CVE-2015-3185 (GCVE-0-2015-3185)
Vulnerability from cvelistv5 – Published: 2015-07-20 23:00 – Updated: 2024-08-06 05:39- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:31.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2015:1684",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708"
},
{
"name": "RHSA-2015:1667",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1667.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/HT205217"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.apache.org/dist/httpd/CHANGES_2.4"
},
{
"name": "APPLE-SA-2015-09-16-2",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
},
{
"name": "RHSA-2017:2709",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2709"
},
{
"name": "RHSA-2015:1666",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1666.html"
},
{
"name": "1032967",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1032967"
},
{
"name": "USN-2686-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2686-1"
},
{
"name": "APPLE-SA-2015-08-13-2",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"
},
{
"name": "75965",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/75965"
},
{
"name": "DSA-3325",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3325"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT205031"
},
{
"name": "RHSA-2017:2710",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2710"
},
{
"name": "APPLE-SA-2015-09-16-4",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/HT205219"
},
{
"name": "RHSA-2017:2708",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2708"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [9/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-07-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:12:19.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "openSUSE-SU-2015:1684",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708"
},
{
"name": "RHSA-2015:1667",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1667.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/HT205217"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.apache.org/dist/httpd/CHANGES_2.4"
},
{
"name": "APPLE-SA-2015-09-16-2",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
},
{
"name": "RHSA-2017:2709",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2709"
},
{
"name": "RHSA-2015:1666",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1666.html"
},
{
"name": "1032967",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1032967"
},
{
"name": "USN-2686-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-2686-1"
},
{
"name": "APPLE-SA-2015-08-13-2",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"
},
{
"name": "75965",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/75965"
},
{
"name": "DSA-3325",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3325"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT205031"
},
{
"name": "RHSA-2017:2710",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2710"
},
{
"name": "APPLE-SA-2015-09-16-4",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/HT205219"
},
{
"name": "RHSA-2017:2708",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2708"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [9/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3185",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2015:1684",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html"
},
{
"name": "http://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "CONFIRM",
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708",
"refsource": "CONFIRM",
"url": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708"
},
{
"name": "RHSA-2015:1667",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1667.html"
},
{
"name": "https://support.apple.com/HT205217",
"refsource": "CONFIRM",
"url": "https://support.apple.com/HT205217"
},
{
"name": "http://www.apache.org/dist/httpd/CHANGES_2.4",
"refsource": "CONFIRM",
"url": "http://www.apache.org/dist/httpd/CHANGES_2.4"
},
{
"name": "APPLE-SA-2015-09-16-2",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
},
{
"name": "RHSA-2017:2709",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2709"
},
{
"name": "RHSA-2015:1666",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1666.html"
},
{
"name": "1032967",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1032967"
},
{
"name": "USN-2686-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-2686-1"
},
{
"name": "APPLE-SA-2015-08-13-2",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"
},
{
"name": "75965",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/75965"
},
{
"name": "DSA-3325",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3325"
},
{
"name": "RHSA-2016:2957",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"name": "https://support.apple.com/kb/HT205031",
"refsource": "CONFIRM",
"url": "https://support.apple.com/kb/HT205031"
},
{
"name": "RHSA-2017:2710",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2710"
},
{
"name": "APPLE-SA-2015-09-16-4",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html"
},
{
"name": "https://support.apple.com/HT205219",
"refsource": "CONFIRM",
"url": "https://support.apple.com/HT205219"
},
{
"name": "RHSA-2017:2708",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2708"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73",
"refsource": "CONFIRM",
"url": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [9/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3185",
"datePublished": "2015-07-20T23:00:00.000Z",
"dateReserved": "2015-04-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T05:39:31.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2015-3185",
"date": "2026-06-19",
"epss": "0.18795",
"percentile": "0.96917"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"B5A6F2F3-4894-4392-8296-3B8DD2679084\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F38D3B7E-8429-473F-BB31-FC3583EE5A5B\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BDC40E89-2D57-4988-913E-024BFB56B367\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6FCD3C8C-9BF8-4F30-981A-593EEAEB9EDD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"046487A3-752B-4D0F-8984-96486B828EAB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"89D2E052-51CD-4B57-A8B8-FAE51988D654\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EAA27058-BACF-4F94-8E3C-7D38EC302EC1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8FEAB0DF-04A9-4F99-8666-0BADC5D642B8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E7D924D1-8A36-4C43-9E56-52814F9A6350\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DFA089AB-AF28-4AE1-AE39-6D1B8192A3DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": 
