Date: Sat, 17 Aug 2019 11:07:33 +0000 (UTC)
From: Jochen Neumeister <joneum@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r509146 - head/security/vuxml
Message-ID: <201908171107.x7HB7XND036713@repo.freebsd.org>
Author: joneum Date: Sat Aug 17 11:07:33 2019 New Revision: 509146 URL: https://svnweb.freebsd.org/changeset/ports/509146 Log: Add www/apache24 Sponsored by: Netzkommune GmbH Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Aug 17 09:02:37 2019 (r509145) +++ head/security/vuxml/vuln.xml Sat Aug 17 11:07:33 2019 (r509146) 
@@ -58,6 +58,58 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="caf545f2-c0d9-11e9-9051-4c72b94353b5"> + <topic>Apache -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>apache24</name> + <range><lt>2.4.41</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>SO-AND-SO reports:</p> + <blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.4"> + <h1>SECURITY: CVE-2019-10081</h1> + <p>mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", + could lead to an overwrite of memory in the pushing request's pool, + leading to crashes. The memory copied is that of the configured push + link header values, not data supplied by the client.</p> + <h1>SECURITY: CVE-2019-9517</h1> + <p>mod_http2: a malicious client could perform a DoS attack by flooding + a connection with requests and basically never reading responses + on the TCP connection. 
Depending on h2 worker dimensioning, it was + possible to block those with relatively few connections.</p> + <h1>SECURITY: CVE-2019-10098</h1> + <p>rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable + matches and substitutions with encoded line break characters.</p> + <h1>SECURITY: CVE-2019-10092</h1> + <p>Remove HTML-escaped URLs from canned error responses to prevent misleading + text/links being displayed via crafted links.</p> + <h1>SECURITY: CVE-2019-10097</h1> + <p>mod_remoteip: Fix stack buffer overflow and NULL pointer deference + when reading the PROXY protocol header.</p> + <h1>CVE-2019-10082</h1> + <p>mod_http2: Using fuzzed network input, the http/2 session + handling could be made to read memory after being freed, + during connection shutdown.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.apache.org/dist/httpd/CHANGES_2.4</url> + <cvename>CVE-2019-10081</cvename> + <cvename>CVE-2019-9517</cvename> + <cvename>CVE-2019-10098</cvename> + <cvename>CVE-2019-10092</cvename> + <cvename>CVE-2019-10082</cvename> + </references> + <dates> + <discovery>2019-08-14</discovery> + <entry>2019-08-17</entry> + </dates> + </vuln> + <vuln vid="121fec01-c042-11e9-a73f-b36f5969f162"> <topic>nghttp2 -- multiple vulnerabilities</topic> <affects>
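Review bot: The <references> block of the new apache24 entry omits CVE-2019-10097, although the description lists it (the mod_remoteip stack buffer overflow and NULL pointer dereference when reading the PROXY protocol header). Add <cvename>CVE-2019-10097</cvename> so that all six CVEs named in the description are referenced; as committed, only five are. The attribution line "<p>SO-AND-SO reports:</p>" is still the template placeholder and should name the source of the quoted CHANGES_2.4 text. The last heading, "<h1>CVE-2019-10082</h1>", lacks the "SECURITY:" prefix the other five headings carry; make it consistent unless the difference is deliberate.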