4.3 - RHSA-2013:0130

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	httpd security, bug fix, and enhancement update

Informations
Name	RHSA-2013:0130	First vendor Publication	2013-01-08
Vendor	RedHat	Last vendor Modification	2013-01-08
Severity (Vendor)	Low	Revision	01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score	4.3	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687)

Bug fixes:

* Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the "%post" script for the "mod_ssl" package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and "localhost.key" was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The "%post" script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected. (BZ#752618)

* The "mod_ssl" module did not support operation under FIPS mode. Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected. (BZ#773473)

* Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command "service httpd reload" was run and httpd failed, the exit status code returned was "0" and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns "1" as an exit status code. (BZ#783242)

* Chunked Transfer Coding is described in RFC 261

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2013-0130.html

CWE : Common Weakness Enumeration

%	Id	Name
67 %	CWE-79	Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
33 %	CWE-74	Failure to Sanitize Data into a Different Plane ('Injection')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18832

Oval ID:	oval:org.mitre.oval:def:18832
Title:	HP-UX Running Apache, Remote Denial of Service (DoS), Execution of Arbitrary Code and other vulnerabilities
Description:	Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2012-2687	Version:	11
Platform(s):	HP-UX 11	Product(s):
Definition Synopsis:
Criteria meets HP Security Bulletin HPSBUX02866 platforms HP Release B.11.23 AND HP-UX B.11.31 AND filesets tests hpuxws22APCH32.APACHE version is less than B.2.2.15.15 AND hpuxws22APCH32.APACHE2 version is less than B.2.2.15.15 AND hpuxws22APCH32.AUTH_LDAP version is less than B.2.2.15.15 AND hpuxws22APCH32.AUTH_LDAP2 version is less than B.2.2.15.15 AND hpuxws22APCH32.MOD_JK version is less than B.2.2.15.15 AND hpuxws22APCH32.MOD_JK2 version is less than B.2.2.15.15 AND hpuxws22APCH32.MOD_PERL version is less than B.2.2.15.15 AND hpuxws22APCH32.MOD_PERL2 version is less than B.2.2.15.15 AND hpuxws22APCH32.PHP version is less than B.2.2.15.15 AND hpuxws22APCH32.PHP2 version is less than B.2.2.15.15 AND hpuxws22APCH32.WEBPROXY version is less than B.2.2.15.15 AND hpuxws22APCH32.WEBPROXY2 version is less than B.2.2.15.15 OR Criteria meets HP Security Bulletin HPSBUX02866 HP-UX B.11.31 AND hpuxws22TOMCAT.TOMCAT version is less than C.6.0.36.01 OR Criteria meets HP Security Bulletin HPSBUX02866 HP-UX B.11.31 AND hpuxws22TOMCAT.TOMCAT version is less than D.7.0.35.01

Definition Id: oval:org.mitre.oval:def:19539

Oval ID:	oval:org.mitre.oval:def:19539
Title:	HP-UX Apache Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Cross Site Scripting (XSS)
Description:	Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2012-2687	Version:	9
Platform(s):	HP-UX 11	Product(s):
Definition Synopsis:
HP-UX B.11.31 AND hpuxws22TOMCAT.TOMCAT version is less than D.7.0.35.01

Definition Id: oval:org.mitre.oval:def:21017

Oval ID:	oval:org.mitre.oval:def:21017
Title:	RHSA-2013:0130: httpd security, bug fix, and enhancement update (Low)
Description:	Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
Family:	unix	Class:	patch
Reference(s):	RHSA-2013:0130-00 CESA-2013:0130 CVE-2008-0455 CVE-2008-0456 CVE-2012-2687	Version:	45
Platform(s):	Red Hat Enterprise Linux 5 CentOS Linux 5	Product(s):	httpd
Definition Synopsis:
Redhat 5 section The operating system installed on the system is Red Hat Enterprise Linux 5 AND Packages section httpd-manual is earlier than 0:2.2.3-74.el5 AND httpd is earlier than 0:2.2.3-74.el5 AND httpd-devel is earlier than 0:2.2.3-74.el5 AND mod_ssl is earlier than 0:2.2.3-74.el5 OR Centos 5 section CentOS Linux 5.x AND Packages section httpd-manual is earlier than 0:2.2.3-74.el5.centos AND httpd is earlier than 0:2.2.3-74.el5.centos AND httpd-devel is earlier than 0:2.2.3-74.el5.centos AND mod_ssl is earlier than 0:2.2.3-74.el5.centos

Definition Id: oval:org.mitre.oval:def:23042

Oval ID:	oval:org.mitre.oval:def:23042
Title:	ELSA-2013:0130: httpd security, bug fix, and enhancement update (Low)
Description:	Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
Family:	unix	Class:	patch
Reference(s):	ELSA-2013:0130-00 CVE-2008-0455 CVE-2008-0456 CVE-2012-2687	Version:	17
Platform(s):	Oracle Linux 5	Product(s):	httpd
Definition Synopsis:
Oracle Linux 5.x rpm test httpd-manual is earlier than 0:2.2.3-74.el5 AND httpd is earlier than 0:2.2.3-74.el5 AND httpd-devel is earlier than 0:2.2.3-74.el5 AND mod_ssl is earlier than 0:2.2.3-74.el5

Definition Id: oval:org.mitre.oval:def:26266

Oval ID:	oval:org.mitre.oval:def:26266
Title:	SUSE-SU-2013:0387-1 -- Security update for apache2
Description:	This update fixes the following security issues with apache2 httpd: * Improper LD_LIBRARY_PATH handling (CVE-2012-0883 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883 > ) * Filename escaping problem (CVE-2012-2687 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687 > ) Additionally, some non-security bugs have been fixed as enumerated in the changelog of the RPM.
Family:	unix	Class:	patch
Reference(s):	SUSE-SU-2013:0387-1 CVE-2012-0883 CVE-2012-2687	Version:	3
Platform(s):	SUSE Linux Enterprise Server 10	Product(s):	apache2
Definition Synopsis:
SUSE Linux Enterprise Server 10 is installed Packages match section apache2 RPM is earlier than 0:2.2.3-16.46.1 AND apache2-devel RPM is earlier than 0:2.2.3-16.46.1 AND apache2-doc RPM is earlier than 0:2.2.3-16.46.1 AND apache2-example-pages RPM is earlier than 0:2.2.3-16.46.1 AND apache2-prefork RPM is earlier than 0:2.2.3-16.46.1 AND apache2-worker RPM is earlier than 0:2.2.3-16.46.1

Definition Id: oval:org.mitre.oval:def:27403

Oval ID:	oval:org.mitre.oval:def:27403
Title:	DEPRECATED: ELSA-2013-0130 -- httpd security, bug fix, and enhancement update (low)
Description:	[2.2.3-74.0.1.el5] - fix mod_ssl always performing full renegotiation (Joe Jin) [orabug 12423387] - replace index.html with Oracle's index page oracle_index.html - update vstring and distro in specfile [2.2.3-74] - further %post scriptlet fix (#752618, #867736)
Family:	unix	Class:	patch
Reference(s):	ELSA-2013-0130 CVE-2008-0455 CVE-2008-0456 CVE-2012-2687	Version:	4
Platform(s):	Oracle Linux 5	Product(s):	httpd
Definition Synopsis:
Oracle Linux 5.x Packages match section httpd is earlier than 0:2.2.3-74.0.1.el5 AND httpd-devel is earlier than 0:2.2.3-74.0.1.el5 AND httpd-manual is earlier than 0:2.2.3-74.0.1.el5 AND mod_ssl is earlier than 0:2.2.3-74.0.1.el5

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apache Http Server cpe:2.3:a:apache:http_server:2.4.2:::::::* cpe:2.3:a:apache:http_server:2.4.1:::::::* cpe:2.3:a:apache:http_server:2.4.0:::::::* cpe:2.3:a:apache:http_server:2.3.9:::::::* cpe:2.3:a:apache:http_server:2.3.8:::::::* cpe:2.3:a:apache:http_server:2.3.7:::::::* cpe:2.3:a:apache:http_server:2.3.6:::::::* cpe:2.3:a:apache:http_server:2.3.5:::::::* cpe:2.3:a:apache:http_server:2.3.5:alpha:::::: cpe:2.3:a:apache:http_server:2.3.4:::::::* cpe:2.3:a:apache:http_server:2.3.4:alpha:::::: cpe:2.3:a:apache:http_server:2.3.3:::::::* cpe:2.3:a:apache:http_server:2.3.2:::::::* cpe:2.3:a:apache:http_server:2.3.16:::::::* cpe:2.3:a:apache:http_server:2.3.15:::::::* cpe:2.3:a:apache:http_server:2.3.14:::::::* cpe:2.3:a:apache:http_server:2.3.13:::::::* cpe:2.3:a:apache:http_server:2.3.12:::::::* cpe:2.3:a:apache:http_server:2.3.11:::::::* cpe:2.3:a:apache:http_server:2.3.10:::::::* cpe:2.3:a:apache:http_server:2.3.1:::::::* cpe:2.3:a:apache:http_server:2.3.0:::::::* cpe:2.3:a:apache:http_server:2.2.9:::::::* cpe:2.3:a:apache:http_server:2.2.8:::::::* cpe:2.3:a:apache:http_server:2.2.7:::::::* cpe:2.3:a:apache:http_server:2.2.6:::::::* cpe:2.3:a:apache:http_server:2.2.5:::::::* cpe:2.3:a:apache:http_server:2.2.4:::::::* cpe:2.3:a:apache:http_server:2.2.32:::::::* cpe:2.3:a:apache:http_server:2.2.31:::::::* cpe:2.3:a:apache:http_server:2.2.30:::::::* cpe:2.3:a:apache:http_server:2.2.3:::::::* cpe:2.3:a:apache:http_server:2.2.3::windows::::: cpe:2.3:a:apache:http_server:2.2.29:::::::* cpe:2.3:a:apache:http_server:2.2.27:::::::* cpe:2.3:a:apache:http_server:2.2.26:::::::* cpe:2.3:a:apache:http_server:2.2.25:::::::* cpe:2.3:a:apache:http_server:2.2.24:::::::* cpe:2.3:a:apache:http_server:2.2.23:::::::* cpe:2.3:a:apache:http_server:2.2.22:::::::* cpe:2.3:a:apache:http_server:2.2.21:::::::* cpe:2.3:a:apache:http_server:2.2.20:::::::* cpe:2.3:a:apache:http_server:2.2.2:::::::* cpe:2.3:a:apache:http_server:2.2.2::windows::::: cpe:2.3:a:apache:http_server:2.2.19:::::::* cpe:2.3:a:apache:http_server:2.2.18:::::::* cpe:2.3:a:apache:http_server:2.2.17:::::::* cpe:2.3:a:apache:http_server:2.2.16:::::::* cpe:2.3:a:apache:http_server:2.2.15-60:::::::* cpe:2.3:a:apache:http_server:2.2.15:::::::* cpe:2.3:a:apache:http_server:2.2.14:::::::* cpe:2.3:a:apache:http_server:2.2.13:::::::* cpe:2.3:a:apache:http_server:2.2.12:::::::* cpe:2.3:a:apache:http_server:2.2.11:::::::* cpe:2.3:a:apache:http_server:2.2.10:::::::* cpe:2.3:a:apache:http_