979 matches found
Improving Apache httpd Protections Proactively with Orange Tsai of DEVCORE
...
K000140620: Apache HTTPD vulnerabilities CVE-2024-38474 and CVE-2024-38475
Security Advisory Description CVE-2024-38474 Substitution encoding issue in modrewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to b...
CLSA-2024-1723059198 httpd: Fix of 3 CVEs
CVE-2024-39884: modules: source code disclosure with handlers configured via AddType. Resolving regression introduced by CVE-2024-38476 fix. - CVE-2024-40725: modules: source code disclosure with handlers configured via AddType. Resolving regression introduced by CVE-2024-39884 fix...
Important: httpd
Issue Overview: A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosu...
K000140505: Apache HTTPD vulnerability CVE-2024-38473
Security Advisory Description Encoding problem in modproxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixe...
httpd: Substitution encoding issue in mod_rewrite
A flaw was found in the modrewrite module of httpd. Due to a substitution encoding issue, specially crafted requests may allow an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant only to be execut...
httpd: NULL pointer dereference in mod_proxy
A flaw was found in the modproxy module of httpd. A NULL pointer dereference can be triggered when processing a specially crafted HTTP request, causing the httpd server to crash, and resulting in a denial of service...
OESA-2024-1847 mod_http2 security update
Modhttp2 is an official Apache httpd module, first released in 2.4.17. See Apache downloads to get a released version. modproxyhttp2 has been released in 2.4.23. Security Fixes: Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a...
AZL-43414 CVE-2024-40725 affecting package httpd for versions less than 2.4.62-1
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local...
Apache httpd -- Source code disclosure with handlers configured via AddType
The Apache httpd project reports: source code disclosure with handlers configured via AddType CVE-2024-40725 Important: A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar...
httpd: CONTINUATION frames DoS
A vulnerability was found in how Apache httpd implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers,...
FreeBSD : Apache httpd -- source code disclosure (5d921a8c-3a43-11ef-b611-84a93843eb75)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 5d921a8c-3a43-11ef-b611-84a93843eb75 advisory. The Apache httpd project reports: isource code disclosure with handlers configured via AddType...
Apache httpd -- source code disclosure
The Apache httpd project reports: isource code disclosure with handlers configured via AddType CVE-2024-39884 Important. A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under so...
FreeBSD : Apache httpd -- Multiple vulnerabilities (d7efc2ad-37af-11ef-b611-84a93843eb75)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the d7efc2ad-37af-11ef-b611-84a93843eb75 advisory. The Apache httpd project reports: DoS by Null pointer in websocket over HTTP/2 CVE-2024-36387...
httpd: CONTINUATION frames DoS
A vulnerability was found in how Apache httpd implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers,...
httpd: CONTINUATION frames DoS
A vulnerability was found in how Apache httpd implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers,...
Moderate: Red Hat Security Advisory: mod_http2 security update
An update for modhttp2 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...
RHEL 9 : mod_http2 (RHSA-2024:3417)
The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:3417 advisory. The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: CONTINUATION...
RHEL 9 : mod_http2 (RHSA-2024:3402)
The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:3402 advisory. The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: CONTINUATION...
K000139764: Apache HTTPD vulnerability CVE-2023-38709
Security Advisory Description Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. CVE-2023-38709 Impact This vulnerability allows malicious or exploitable...