httpd-2.2.34-2.an2.src
[5.6 MiB] |
Changelog
by JoungKyun.Kim (2017-10-14):
- security issues
. CVE-2017-9798
Corrupted or freed memory access. <Limit[Except]> must now be used in the
main configuration file (httpd.conf) to register HTTP methods before the
.htaccess files.
|
httpd-2.2.34-1.an2.src
[5.6 MiB] |
Changelog
by JoungKyun.Kim (2017-07-17):
- update 2.2.34
http://www.apache.org/dist/httpd/CHANGES_2.2.34
- security issues:
. CVE-2017-7668
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
. CVE-2017-3169
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
. CVE-2017-3167
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
. CVE-2017-7679
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.
|
httpd-2.2.32-1.an2.src
[5.6 MiB] |
Changelog
by JoungKyun.Kim (2017-01-22):
- update 2.2.32
http://www.apache.org/dist/httpd/CHANGES_2.2.32
- security issues:
. CVE-2016-8743
Enforce HTTP request grammar corresponding to RFC7230 for request lines
and request headers, to prevent response splitting and cache pollution by
malicious clients or downstream proxies.
|
httpd-2.2.31-2.an2.src
[5.4 MiB] |
Changelog
by JoungKyun.Kim (2016-07-20):
- security issues:
. CVE-2016-5387
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and
therefore does not protect applications from the presence of untrusted
client data in the HTTP_PROXY environment variable, which might allow
remote attackers to redirect an application's outbound HTTP traffic to an
arbitrary proxy server via a crafted Proxy header in an HTTP request, aka
an "httpoxy" issue.
|
httpd-2.2.31-1.an2.src
[5.4 MiB] |
Changelog
by JoungKyun.Kim (2015-08-16):
- update 2.2.31
- security issues:
. CVE-2015-3183
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters
|
httpd-2.2.29-1.an2.src
[5.4 MiB] |
Changelog
by JoungKyun.Kim (2014-09-23):
- security issues:
. CVE-2013-5704
The mod_headers module in the Apache HTTP Server 2.2.22 allows
remote attackers to bypass "RequestHeader unset" directives by
placing a header in the trailer portion of data sent with chunked
transfer coding.
|
httpd-2.2.27-2.an2.src
[5.4 MiB] |
Changelog
by JoungKyun.Kim (2014-07-30):
- security issues:
. CVE-2014-0118
The deflate_in_filter function in mod_deflate.c in the mod_deflate
module in the Apache HTTP Server before 2.4.10, when request body
decompression is enabled, allows remote attackers to cause a denial
of service (resource consumption) via crafted request data that
decompresses to a much larger size.
. CVE-2014-0226
Race condition in the mod_status module in the Apache HTTP Server
before 2.4.10 allows remote attackers to cause a denial of service
(heap-based buffer overflow), or possibly obtain sensitive credential
information or execute arbitrary code, via a crafted request that
triggers improper scoreboard handling within the status_handler
function in modules/generators/mod_status.c and the
lua_ap_scoreboard_worker function in modules/lua/lua_request.c.
. CVE-2014-0231
The mod_cgid module in the Apache HTTP Server before 2.4.10 does not
have a timeout mechanism, which allows remote attackers to cause a
denial of service (process hang) via a request to a CGI script that
does not read from its stdin file descriptor.
|
httpd-2.2.27-1.an2.src
[5.4 MiB] |
Changelog
by JoungKyun.Kim (2014-04-05):
- update 2.2.27
. see also http://www.apache.org/dist/httpd/CHANGES_2.2.27
- support NPN on mod_ssl
- security issues:
. CVE-2014-0098
Clean up cookie logging with fewer redundant string parsing passes.
Log only cookies with a value assignment. Prevents segfaults when
logging truncated cookies.
. CVE-2013-6438
mod_dav: Keep track of length of cdata properly when removing
leading spaces. Eliminates a potential denial of service from
specifically crafted DAV WRITE requests
|
httpd-2.2.26-1.an2.src
[5.2 MiB] |
Changelog
by JoungKyun.Kim (2014-02-07):
- update 2.2.26
. see also http://www.apache.org/dist/httpd/CHANGES_2.2.26
|
httpd-2.2.25-1.an2.src
[5.3 MiB] |
Changelog
by JoungKyun.Kim (2013-07-06):
- update 2.2.25
. see also http://www.apache.org/dist/httpd/CHANGES_2.2.25
- security issues:
. CVE-2013-1862
mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server
2.2.x before 2.2.25 writes data to a log file without sanitizing
non-printable characters, which might allow remote attackers to
execute arbitrary commands via an HTTP request containing an escape
sequence for a terminal emulator.
|
httpd-2.2.24-1.an2.src
[5.3 MiB] |
Changelog
by JoungKyun.Kim (2013-03-08):
- update 2.2.24
. see also http://www.apache.org/dist/httpd/CHANGES_2.2.24
- security issues:
. CVE-2012-3499
Various XSS flaws due to unescaped hostnames and URIs HTML output in
mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
. CVE-2012-4558
XSS in mod_proxy_balancer manager interface.
|
httpd-2.2.23-2.an2.src
[5.3 MiB] |
Changelog
by JoungKyun.Kim (2012-11-09):
- fixed work binary
|
httpd-2.2.23-1.an2.src
[5.3 MiB] |
Changelog
by JoungKyun.Kim (2012-10-12):
- update 2.2.23
- fixed CVE-2012-0883
- fixed CVE-2012-2687
|
httpd-2.2.22-3.an2.src
[5.2 MiB] |
Changelog
by JoungKyun.Kim (2012-06-08):
- move /var/log/httpd to httpd-conf package
|
httpd-2.2.22-2.an2.src
[5.2 MiB] |
Changelog
by JoungKyun.Kim (2012-03-22):
- fixed broken echo hangul variable on ssi
|
httpd-2.2.22-1.an2.src
[5.2 MiB] |
Changelog
by JoungKyun.Kim (2012-02-17):
- update 2.2.22
|