\"39CDFECC-E26D-47E0-976F-6629040B3764\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E3ECBCB1-0675-41F5-857B-438F36925F63\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CB6CBFBF-74F6-42AF-BC79-AA53EA75F00B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:http_server:2.4.13:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EF77159D-505A-475C-A137-4F89D4769B8F\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7344422F-F65A-4000-A9EF-8D323DA29011\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E8B0A12E-E122-4189-A05E-4FEA43C19876\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x_server:5.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8ACDF399-AE56-4130-8686-F8E4C9014DD9\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad en la funci\\u00f3n ap_some_auth_required en ap_some_auth_required del Servidor HTTP Apache en su versi\\u00f3n 2.4.x anteriores a la 2.4.14 no considera que una directiva Require puede estar asociada con el establecimiento de una autorizaci\\u00f3n en lugar de un ajuste de autenticaci\\u00f3n lo cual permite a atacantes remotos evadir las restricciones destinadas al acceso en circunstancias oportunas mediante el aprovechamiento de la presencia de un m\\u00f3dulo que se basa en el comportamiento en la API 2.2.\"}]",
"id": "CVE-2015-3185",
"lastModified": "2024-11-21T02:28:51.297",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2015-07-20T23:59:03.770",
"references": "[{\"url\": \"http://httpd.apache.org/security/vulnerabilities_24.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1666.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1667.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2957.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.apache.org/dist/httpd/CHANGES_2.4\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.debian.org/security/2015/dsa-3325\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/75965\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securitytracker.com/id/1032967\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.ubuntu.com/usn/USN-2686-1\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2708\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2709\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2710\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73\", \"source\": 
\"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": 
\"https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://support.apple.com/HT205217\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://support.apple.com/HT205219\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://support.apple.com/kb/HT205031\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://httpd.apache.org/security/vulnerabilities_24.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1666.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1667.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2957.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.apache.org/dist/httpd/CHANGES_2.4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"http://www.debian.org/security/2015/dsa-3325\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/75965\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1032967\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.ubuntu.com/usn/USN-2686-1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2708\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2709\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2710\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E\", 
\"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://support.apple.com/HT205217\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://support.apple.com/HT205219\", \"source\": 
\"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://support.apple.com/kb/HT205031\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2015-3185\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-07-20T23:59:03.770\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad en la funci\u00f3n ap_some_auth_required en ap_some_auth_required del Servidor HTTP Apache en su versi\u00f3n 2.4.x anteriores a la 2.4.14 no considera que una directiva Require puede estar asociada con el establecimiento de una autorizaci\u00f3n en lugar de un ajuste de autenticaci\u00f3n lo cual permite a atacantes remotos evadir las restricciones destinadas al acceso en circunstancias oportunas mediante el aprovechamiento de la presencia de un m\u00f3dulo que se basa en el comportamiento en la API 
2.2.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"B5A6F2F3-4894-4392-8296-3B8DD2679084\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F38D3B7E-8429-473F-BB31-FC3583EE5A5B\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDC40E89-2D57-4988-913E-024BFB56B367\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6FCD3C8C-9BF8-4F30-981A-593EEAEB9EDD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"046487A3-752B-4D0F-8984-96486B828EAB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"89D2E052-51CD-4B57-A8B8-FAE51988D654\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_s