server:2.2.1:::::::* cpe:2.3:a:apache:http_server:2.2.0:::::::* cpe:2.3:a:apache:http_server:2.2:::::::* cpe:2.3:a:apache:http_server:2.1.9:::::::* cpe:2.3:a:apache:http_server:2.1.8:::::::* cpe:2.3:a:apache:http_server:2.1.7:::::::* cpe:2.3:a:apache:http_server:2.1.6:::::::* cpe:2.3:a:apache:http_server:2.1.5:::::::* cpe:2.3:a:apache:http_server:2.1.4:::::::* cpe:2.3:a:apache:http_server:2.1.3:::::::* cpe:2.3:a:apache:http_server:2.1.2:::::::* cpe:2.3:a:apache:http_server:2.1.1:::::::* cpe:2.3:a:apache:http_server:2.1.0:::::::* cpe:2.3:a:apache:http_server:2.1:::::::* cpe:2.3:a:apache:http_server:2.0.9:::::::* cpe:2.3:a:apache:http_server:2.0.65:::::::* cpe:2.3:a:apache:http_server:2.0.64:::::::* cpe:2.3:a:apache:http_server:2.0.63:::::::* cpe:2.3:a:apache:http_server:2.0.61:::::::* cpe:2.3:a:apache:http_server:2.0.60:::::::* cpe:2.3:a:apache:http_server:2.0.59:::::::* cpe:2.3:a:apache:http_server:2.0.58:::::::* cpe:2.3:a:apache:http_server:2.0.58::win32::::: cpe:2.3:a:apache:http_server:2.0.57:::::::* cpe:2.3:a:apache:http_server:2.0.56:::::::* cpe:2.3:a:apache:http_server:2.0.55:::::::* cpe:2.3:a:apache:http_server:2.0.54:::::::* cpe:2.3:a:apache:http_server:2.0.53:::::::* cpe:2.3:a:apache:http_server:2.0.52:::::::* cpe:2.3:a:apache:http_server:2.0.51:::::::* cpe:2.3:a:apache:http_server:2.0.50:::::::* cpe:2.3:a:apache:http_server:2.0.49:::::::* cpe:2.3:a:apache:http_server:2.0.48:::::::* cpe:2.3:a:apache:http_server:2.0.47:::::::* cpe:2.3:a:apache:http_server:2.0.46:::::::* cpe:2.3:a:apache:http_server:2.0.46::win32::::: cpe:2.3:a:apache:http_server:2.0.45:::::::* cpe:2.3:a:apache:http_server:2.0.44:::::::* cpe:2.3:a:apache:http_server:2.0.43:::::::* cpe:2.3:a:apache:http_server:2.0.42:::::::* cpe:2.3:a:apache:http_server:2.0.41:::::::* cpe:2.3:a:apache:http_server:2.0.40:::::::* cpe:2.3:a:apache:http_server:2.0.39:::::::* cpe:2.3:a:apache:http_server:2.0.38:::::::* cpe:2.3:a:apache:http_server:2.0.37:::::::* cpe:2.3:a:apache:http_server:2.0.36:::::::* cpe:2.3:a:apache:http_server:2.0.35:::::::* cpe:2.3:a:apache:http_server:2.0.34:beta:::::: cpe:2.3:a:apache:http_server:2.0.34:beta:win32:::::* cpe:2.3:a:apache:http_server:2.0.34:::::::* cpe:2.3:a:apache:http_server:2.0.33:::::::* cpe:2.3:a:apache:http_server:2.0.32:beta:::::: cpe:2.3:a:apache:http_server:2.0.32:::::::* cpe:2.3:a:apache:http_server:2.0.32:beta:win32:::::* cpe:2.3:a:apache:http_server:2.0.31:::::::* cpe:2.3:a:apache:http_server:2.0.30:::::::* cpe:2.3:a:apache:http_server:2.0.29:::::::* cpe:2.3:a:apache:http_server:2.0.28:beta:::::: cpe:2.3:a:apache:http_server:2.0.28:::::::* cpe:2.3:a:apache:http_server:2.0.28:beta:win32:::::* cpe:2.3:a:apache:http_server:2.0.27:::::::* cpe:2.3:a:apache:http_server:2.0.26:::::::* cpe:2.3:a:apache:http_server:2.0.25:::::::* cpe:2.3:a:apache:http_server:2.0.24:::::::* cpe:2.3:a:apache:http_server:2.0.23:::::::* cpe:2.3:a:apache:http_server:2.0.22:::::::* cpe:2.3:a:apache:http_server:2.0.21:::::::* cpe:2.3:a:apache:http_server:2.0.20:::::::* cpe:2.3:a:apache:http_server:2.0.19:::::::* cpe:2.3:a:apache:http_server:2.0.18:::::::* cpe:2.3:a:apache:http_server:2.0.17:::::::* cpe:2.3:a:apache:http_server:2.0.16:::::::* cpe:2.3:a:apache:http_server:2.0.15:::::::* cpe:2.3:a:apache:http_server:2.0.14:::::::* cpe:2.3:a:apache:http_server:2.0.13:::::::* cpe:2.3:a:apache:http_server:2.0.12:::::::* cpe:2.3:a:apache:http_server:2.0.11:::::::* cpe:2.3:a:apache:http_server:2.0.0:::::::* cpe:2.3:a:apache:http_server:2.0:::::::* cpe:2.3:a:apache:http_server:2.0:alpha9:::::: cpe:2.3:a:apache:http_server:1.99:::::::* cpe:2.3:a:apache:http_server:1.4.0:::::::* cpe:2.3:a:apache:http_server:1.3.9:::::::* cpe:2.3:a:apache:http_server:1.3.9::win32::::: cpe:2.3:a:apache:http_server:1.3.8:::::::* cpe:2.3:a:apache:http_server:1.3.7:::::::* cpe:2.3:a:apache:http_server:1.3.7::dev::::: cpe:2.3:a:apache:http_server:1.3.68:::::::* cpe:2.3:a:apache:http_server:1.3.65:::::::* cpe:2.3:a:apache:http_server:1.3.6:::::::* cpe:2.3:a:apache:http_server:1.3.6::win32::::: cpe:2.3:a:apache:http_server:1.3.5:::::::* cpe:2.3:a:apache:http_server:1.3.42:::::::* cpe:2.3:a:apache:http_server:1.3.41:::::::* cpe:2.3:a:apache:http_server:1.3.40:::::::* cpe:2.3:a:apache:http_server:1.3.4:::::::* cpe:2.3:a:apache:http_server:1.3.39:::::::* cpe:2.3:a:apache:http_server:1.3.38:::::::* cpe:2.3:a:apache:http_server:1.3.37:::::::* cpe:2.3:a:apache:http_server:1.3.36:::::::* cpe:2.3:a:apache:http_server:1.3.35:::::::* cpe:2.3:a:apache:http_server:1.3.34:::::::* cpe:2.3:a:apache:http_server:1.3.33:::::::* cpe:2.3:a:apache:http_server:1.3.32:::::::* cpe:2.3:a:apache:http_server:1.3.31:::::::* cpe:2.3:a:apache:http_server:1.3.30:::::::* cpe:2.3:a:apache:http_server:1.3.3:::::::* cpe:2.3:a:apache:http_server:1.3.29:::::::* cpe:2.3:a:apache:http_server:1.3.28:::::::* cpe:2.3:a:apache:http_server:1.3.27:::::::* cpe:2.3:a:apache:http_server:1.3.26:::::::* cpe:2.3:a:apache:http_server:1.3.26::win32::::: cpe:2.3:a:apache:http_server:1.3.25:::::::* cpe:2.3:a:apache:http_server:1.3.25::win32::::: cpe:2.3:a:apache:http_server:1.3.24:::::::* cpe:2.3:a:apache:http_server:1.3.24::win32::::: cpe:2.3:a:apache:http_server:1.3.23:::::::* cpe:2.3:a:apache:http_server:1.3.23::win32::::: cpe:2.3:a:apache:http_server:1.3.22:::::::* cpe:2.3:a:apache:http_server:1.3.22::win32::::: cpe:2.3:a:apache:http_server:1.3.20:::::::* cpe:2.3:a:apache:http_server:1.3.20::win32::::: cpe:2.3:a:apache:http_server:1.3.2:::::::* cpe:2.3:a:apache:http_server:1.3.19:::::::* cpe:2.3:a:apache:http_server:1.3.19::win32::::: cpe:2.3:a:apache:http_server:1.3.18:::::::* cpe:2.3:a:apache:http_server:1.3.18::win32::::: cpe:2.3:a:apache:http_server:1.3.17:::::::* cpe:2.3:a:apache:http_server:1.3.17::win32::::: cpe:2.3:a:apache:http_server:1.3.16:::::::* cpe:2.3:a:apache:http_server:1.3.16::win32::::: cpe:2.3:a:apache:http_server:1.3.15:::::::* cpe:2.3:a:apache:http_server:1.3.15::win32::::: cpe:2.3:a:apache:http_server:1.3.14:::::::* cpe:2.3:a:apache:http_server:1.3.14::win32::::: cpe:2.3:a:apache:http_server:1.3.14::mac_os::::: cpe:2.3:a:apache:http_server:1.3.13:::::::* cpe:2.3:a:apache:http_server:1.3.13::win32::::: cpe:2.3:a:apache:http_server:1.3.12:::::::* cpe:2.3:a:apache:http_server:1.3.12::win32::::: cpe:2.3:a:apache:http_server:1.3.11:::::::* cpe:2.3:a:apache:http_server:1.3.11::win32::::: cpe:2.3:a:apache:http_server:1.3.10:::::::* cpe:2.3:a:apache:http_server:1.3.1.1:::::::* cpe:2.3:a:apache:http_server:1.3.1:::::::* cpe:2.3:a:apache:http_server:1.3.0:::::::* cpe:2.3:a:apache:http_server:1.3:::::::* cpe:2.3:a:apache:http_server:1.2.9:::::::* cpe:2.3:a:apache:http_server:1.2.6:::::::* cpe:2.3:a:apache:http_server:1.2.5:::::::* cpe:2.3:a:apache:http_server:1.2.4:::::::* cpe:2.3:a:apache:http_server:1.2.0:::::::* cpe:2.3:a:apache:http_server:1.15.17:::::::* cpe:2.3:a:apache:http_server:1.1.1:::::::* cpe:2.3:a:apache:http_server:1.1:::::::* cpe:2.3:a:apache:http_server:1.0.5:::::::* cpe:2.3:a:apache:http_server:1.0.3:::::::* cpe:2.3:a:apache:http_server:1.0.2:::::::* cpe:2.3:a:apache:http_server:1.0:::::::* cpe:2.3:a:apache:http_server:0.8.14:::::::* cpe:2.3:a:apache:http_server:0.8.11:::::::* cpe:2.3:a:apache:http_server:::::::: cpe:2.3:a:apache:http_server:::win32:::::* cpe:2.3:a:apache:http_server:-:::::::*	219
Os	Redhat Enterprise Linux Desktop cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*	1
Os	Redhat Enterprise Linux Server cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*	1
Os	Redhat Enterprise Linux Workstation cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*	1

