Closed

Opened Feb 01, 2012 by Natanael Copa (@ncopa, Owner)

[v2.2] apache2 < 2.2.22: Various vulnerabilities (CVE-2012-0021, CVE-2012-0031, CVE-2012-0053, CVE-2011-3368)

low: mod_log_config crash CVE-2012-0021

A flaw was found in mod_log_config. If the ‘%{cookiename}C’ log format string is in use, a remote attacker could send a specific cookie causing a crash. This crash would only be a denial of service if using a threaded MPM.
Reported to security team: 30th December 2011
Issue public: 28th November 2011
Update released: 31st January 2012
Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17

low: scoreboard parent DoS CVE-2012-0031

A flaw was found in the handling of the scoreboard. An unprivileged child process could cause the parent process to crash at shutdown rather than terminate cleanly.

Acknowledgements: This issue was reported by halfdog
Reported to security team: 30th December 2011
Issue public: 11th January 2012
Update released: 31st January 2012
Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: error responses can expose cookies CVE-2012-0053

A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose “httpOnly” cookies when no custom ErrorDocument is specified.

Acknowledgements: This issue was reported by Norman Hippert
Reported to security team: 15th January 2012
Issue public: 23rd January 2012
Update released: 31st January 2012
Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_proxy reverse proxy exposure CVE-2011-3368

An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with the proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker.

Acknowledgements: This issue was reported by Context Information Security Ltd
Reported to security team: 16th September 2011
Issue public: 5th October 2011
Update released: 31st January 2012
Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

http://httpd.apache.org/security/vulnerabilities_22.html

Solution: upgrade to 2.2.22
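Until the 2.2.22 package lands, the advisories above each name a configuration setting that decides whether a running server is exposed: a `%{name}C` cookie field in the log format (CVE-2012-0021), the absence of a custom `ErrorDocument` for status 400 (CVE-2012-0053), and proxying `RewriteRule`/`ProxyPassMatch` rules whose pattern is not anchored to a leading slash, which is the shape of the "certain configurations" CVE-2011-3368 refers to. The following audit script is an added example written for this page; it is not part of the issue or of the aports tree. The two `httpd.conf` fragments are constructed for the example, and the leading-slash check is a heuristic meant for server or virtual-host context rules.

```python
"""Audit an Apache 2.2 httpd.conf fragment for the exposures listed in this issue.

The version check follows the issue's "upgrade to 2.2.22" guidance; the three
configuration checks look for the settings each advisory entry names:
  - a "%{name}C" cookie field in a LogFormat/CustomLog line    (CVE-2012-0021)
  - no custom ErrorDocument for status 400                     (CVE-2012-0053)
  - RewriteRule [P] / ProxyPassMatch patterns not anchored at "^/" (CVE-2011-3368)
The sample configs below are constructed for this example, not taken from the issue.
"""
import re

# --- constructed sample configurations: one weak, one hardened ---------------
WEAK_CONF = r'''
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{session}C\"" cookielog
CustomLog logs/access_log cookielog
RewriteEngine On
RewriteRule ^(.*) http://intranet.example.internal$1 [P,L]
ProxyPassMatch ^(.*\.php)$ fcgi://127.0.0.1:9000$1
'''

HARDENED_CONF = r'''
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common
ErrorDocument 400 /errors/400.html
RewriteEngine On
RewriteRule ^/(.*) http://intranet.example.internal/$1 [P,L]
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/$1
'''

# %{name}C, allowing the optional LogFormat modifiers (e.g. %>{name}C, %!200{name}C)
COOKIE_FIELD = re.compile(r'%[<>!,\d]*\{[^}]*\}C')
# pattern begins with ^, then any number of group openers, then a literal slash
ANCHORED = re.compile(r'^\^(?:\((?:\?:)?)*/')


def _directives(conf: str):
    """Yield (directive, argument_string) for each non-blank, non-comment line."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else '')


def is_affected(version: str) -> bool:
    """True for a 2.2.x release older than the fixed 2.2.22."""
    parts = tuple(int(p) for p in version.split('.'))
    return len(parts) == 3 and parts[:2] == (2, 2) and parts < (2, 2, 22)


def cookie_logging_lines(conf: str) -> list:
    """Log directives whose format contains a %{name}C field (CVE-2012-0021 trigger)."""
    return [f'{d} {a}' for d, a in _directives(conf)
            if d in ('LogFormat', 'CustomLog') and COOKIE_FIELD.search(a)]


def has_error_document_400(conf: str) -> bool:
    """A custom ErrorDocument for 400 replaces the default error page (CVE-2012-0053)."""
    return any(d == 'ErrorDocument' and a.split()[:1] == ['400'] and len(a.split()) > 1
               for d, a in _directives(conf))


def _is_proxy_rule(flags: str) -> bool:
    """True if a RewriteRule flag list such as [P,L] or [proxy] requests proxying."""
    tokens = [t.split('=')[0].strip().lower() for t in flags.strip('[]').split(',')]
    return 'p' in tokens or 'proxy' in tokens


def unanchored_proxy_rules(conf: str) -> list:
    """Proxying rules whose pattern does not begin with '^/' (CVE-2011-3368 shape).

    Heuristic for server/virtual-host context; in per-directory context the leading
    slash is stripped before matching, so this check would over-report there.
    """
    hits = []
    for d, a in _directives(conf):
        args = a.split()
        if d == 'RewriteRule' and len(args) >= 3 and _is_proxy_rule(args[2]):
            if not ANCHORED.match(args[0]):
                hits.append(f'{d} {a}')
        elif d == 'ProxyPassMatch' and args and not ANCHORED.match(args[0]):
            hits.append(f'{d} {a}')
    return hits


def audit(conf: str, version: str) -> dict:
    """Summarise which of the issue's exposures a configuration plus version still carries."""
    return {
        'needs_upgrade': is_affected(version),
        'cookie_logging': cookie_logging_lines(conf),
        'missing_errordocument_400': not has_error_document_400(conf),
        'unanchored_proxy_rules': unanchored_proxy_rules(conf),
    }


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit(conf, '2.2.21'))
```

The weak fragment trips all three configuration checks; the hardened one passes them, and on a 2.2.22 host `needs_upgrade` turns false as well. The configuration checks are interim mitigations only: the scoreboard issue (CVE-2012-0031) has no configuration workaround, so the package upgrade remains the fix for the whole set.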

(from redmine: issue id 984, created on 2012-02-01, closed on 2012-02-01)

  • Changesets:
    • Revision 8473281f by Natanael Copa on 2012-02-01T08:01:39Z:
main/apache2: security upgrade to 2.2.22 (CVE-2012-0021, CVE-2012-0031, CVE-2012-0053, CVE-2011-3368)

low: mod_log_config crash CVE-2012-0021
low: scoreboard parent DoS CVE-2012-0031
moderate: error responses can expose cookies CVE-2012-0053
moderate: mod_proxy reverse proxy exposure CVE-2011-3368

This release also includes the previously patched:
low: mod_setenvif .htaccess privilege escalation CVE-2011-3607
moderate: mod_proxy reverse proxy exposure CVE-2011-4317

fixes #984
Milestone: Alpine 2.2.4

Reference: alpine/aports#984