Executive Summary
Summary | |
---|---|
Title | Apache vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-1021-1 | First vendor Publication | 2010-11-25 |
Vendor | Ubuntu | Last vendor Modification | 2010-11-25 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 9.10 Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: Ubuntu 8.04 LTS: Ubuntu 9.10: Ubuntu 10.04 LTS: Ubuntu 10.10: In general, a standard system update will make all the necessary changes. Details follow: It was discovered that Apache's mod_cache and mod_dav modules incorrectly handled requests that lacked a path. A remote attacker could exploit this with a crafted request and cause a denial of service. This issue affected Ubuntu 6.06 LTS, 8.04 LTS, 9.10 and 10.04 LTS. (CVE-2010-1452) It was discovered that Apache did not properly handle memory when destroying APR buckets. A remote attacker could exploit this with crafted requests and cause a denial of service via memory exhaustion. This issue affected Ubuntu 6.06 LTS and 10.10. (CVE-2010-1623) |
Original Source
Url : http://www.ubuntu.com/usn/USN-1021-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11683 | |||
Oval ID: | oval:org.mitre.oval:def:11683 | ||
Title: | Apache 'mod_cache' and 'mod_dav' Request Handling Denial of Service Vulnerability | ||
Description: | The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2010-1452 | Version: | 7 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows 7 | Product(s): | Apache |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:12456 | |||
Oval ID: | oval:org.mitre.oval:def:12456 | ||
Title: | DSA-2117-1 apr-util -- denial of service | ||
Description: | APR-util is part of the Apache Portable Runtime library which is used by projects such as Apache httpd and Subversion. Jeff Trawick discovered a flaw in the apr_brigade_split_line function in apr-util. A remote attacker could send crafted http requests to cause a greatly increased memory consumption in Apache httpd, resulting in a denial of service. This upgrade fixes this issue. After the upgrade, any running apache2 server processes need to be restarted. For the stable distribution, this problem has been fixed in version 1.2.12+dfsg-8+lenny5. For the testing distribution and the unstable distribution, this problem has been fixed in version 1.3.9+dfsg-4. We recommend that you upgrade your apr-util packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2117-1 CVE-2010-1623 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | apr-util |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22351 | |||
Oval ID: | oval:org.mitre.oval:def:22351 | ||
Title: | RHSA-2010:0950: apr-util security update (Moderate) | ||
Description: | Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0950-01 CVE-2010-1623 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 | Product(s): | apr-util |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23037 | |||
Oval ID: | oval:org.mitre.oval:def:23037 | ||
Title: | DEPRECATED: ELSA-2010:0950: apr-util security update (Moderate) | ||
Description: | Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0950-01 CVE-2010-1623 | Version: | 7 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | apr-util |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23618 | |||
Oval ID: | oval:org.mitre.oval:def:23618 | ||
Title: | ELSA-2010:0950: apr-util security update (Moderate) | ||
Description: | Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0950-01 CVE-2010-1623 | Version: | 6 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | apr-util |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-25 (apache) File : nvt/glsa_201206_25.nasl |
2012-07-30 | Name : CentOS Update for apr-util CESA-2010:0950 centos4 x86_64 File : nvt/gb_CESA-2010_0950_apr-util_centos4_x86_64.nasl |
2011-09-21 | Name : Debian Security Advisory DSA 2298-2 (apache2) File : nvt/deb_2298_2.nasl |
2011-09-21 | Name : Debian Security Advisory DSA 2298-1 (apache2) File : nvt/deb_2298_1.nasl |
2011-08-26 | Name : Mac OS X v10.6.6 Multiple Vulnerabilities (2011-001) File : nvt/secpod_macosx_su11-001.nasl |
2011-05-05 | Name : HP-UX Update for Apache Web Server HPSBUX02645 File : nvt/gb_hp_ux_HPSBUX02645.nasl |
2011-01-31 | Name : CentOS Update for apr-util CESA-2010:0950 centos4 i386 File : nvt/gb_CESA-2010_0950_apr-util_centos4_i386.nasl |
2011-01-04 | Name : HP-UX Update for Apache-based Web Server HPSBUX02612 File : nvt/gb_hp_ux_HPSBUX02612.nasl |
2010-12-23 | Name : RedHat Update for apr-util RHSA-2010:0950-01 File : nvt/gb_RHSA-2010_0950-01_apr-util.nasl |
2010-12-02 | Name : Ubuntu Update for apr-util vulnerability USN-1022-1 File : nvt/gb_ubuntu_USN_1022_1.nasl |
2010-12-02 | Name : Ubuntu Update for apache2 vulnerabilities USN-1021-1 File : nvt/gb_ubuntu_USN_1021_1.nasl |
2010-12-02 | Name : Fedora Update for apr-util FEDORA-2010-16178 File : nvt/gb_fedora_2010_16178_apr-util_fc14.nasl |
2010-11-04 | Name : Fedora Update for apr-util FEDORA-2010-15953 File : nvt/gb_fedora_2010_15953_apr-util_fc13.nasl |
2010-11-04 | Name : Fedora Update for apr-util FEDORA-2010-15916 File : nvt/gb_fedora_2010_15916_apr-util_fc12.nasl |
2010-10-10 | Name : FreeBSD Ports: apr File : nvt/freebsd_apr0.nasl |
2010-10-07 | Name : Apache APR-util 'buckets/apr_brigade.c' Denial Of Service Vulnerability File : nvt/gb_apache_apr_util_dos_vuln.nasl |
2010-10-04 | Name : Mandriva Update for apr-util MDVSA-2010:192 (apr-util) File : nvt/gb_mandriva_MDVSA_2010_192.nasl |
2010-09-07 | Name : RedHat Update for httpd RHSA-2010:0659-01 File : nvt/gb_RHSA-2010_0659-01_httpd.nasl |
2010-08-21 | Name : FreeBSD Ports: apache File : nvt/freebsd_apache17.nasl |
2010-08-20 | Name : Mandriva Update for apache MDVSA-2010:152 (apache) File : nvt/gb_mandriva_MDVSA_2010_152.nasl |
2010-08-20 | Name : Mandriva Update for apache MDVSA-2010:153 (apache) File : nvt/gb_mandriva_MDVSA_2010_153.nasl |
2010-08-16 | Name : Fedora Update for httpd FEDORA-2010-12478 File : nvt/gb_fedora_2010_12478_httpd_fc13.nasl |
2010-07-27 | Name : Apache HTTP Server Multiple Remote Denial of Service Vulnerabilities File : nvt/gb_apache_41963.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2011-041-03 httpd File : nvt/esoft_slk_ssa_2011_041_03.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2011-041-01 apr-util File : nvt/esoft_slk_ssa_2011_041_01.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2010-240-02 httpd File : nvt/esoft_slk_ssa_2010_240_02.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
68327 | Apache APR-util buckets/apr_brigade.c apr_brigade_split_line() Function Memor... Apache APR-util contains a flaw that may allow a remote denial of service. The issue is triggered when a memory leak occurs in the 'apr_brigade_split_line()' function in 'buckets/apr_brigade.c', allowing a remote attacker to destroy an APR bucket to cause a denial of service via memory consumption. |
66745 | Apache HTTP Server Multiple Modules Pathless Request Remote DoS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-09-16 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL15902.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_apache2-110726.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_apache2-110726.nasl - Type : ACT_GATHER_INFO |
2014-05-19 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201405-24.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0659.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0950.nasl - Type : ACT_GATHER_INFO |
2013-06-29 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0659.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100830_httpd_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20101207_apr_util_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-06-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-25.nasl - Type : ACT_GATHER_INFO |
2012-04-20 | Name : The remote web server is affected by multiple vulnerabilities. File : hpsmh_7_0_0_24.nasl - Type : ACT_GATHER_INFO |
2011-12-13 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_apache2-110831.nasl - Type : ACT_GATHER_INFO |
2011-08-30 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2298.nasl - Type : ACT_GATHER_INFO |
2011-07-12 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libapr-util1-110701.nasl - Type : ACT_GATHER_INFO |
2011-07-12 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libapr-util1-110706.nasl - Type : ACT_GATHER_INFO |
2011-07-12 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libapr-util1-7611.nasl - Type : ACT_GATHER_INFO |
2011-03-22 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_6_7.nasl - Type : ACT_GATHER_INFO |
2011-03-22 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2011-001.nasl - Type : ACT_GATHER_INFO |
2011-02-11 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2011-041-01.nasl - Type : ACT_GATHER_INFO |
2011-02-11 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2011-041-03.nasl - Type : ACT_GATHER_INFO |
2011-01-28 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0950.nasl - Type : ACT_GATHER_INFO |
2010-12-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0950.nasl - Type : ACT_GATHER_INFO |
2010-11-28 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1022-1.nasl - Type : ACT_GATHER_INFO |
2010-11-28 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1021-1.nasl - Type : ACT_GATHER_INFO |
2010-11-10 | Name : The remote Fedora host is missing a security update. File : fedora_2010-16178.nasl - Type : ACT_GATHER_INFO |
2010-10-29 | Name : The remote Fedora host is missing a security update. File : fedora_2010-15916.nasl - Type : ACT_GATHER_INFO |
2010-10-29 | Name : The remote Fedora host is missing a security update. File : fedora_2010-15953.nasl - Type : ACT_GATHER_INFO |
2010-10-20 | Name : The remote web server may be affected by several issues. File : apache_2_2_17.nasl - Type : ACT_GATHER_INFO |
2010-10-20 | Name : The remote web server is affected by multiple vulnerabilities. File : apache_2_0_64.nasl - Type : ACT_GATHER_INFO |
2010-10-06 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_dd943fbbd0fe11df95a800219b0fc4d8.nasl - Type : ACT_GATHER_INFO |
2010-10-06 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2117.nasl - Type : ACT_GATHER_INFO |
2010-10-06 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-192.nasl - Type : ACT_GATHER_INFO |
2010-08-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0659.nasl - Type : ACT_GATHER_INFO |
2010-08-29 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2010-240-02.nasl - Type : ACT_GATHER_INFO |
2010-08-17 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-153.nasl - Type : ACT_GATHER_INFO |
2010-08-17 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-152.nasl - Type : ACT_GATHER_INFO |
2010-08-14 | Name : The remote Fedora host is missing a security update. File : fedora_2010-12478.nasl - Type : ACT_GATHER_INFO |
2010-07-30 | Name : The remote web server is affected by multiple vulnerabilities. File : apache_2_2_16.nasl - Type : ACT_GATHER_INFO |
2010-07-26 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_28a7310f985511df8d36001aa0166822.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:58:05 |
|