Apache Httpd < 2.4.23 : TLS/SSL X.509 client certificate auth bypass with HTTP/2

For configurations enabling support for HTTP/2, SSL client certificate validation was not enforced if configured, allowing clients unauthorized access to protected resources over HTTP/2. This issue affected releases 2.4.18 and 2.4.20 only...

Python urllib HTTP header injection vulnerability-vulnerability warning-the black bar safety net

The Python urllib library in Python 2 for urllib2 in Python 3 to urllib is a HTTP Protocol the following Protocol flow injection vulnerabilities. If an attacker can control the Python code to access an arbitrary URL, or allow Python code to access a malicious web servr, and that this vulnerabilit...

subversion: multiple issues

CVE-2016-2167 authentication restriction bypass The canonicalizeusername function in svnserve/cyrusauth.c, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm...

Null pointer dereference

The reqcheckaccess function in the modauthzsvn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service NULL pointer dereference and crash via a crafted header in a 1 MOVE or 2 COPY request, involving an...

CVE-2016-2168

CVE-2016-2168 affects Apache Subversion’s httpd-based Subversion server, specifically the mod_authz_svn module. The issue arises in the req_check_access path, allowing remote authenticated users to trigger a denial of service (NULL pointer dereference and crash) via a crafted header in a MOVE or ...

CVE-2016-2168

The reqcheckaccess function in the modauthzsvn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service NULL pointer dereference and crash via a crafted header in a 1 MOVE or 2 COPY request, involving an...

[slackware-security] php

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: patches/packages/php-5.6.21-i486-1slack14.1.txz: Upgraded. This release fixes bugs and security issues. For more information, see:...

subversion -- multiple vulnerabilities

Subversion project reports: svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a...

[slackware-security] php

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: patches/packages/php-5.6.20-i486-1slack14.1.txz: Upgraded. This release fixes bugs and security issues. For more information, see:...

Amazon Linux AMI : mod_dav_svn / subversion (ALAS-2016-676)

It was found that when an SVN server both svnserve and httpd with the moddavsvn module searched the history of a file or a directory, it would disclose its location in the repository if that file or directory was not readable for example, if it had been moved. CVE-2015-3187 An integer overflow wa...

Moderate: Red Hat Security Advisory: rh-php56-php security update

Updated rh-php56-php packages that fix multiple security issues are now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System CVSS base scores, which give detailed severity ratings, are...

Apache Subversion mod_dav_svn Integer Overflow (CVE-2015-5343)

Heap overflow and out-of-bounds read vulnerabilities have been reported in the moddavsvn of Apache Subversion web servers. These vulnerabilities are caused by an integer overflow when parsing certain encoded requests. A remote, authenticated attacker could exploit this vulnerability by sending...

[slackware-security] php

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: patches/packages/php-5.6.19-i486-1slack14.1.txz: Upgraded. This release fixes bugs and security issues. For more information, see:...

[slackware-security] php

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: patches/packages/php-5.6.18-i486-1slack14.1.txz: Upgraded. This release fixes bugs and security issues. For more information, see:...

Apache Httpd < 2.2.32 : Apache HTTP Request Parsing Whitespace Defects

Apache HTTP Server, prior to release 2.4.25 and 2.2.32, accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines...

Netgear RP614v3 Authentication Bypass

Vendor : NETGEAR Product : RP614v3 informed on : 12. 10. 2015 responded : no fixed : no Effect : Remotely exploitable over LAN/WLAN Typ : Authentication Bypass Difficulty : trivial The N300 FW authentication bypass inspired me to check my rp614v3 router and I found this bypass: Firmware:...

Oracle: Security Advisory (ELSA-2015-1666)

The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Oracle: Security Advisory (ELSA-2014-1972)

The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

httpd24-httpd security and bug fix update

2.4.6-22.0.1.el6 - remove enable-tlsv1x-thunks to fit openssl 1.x api - replace index.html with Oracle's index page oracleindex.html - update vstring in specfile 2.4.6-22 - Remove modproxyfcgi fix for heap-based buffer overflow, httpd-2.4.6 is not affected CVE-2014-3583 2.4.6-21 - modproxywstunne...

Apache Httpd < 2.4.20 : mod_http2: denial of service by thread starvation

By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams where processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18...