pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
26379462a9
vuln-list-alt/oval/c9f2/ALT-PU-2017-1655/definitions.json
pepelyaevip 9d72b75f75 ALT Vulnerability
2024-12-12 21:07:30 +00:00

343 lines
16 KiB
JSON
Raw Blame History

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20171655",
"Version": "oval:org.altlinux.errata:def:20171655",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2017-1655: package `apache2` update to version 2.4.25-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c9f2"
],
"Products": [
"ALT SPWorkstation",
"ALT SPServer"
]
}
],
"References": [
{
"RefID": "ALT-PU-2017-1655",
"RefURL": "https://errata.altlinux.org/ALT-PU-2017-1655",
"Source": "ALTPU"
},
{
"RefID": "BDU:2017-01804",
"RefURL": "https://bdu.fstec.ru/vul/2017-01804",
"Source": "BDU"
},
{
"RefID": "BDU:2017-01805",
"RefURL": "https://bdu.fstec.ru/vul/2017-01805",
"Source": "BDU"
},
{
"RefID": "BDU:2017-01806",
"RefURL": "https://bdu.fstec.ru/vul/2017-01806",
"Source": "BDU"
},
{
"RefID": "BDU:2021-00720",
"RefURL": "https://bdu.fstec.ru/vul/2021-00720",
"Source": "BDU"
},
{
"RefID": "CVE-2016-0736",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-0736",
"Source": "CVE"
},
{
"RefID": "CVE-2016-2161",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-2161",
"Source": "CVE"
},
{
"RefID": "CVE-2016-4975",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-4975",
"Source": "CVE"
},
{
"RefID": "CVE-2016-5387",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-5387",
"Source": "CVE"
},
{
"RefID": "CVE-2016-8740",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-8740",
"Source": "CVE"
},
{
"RefID": "CVE-2016-8743",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-8743",
"Source": "CVE"
},
{
"RefID": "CVE-2020-11985",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-11985",
"Source": "CVE"
}
],
"Description": "This update upgrades apache2 to version 2.4.25-alt1. \nSecurity Fix(es):\n\n * BDU:2017-01804: Уязвимость веб-сервера Apache HTTP Server, позволяющая нарушителю провести сетевые атаки\n\n * BDU:2017-01805: Уязвимость модуля mod_auth_digest веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать аварийное завершение работы сервера\n\n * BDU:2017-01806: Уязвимость модуля mod_session_crypto веб-сервера Apache HTTP Server, позволяющая нарушителю осуществить атаки типа Padding Oracle\n\n * BDU:2021-00720: Уязвимость реализации модулей mod_remoteip и mod_rewrite веб-сервера Apache HTTP Server, позволяющая нарушителю осуществить подмену ip-адреса\n\n * CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.\n\n * CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.\n\n * CVE-2016-4975: Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the \"Location\" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).\n\n * CVE-2016-5387: The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. NOTE: the vendor states \"This mitigation has been assigned the identifier CVE-2016-5387\"; in other words, this is not a CVE ID for a vulnerability.\n\n * CVE-2016-8740: The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.\n\n * CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.\n\n * CVE-2020-11985: IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.\n\n * #33491: Маленький таймаут для старта сервиса",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2017-05-25"
},
"Updated": {
"Date": "2017-05-25"
},
"BDUs": [
{
"ID": "BDU:2017-01804",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"CWE": "CWE-19",
"Href": "https://bdu.fstec.ru/vul/2017-01804",
"Impact": "Low",
"Public": "20170728"
},
{
"ID": "BDU:2017-01805",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CWE": "CWE-20",
"Href": "https://bdu.fstec.ru/vul/2017-01805",
"Impact": "Low",
"Public": "20170728"
},
{
"ID": "BDU:2017-01806",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CWE": "CWE-310",
"Href": "https://bdu.fstec.ru/vul/2017-01806",
"Impact": "Low",
"Public": "20170728"
},
{
"ID": "BDU:2021-00720",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"CWE": "CWE-345",
"Href": "https://bdu.fstec.ru/vul/2021-00720",
"Impact": "Low",
"Public": "20161013"
}
],
"CVEs": [
{
"ID": "CVE-2016-0736",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-310",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-0736",
"Impact": "High",
"Public": "20170727"
},
{
"ID": "CVE-2016-2161",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-20",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-2161",
"Impact": "High",
"Public": "20170727"
},
{
"ID": "CVE-2016-4975",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-93",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-4975",
"Impact": "Low",
"Public": "20180814"
},
{
"ID": "CVE-2016-5387",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-5387",
"Impact": "High",
"Public": "20160719"
},
{
"ID": "CVE-2016-8740",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-20",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-8740",
"Impact": "High",
"Public": "20161205"
},
{
"ID": "CVE-2016-8743",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-8743",
"Impact": "High",
"Public": "20170727"
},
{
"ID": "CVE-2020-11985",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"CWE": "CWE-345",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-11985",
"Impact": "Low",
"Public": "20200807"
}
],
"Bugzilla": [
{
"ID": "33491",
"Href": "https://bugzilla.altlinux.org/33491",
"Data": "Маленький таймаут для старта сервиса"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:spworkstation:8.4",
"cpe:/o:alt:spserver:8.4"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:4001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20171655001",
"Comment": "apache2 is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655002",
"Comment": "apache2-ab is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655003",
"Comment": "apache2-base is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655004",
"Comment": "apache2-cgi-bin is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655005",
"Comment": "apache2-cgi-bin-printenv is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655006",
"Comment": "apache2-cgi-bin-test-cgi is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655007",
"Comment": "apache2-compat is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655008",
"Comment": "apache2-configs-A1PROXIED is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655009",
"Comment": "apache2-datadirs is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655010",
"Comment": "apache2-devel is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655011",
"Comment": "apache2-docs is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655012",
"Comment": "apache2-full is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655013",
"Comment": "apache2-htcacheclean is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655014",
"Comment": "apache2-htcacheclean-control is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655015",
"Comment": "apache2-html is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655016",
"Comment": "apache2-htpasswd is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655017",
"Comment": "apache2-httpd-event is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655018",
"Comment": "apache2-httpd-prefork is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655019",
"Comment": "apache2-httpd-worker is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655020",
"Comment": "apache2-icons is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655021",
"Comment": "apache2-manual is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655022",
"Comment": "apache2-manual-addons is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655023",
"Comment": "apache2-mod_cache_disk is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655024",
"Comment": "apache2-mod_ldap is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655025",
"Comment": "apache2-mod_ssl is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655026",
"Comment": "apache2-mod_ssl-compat is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655027",
"Comment": "apache2-mods is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655028",
"Comment": "apache2-suexec is earlier than 1:2.4.25-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20171655029",
"Comment": "rpm-build-apache2 is earlier than 1:2.4.25-alt1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink