svn commit: r544381 - head/security/vuxml
Bernard Spil
brnrd at FreeBSD.org
Sat Aug 8 09:53:50 UTC 2020
Author: brnrd
Date: Sat Aug 8 09:53:49 2020
New Revision: 544381
URL: https://svnweb.freebsd.org/changeset/ports/544381
Log:
security/vuxml: Add Apache httpd vulnerabilities
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Aug 8 09:52:48 2020 (r544380)
+++ head/security/vuxml/vuln.xml Sat Aug 8 09:53:49 2020 (r544381)
@@ -58,6 +58,49 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="76700d2f-d959-11ea-b53c-d4c9ef517024">
+ <topic>Apache httpd -- Multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>apache24</name>
+ <range><lt>2.4.46</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Apache httpd projec reports:</p>
+ <blockquote cite="https://downloads.apache.org/httpd/CHANGES_2.4.46">
+ <ul>
+ <li>mod_http2: Important: Push Diary Crash on Specifically
+ Crafted HTTP/2 Header (CVE-2020-9490)<br/>
+ A specially crafted value for the 'Cache-Digest' header in a HTTP/2
+ request would result in a crash when the server actually tries to
+ HTTP/2 PUSH a resource afterwards.</li>
+ <li>mod_proxy_uwsgi: Moderate: mod_proxy_uwsgi buffer overflow
+ (CVE-2020-11984)<br/>
+ info disclosure and possible RCE</li>
+ <li>mod_http2: Moderate: Push Diary Crash on Specifically Crafted
+ HTTP/2 Header (CVE-2020-11993)<br/>
+ When trace/debug was enabled for the HTTP/2 module and on certain
+ traffic edge patterns, logging statements were made on the wrong
+ connection, causing concurrent use of memory pools.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.apache.org/httpd/CHANGES_2.4.46</url>
+ <url>https://httpd.apache.org/security/vulnerabilities_24.html</url>
+ <cvename>CVE-2020-9490</cvename>
+ <cvename>CVE-2020-11984</cvename>
+ <cvename>CVE-2020-11993</cvename>
+ </references>
+ <dates>
+ <discovery>2020-08-07</discovery>
+ <entry>2020-08-08</entry>
+ </dates>
+ </vuln>
+
<vuln vid="bc7aff8c-d806-11ea-a5aa-0800272260e5">
<topic>go -- encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs</topic>
<affects>
More information about the svn-ports-all
mailing list