Multiple Vulnerabilities in the Apache 2 HTTP Server Prior to 2.2.16

Component: Apache 2

| CVE | Description | CVSSv2 Base Score |
| --- | --- | --- |
| CVE-2009-1195 | In configurations using the "AllowOverride" directive with certain "Options=" arguments, local users may be able to bypass the configured restrictions and execute commands from a Server-Side-Include script which they should not be able to. | 4.9 |
| CVE-2009-1891 | The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote users to cause a Denial of Service (DoS - CPU consumption). | 4.3 |
| CVE-2009-3094 | A NULL pointer dereference vulnerability in the mod_proxy_ftp module could allow a remote user who controls an FTP server to crash an httpd child process, resulting in a limited denial of service. | 5.4 |
| CVE-2009-3095 | A vulnerability in the mod_proxy_ftp module when configured as a reverse proxy could allow a remote user to bypass intended access restrictions, allowing the user to send arbitrary commands to the FTP server. | 7.5 |
| CVE-2009-3555 | The Apache 2 mod_ssl module in httpd 2.2.14 and earlier is susceptible to the SSL and TLS protocol Man-in-the-Middle vulnerability during a renegotiation. This vulnerability allowed an attacker to "prefix" a chosen plaintext to the HTTP request as seen by the web server. A protocol extension was developed which fixes this vulnerability if supported by both client and server. | 5.8 |
| CVE-2010-0408 | The ap_proxy_ajp_request function in the mod_proxy_ajp module in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain requests, which can allow a remote user to cause a Denial of Service (DoS - backend server outage). | 5.0 |
| CVE-2010-0425 | Windows only. | 10.0 |
| CVE-2010-0434 | All Apache 2 modules on threaded servers which handle subrequests, such as mod_headers, may allow remote users to obtain sensitive information or cause a crash of the affected module. | 4.3 |
| CVE-2010-1452 | The mod_cache and mod_dav modules can mishandle carefully crafted requests, which can allow a remote user to cause an httpd child process to crash, a type of Denial of Service (DoS). | 5.0 |

Product and Resolution:
- OpenSolaris: snv_111b plus bug fixes 6972023 6937352 6864797 6935576 6936032 6882208 6857346 6841115 6838652 6844352
- Solaris 10 SPARC: 120543-22; X86: 120544-22

This notification describes vulnerabilities fixed in third-party components that are included in Sun's product distribution.
Information about vulnerabilities affecting Oracle Sun products can be found on the Oracle Critical Patch Updates and Security Alerts page.
