FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  365592
Date:      2014-08-21
Time:      19:46:21Z
Committer: zi

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
d8c901ff-0f0f-11e1-902b-20cf30e32f6dApache 1.3 -- mod_proxy reverse proxy exposure

Apache HTTP server project reports:

An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker. There is no patch against this issue!


Discovery 2011-10-05
Entry 2011-11-14
apache
lt 1.3.43

apache+ssl
lt 1.3.43.1.59_2

apache+ipv6
lt 1.3.43

apache+mod_perl
lt 1.3.43

apache+mod_ssl
lt 1.3.41+2.8.31_4

apache+mod_ssl+ipv6
lt 1.3.41+2.8.31_4

ru-apache-1.3
lt 1.3.43+30.23_1

ru-apache+mod_ssl
lt 1.3.43+30.23_1

CVE-2011-3368
http://httpd.apache.org/security/vulnerabilities_13.html
http://seclists.org/fulldisclosure/2011/Oct/232
cae01d7b-110d-11df-955a-00219b0fc4d8apache -- Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long)

Apache ChangeLog reports:

Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.


Discovery 2009-06-30
Entry 2010-02-03
Modified 2010-02-03
apache
lt 1.3.42

apache+mod_perl
lt 1.3.42

apache+ipv6
lt 1.3.42

apache_fp
ge 0

ru-apache
lt 1.3.42+30.23

ru-apache+mod_ssl
lt 1.3.42

apache+ssl
lt 1.3.42.1.57_2

apache+mod_ssl
apache+mod_ssl+ipv6
apache+mod_ssl+mod_accel
apache+mod_ssl+mod_accel+ipv6
apache+mod_ssl+mod_accel+mod_deflate
apache+mod_ssl+mod_accel+mod_deflate+ipv6
apache+mod_ssl+mod_deflate
apache+mod_ssl+mod_deflate+ipv6
apache+mod_ssl+mod_snmp
apache+mod_ssl+mod_snmp+mod_accel
apache+mod_ssl+mod_snmp+mod_accel+ipv6
apache+mod_ssl+mod_snmp+mod_deflate
apache+mod_ssl+mod_snmp+mod_deflate+ipv6
apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6
lt 1.3.41+2.8.27_2

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0010
http://www.security-database.com/detail.php?alert=CVE-2010-0010
http://security-tracker.debian.org/tracker/CVE-2010-0010
http://www.vupen.com/english/Reference-CVE-2010-0010.php
dc8c08c7-1e7c-11db-88cf-000c6ec775d9apache -- mod_rewrite buffer overflow vulnerability

The Apache Software Foundation and The Apache HTTP Server Project reports:

An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.

This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

  • The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
  • The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.


Discovery 2006-07-27
Entry 2006-07-28
Modified 2006-11-01
apache
ge 1.3.28 lt 1.3.36_1

ge 2.0.46 lt 2.0.58_2

ge 2.2.0 lt 2.2.2_1

apache+mod_perl
ge 1.3.28 lt 1.3.36_1

apache+ipv6
ge 1.3.28 lt 1.3.37

apache_fp
ge 0

ru-apache
ge 1.3.28 lt 1.3.37+30.23

ru-apache+mod_ssl
ge 1.3.28 lt 1.3.34.1.57_2

apache+ssl
ge 1.3.28 lt 1.3.34.1.57_2

apache+mod_ssl
apache+mod_ssl+ipv6
apache+mod_ssl+mod_accel
apache+mod_ssl+mod_accel+ipv6
apache+mod_ssl+mod_accel+mod_deflate
apache+mod_ssl+mod_accel+mod_deflate+ipv6
apache+mod_ssl+mod_deflate
apache+mod_ssl+mod_deflate+ipv6
apache+mod_ssl+mod_snmp
apache+mod_ssl+mod_snmp+mod_accel
apache+mod_ssl+mod_snmp+mod_accel+ipv6
apache+mod_ssl+mod_snmp+mod_deflate
apache+mod_ssl+mod_snmp+mod_deflate+ipv6
apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6
ge 1.3.28 lt 1.3.36+2.8.27_1

395412
CVE-2006-3747
http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=115409818602955
d8c901ff-0f0f-11e1-902b-20cf30e32f6dApache 1.3 -- mod_proxy reverse proxy exposure

Apache HTTP server project reports:

An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker. There is no patch against this issue!


