows execution of arbitrary code, but requires knowledge of the location of a tcl server script configured to use the vulnerable module for processing.
Solution: update to version 1.0.1.
http://tcl.apache.org/mod_tcl/ ...
Original Advisory: iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=421 ..."


This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
« Reply #1 on: September 01, 2011, 04:10:07 »
AplusWebMaster Offline

FYI...

- http://atlas.arbor.net/briefs/
"... The Apache Software Foundation has released a patch for the Apache Killer DoS exploit code: http://www.apache.org/dist/httpd/Announcement2.2.html . Cisco and other vendors are also offering updates for this active and damaging attack..."
___

Apache HTTP Server v2.2.20 released...
- http://h-online.com/-1333766
31 August 2011 - "... Apache HTTP Server 1.3.x and 2.x.x to 2.2.19 are affected; updating to 2.2.20 fixes the flaw. As active use of the Apache Killer tool has been observed, the developers encourage all users to upgrade to the latest version..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3192
Last revised: 08/31/2011
CVSS v2 Base Score: 7.8 (HIGH)

> https://www.apache.org/dist/httpd/Announcement2.2.html
"... Apache HTTP Server 2.2.20 is available for download from:
http://httpd.apache.org/download.cgi "

- https://httpd.apache.org/security/vulnerabilities_22.html

- https://archive.apache.org/dist/httpd/CHANGES_2.2.20
___

- http://securitytracker.com/id?1025960
Updated: Sep 2 2011

- https://isc.sans.edu/diary.html?date=2011-08-30
Last Updated: 2011-08-30

- http://news.netcraft.com/archives/2011/08/05/august-2011-web-server-survey-3.html
August 2011 - 65.18% Apache

« Last Edit: September 05, 2011, 09:50:57 by AplusWebMaster »

« Reply #2 on: September 14, 2011, 07:37:47 »
AplusWebMaster Offline

FYI...

Apache v2.2.21 released
- http://h-online.com/-1343066
14 September 2011 - "The Apache Foundation has announced* that the newly released version 2.2.21 of its free web server is essentially a bug fix and security release... The new version corrects and complements the first fix, which was released only two weeks ago... Users are advised to update their Apache installations as soon as possible. However, those who use Apache 2.0 will still need to wait: corrections for this version are scheduled to be incorporated in the release of version 2.0.65 in the near future. Those who use version 1.3 are not affected by the byte range bug..."

* http://www.apache.org/dist/httpd/Announcement2.2.html

Download
- http://httpd.apache.org/download.cgi

- https://httpd.apache.org/security/vulnerabilities_22.html
___

- https://secunia.com/advisories/46013/
Release Date: 2011-09-14
Criticality level: Moderately critical
Impact: DoS
Where: From remote
... vulnerability is reported in versions 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, and 2.2.20.
Solution: Update to version 2.2.21.
Original Advisory: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21

« Reply #3 on: September 18, 2011, 11:04:16 »
AplusWebMaster Offline

FYI...

Oracle security alert for CVE-2011-3192
- https://isc.sans.edu/diary.html?storyid=11602
Last Updated: 2011-09-18 00:22:30 UTC - "... from the description:
    'This security alert addresses the security issue CVE-2011-3192*, a denial of service vulnerability in Apache HTTPD, which is applicable to Oracle HTTP Server products** based on Apache 2.0 or 2.2. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of un-patched systems'..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3192
Last revised: 09/23/2011
CVSS v2 Base Score: 7.8 (HIGH)

** http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html
Oracle HTTP Server products
2011-September-15

- https://www.us-cert.gov/current/#oracle_releases_security_alert_for2
September 19, 2011

« Last Edit: September 23, 2011, 06:57:59 by AplusWebMaster »

« Reply #4 on: October 07, 2011, 06:06:56 »
AplusWebMaster Offline

FYI...

Apache patch - Reverse-Proxy Bypass Attack
- http://www.darkreading.com/taxonomy/index/printarticle/id/231900214
Oct 06, 2011

Apache HTTP Server Security Advisory
- http://seclists.org/fulldisclosure/2011/Oct/232
Title: mod_proxy reverse proxy exposure
Product: Apache HTTP Server
Versions: httpd 1.3 all versions, httpd 2.x all versions

> http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3368
Last revised: 10/06/2011 - "... mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21..."

Excellent write-up here:
- http://www.contextis.com/research/blog/reverseproxybypass/

« Last Edit: October 07, 2011, 13:49:04 by AplusWebMaster »

« Reply #5 on: November 28, 2011, 05:36:24 »
AplusWebMaster Offline

FYI...

Apache mod_proxy/mod_rewrite vuln
- http://www.securitytracker.com/id/1026353
Date: Nov 24 2011
Impact: Host/resource access via network
CVE Reference: CVE-2011-4317 ...
Impact: A remote user can access internal servers.
Solution: The vendor has issued a fix.
The vendor's advisory is available at:
http://thread.gmane.org/gmane.comp.apache.devel/46440
Vendor URL: https://httpd.apache.org/ ...

- http://h-online.com/-1385107
25 November 2011

« Last Edit: November 28, 2011, 07:27:30 by AplusWebMaster »

« Reply #6 on: February 06, 2012, 09:36:05 »
AplusWebMaster Offline

FYI...

Apache v2.2.22 released
- http://www.securitytracker.com/id/1026616
Date: Feb 1 2012
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information
Version(s): prior to 2.2.22
... The vendor has issued a fix (2.2.22).
- http://httpd.apache.org/security/vulnerabilities_22.html
CVE Reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3368
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3607
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4317
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0021
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0031
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0053

« Reply #7 on: March 26, 2012, 02:48:00 »
AplusWebMaster Offline

FYI...

Apache Traffic Svr vuln - v3.0.4/3.1.3 released
- http://www.securitytracker.com/id/1026847
Date: Mar 23 2012
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0256
Impact: Denial of service via network
Version(s): prior to 3.0.4 and 3.1.3
Solution: The vendor has issued a fix (3.0.4, 3.1.3).
Vendor URL: http://trafficserver.apache.org/

- https://secunia.com/advisories/48509/
Release Date: 2012-03-26
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution: Update to version 3.0.4 or 3.1.3.
Original Advisory: Apache:
http://mail-archives.apache.org/mod_mbox/www-announce/201203.mbox/%3C4F6B6649.9000507@apache.org%3E
___

Apache Wicket vuln - v1.4.20/1.5.5 released
- http://www.securitytracker.com/id/1026846
Updated: Mar 23 2012
Impact: Disclosure of user information
Version(s): 1.4.x, 1.5.x
Solution: The vendor has issued a fix (1.4.20, 1.5.5).
Vendor URL: http://wicket.apache.org/
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1089 - 5.0

« Last Edit: March 26, 2012, 12:31:30 by AplusWebMaster »