OpenVAS Exploits

Date	Description
2012-11-26	Name : FreeBSD Ports: apache22 File : nvt/freebsd_apache22.nasl
2012-11-09	Name : Ubuntu Update for apache2 USN-1627-1 File : nvt/gb_ubuntu_USN_1627_1.nasl
2012-10-03	Name : Mandriva Update for apache MDVSA-2012:154-1 (apache) File : nvt/gb_mandriva_MDVSA_2012_154_1.nasl
2010-05-12	Name : Mac OS X 10.5.7 Update / Mac OS X Security Update 2009-002 File : nvt/macosx_upd_10_5_7_secupd_2009-002.nasl
2009-11-17	Name : Mac OS X Version File : nvt/macosx_version.nasl
2008-09-24	Name : Gentoo Security Advisory GLSA 200803-19 (apache) File : nvt/glsa_200803_19.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
41019	Apache HTTP Server mod_negotiation Module Multi-Line Filename Upload XSS
41018	Apache HTTP Server mod_negotiation Module Multi-Line Filename Upload CRLF

Information Assurance Vulnerability Management (IAVM)

Date	Description
2015-07-16	IAVM : 2015-A-0149 - Multiple Vulnerabilities in Juniper Networks and Security Manager(NSM) Appliance Severity : Category I - VMSKEY : V0061101

Nessus® Vulnerability Scanner

Date	Description
2015-09-01	Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL17201.nasl - Type : ACT_GATHER_INFO
2015-08-31	Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL17189.nasl - Type : ACT_GATHER_INFO
2015-07-20	Name : The remote host is affected by multiple vulnerabilities. File : juniper_nsm_jsa10685_cred.nasl - Type : ACT_GATHER_INFO
2015-07-20	Name : The remote host is affected by multiple vulnerabilities. File : juniper_nsm_jsa10685.nasl - Type : ACT_GATHER_INFO
2015-05-20	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-0469-1.nasl - Type : ACT_GATHER_INFO
2015-05-20	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-0387-1.nasl - Type : ACT_GATHER_INFO
2015-01-19	Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_apache_20130129.nasl - Type : ACT_GATHER_INFO
2014-12-16	Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-770.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL15901.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-81.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-80.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-308.nasl - Type : ACT_GATHER_INFO
2013-09-13	Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_8_5.nasl - Type : ACT_GATHER_INFO
2013-09-13	Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2013-004.nasl - Type : ACT_GATHER_INFO
2013-08-11	Name : The remote web server may be affected by multiple vulnerabilities. File : oracle_http_server_cpu_jul_2013.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0130.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0512.nasl - Type : ACT_GATHER_INFO
2013-03-10	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0512.nasl - Type : ACT_GATHER_INFO
2013-03-05	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_apache2-8443.nasl - Type : ACT_GATHER_INFO
2013-03-05	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_apache2-130225.nasl - Type : ACT_GATHER_INFO
2013-03-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130221_httpd_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2013-02-21	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0512.nasl - Type : ACT_GATHER_INFO
2013-02-13	Name : The remote Fedora host is missing a security update. File : fedora_2013-1661.nasl - Type : ACT_GATHER_INFO
2013-01-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1592.nasl - Type : ACT_GATHER_INFO
2013-01-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1591.nasl - Type : ACT_GATHER_INFO
2013-01-17	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130108_httpd_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2013-01-17	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0130.nasl - Type : ACT_GATHER_INFO
2013-01-08	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0130.nasl - Type : ACT_GATHER_INFO
2012-11-09	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1627-1.nasl - Type : ACT_GATHER_INFO
2012-11-05	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_65539c54251711e2b9d620cf30e32f6d.nasl - Type : ACT_GATHER_INFO
2012-10-02	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-154.nasl - Type : ACT_GATHER_INFO
2012-09-14	Name : The remote web server is affected by multiple vulnerabilities. File : apache_2_2_23.nasl - Type : ACT_GATHER_INFO
2012-08-23	Name : The remote web server is affected by multiple vulnerabilities. File : apache_2_4_3.nasl - Type : ACT_GATHER_INFO
2011-11-18	Name : The remote web server may be affected by one or more issues. File : apache_mod_negotiation_xss.nasl - Type : ACT_GATHER_INFO
2009-05-13	Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_5_7.nasl - Type : ACT_GATHER_INFO
2008-03-13	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200803-19.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:56:38	Multiple Updates
2013-01-08 09:18:09	First insertion

Global Informations

Type	Count
CWE ID(s)	3
Oval ID(s)	6
CPE ID(s)	222
osvdb(s)	2
Openvas Exploit(s)	6
IAVM(s)	1
Nessus® Exploit(s)	36

	Related
4.3	CVE-2008-0455
2.6	CVE-2012-2687
2.6	CVE-2008-0456
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 3 more Alert(s)