Discovery 2011-10-05
Entry 2011-11-14
apache
lt 1.3.43

apache+ssl
lt 1.3.43.1.59_2

apache+ipv6
lt 1.3.43

apache+mod_perl
lt 1.3.43

apache+mod_ssl
lt 1.3.41+2.8.31_4

apache+mod_ssl+ipv6
lt 1.3.41+2.8.31_4

ru-apache-1.3
lt 1.3.43+30.23_1

ru-apache+mod_ssl
lt 1.3.43+30.23_1

CVE-2011-3368
http://httpd.apache.org/security/vulnerabilities_13.html
http://seclists.org/fulldisclosure/2011/Oct/232
cae01d7b-110d-11df-955a-00219b0fc4d8apache -- Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long)

Apache ChangeLog reports:

Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.


Discovery 2009-06-30
Entry 2010-02-03
Modified 2010-02-03
apache
lt 1.3.42

apache+mod_perl
lt 1.3.42

apache+ipv6
lt 1.3.42

apache_fp
ge 0

ru-apache
lt 1.3.42+30.23

ru-apache+mod_ssl
lt 1.3.42

apache+ssl
lt 1.3.42.1.57_2

apache+mod_ssl
apache+mod_ssl+ipv6
apache+mod_ssl+mod_accel
apache+mod_ssl+mod_accel+ipv6
apache+mod_ssl+mod_accel+mod_deflate
apache+mod_ssl+mod_accel+mod_deflate+ipv6
apache+mod_ssl+mod_deflate
apache+mod_ssl+mod_deflate+ipv6
apache+mod_ssl+mod_snmp
apache+mod_ssl+mod_snmp+mod_accel
apache+mod_ssl+mod_snmp+mod_accel+ipv6
apache+mod_ssl+mod_snmp+mod_deflate
apache+mod_ssl+mod_snmp+mod_deflate+ipv6
apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6
lt 1.3.41+2.8.27_2

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0010
http://www.security-database.com/detail.php?alert=CVE-2010-0010
http://security-tracker.debian.org/tracker/CVE-2010-0010
http://www.vupen.com/english/Reference-CVE-2010-0010.php
dc8c08c7-1e7c-11db-88cf-000c6ec775d9apache -- mod_rewrite buffer overflow vulnerability

The Apache Software Foundation and The Apache HTTP Server Project reports:

An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.

This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

  • The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
  • The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.


Discovery 2006-07-27
Entry 2006-07-28
Modified 2006-11-01
apache
ge 1.3.28 lt 1.3.36_1

ge 2.0.46 lt 2.0.58_2

ge 2.2.0 lt 2.2.2_1

apache+mod_perl
ge 1.3.28 lt 1.3.36_1

apache+ipv6
ge 1.3.28 lt 1.3.37

apache_fp
ge 0

ru-apache
ge 1.3.28 lt 1.3.37+30.23

ru-apache+mod_ssl
ge 1.3.28 lt 1.3.34.1.57_2

apache+ssl
ge 1.3.28 lt 1.3.34.1.57_2

apache+mod_ssl
apache+mod_ssl+ipv6
apache+mod_ssl+mod_accel
apache+mod_ssl+mod_accel+ipv6
apache+mod_ssl+mod_accel+mod_deflate
apache+mod_ssl+mod_accel+mod_deflate+ipv6
apache+mod_ssl+mod_deflate
apache+mod_ssl+mod_deflate+ipv6
apache+mod_ssl+mod_snmp
apache+mod_ssl+mod_snmp+mod_accel
apache+mod_ssl+mod_snmp+mod_accel+ipv6
apache+mod_ssl+mod_snmp+mod_deflate
apache+mod_ssl+mod_snmp+mod_deflate+ipv6
apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6
ge 1.3.28 lt 1.3.36+2.8.27_1

395412
CVE-2006-3747
http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=115409818602955