erver:2.4.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EAA27058-BACF-4F94-8E3C-7D38EC302EC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8FEAB0DF-04A9-4F99-8666-0BADC5D642B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7D924D1-8A36-4C43-9E56-52814F9A6350\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DFA089AB-AF28-4AE1-AE39-6D1B8192A3DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"39CDFECC-E26D-47E0-976F-6629040B3764\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3ECBCB1-0675-41F5-857B-438F36925F63\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CB6CBFBF-74F6-42AF-BC79-AA53EA75F00B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF77159D-505A-475C-A137-4F89D4769B8F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7344422F-F65A-4000-A9EF-8D323DA29011\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E8B0A12E-E122-4189-A05E-4FEA43C19876\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x_server:5.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8ACDF399-AE56-4130-8686-F8E4C9014DD9\"}]}]}],\"references\":[{\"url\":\"http://httpd.apache.org/security/vulnerabilities_24.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1666.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1667.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2957.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.apache.org/dist/httpd/CHANGES_2.4\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.debian.org/security/2015/dsa-3325\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/75965\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securitytracker.com/id/1032967\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2686-1\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2708\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2709\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2710\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thr
ead.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E\",
\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://support.apple.com/HT205217\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://support.apple.com/HT205219\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://support.apple.com/kb/HT205031\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://httpd.apache.org/security/vulnerabilities_24.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1666.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1667.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2957.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.apache.org/dist/httpd/CHANGES_2.4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2015/dsa-3325\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/75965\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1032967\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2686-1\",\"so
urce\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2708\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2709\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2710\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da
2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.apple.com/HT205217\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.apple.com/HT205219\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.apple.com/kb/HT205031\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
RHSA-2017_2708
Vulnerability from csaf_redhat - Published: 2017-09-13 16:37 - Updated: 2024-11-14 23:37

It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)
CWE-287 - Improper Authentication

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Core Services 1<br>Red Hat / Red Hat JBoss Core Services | cpe:/a:redhat:jboss_core_services:1 | — | Vendor Fix<br>fix |
A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Core Services 1<br>Red Hat / Red Hat JBoss Core Services | cpe:/a:redhat:jboss_core_services:1 | — | Vendor Fix<br>fix<br>Workaround |
It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Core Services 1<br>Red Hat / Red Hat JBoss Core Services | cpe:/a:redhat:jboss_core_services:1 | — | Vendor Fix<br>fix<br>Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Core Services.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2 serves as an update for Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was discovered that the httpd\u0027s mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)\n\n* It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)\n\n* A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)\n\nRed Hat would like to thank OpenVPN for reporting CVE-2016-2183. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Ga\u00ebtan Leurent (Inria) as the original reporters of CVE-2016-2183.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2708",
"url": "https://access.redhat.com/errata/RHSA-2017:2708"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp\u0026downloadType=securityPatches\u0026version=2.4.23",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp\u0026downloadType=securityPatches\u0026version=2.4.23"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-core-services/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-core-services/"
},
{
"category": "external",
"summary": "1243888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243888"
},
{
"category": "external",
"summary": "1369383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1369383"
},
{
"category": "external",
"summary": "1470748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1470748"
},
{
"category": "external",
"summary": "JBCS-329",
"url": "https://issues.redhat.com/browse/JBCS-329"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2708.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Core Services security update",
"tracking": {
"current_release_date": "2024-11-14T23:37:47+00:00",
"generator": {
"date": "2024-11-14T23:37:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2708",
"initial_release_date": "2017-09-13T16:37:52+00:00",
"revision_history": [
{
"date": "2017-09-13T16:37:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-13T16:37:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Core Services 1",
"product": {
"name": "Red Hat JBoss Core Services 1",
"product_id": "Red Hat JBoss Core Services 1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_core_services:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Core Services"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3185",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2015-07-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1243888"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Core Services 1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-3185"
},
{
"category": "external",
"summary": "RHBZ#1243888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-3185",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3185"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3185",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3185"
},
{
"category": "external",
"summary": "http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16",
"url": "http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16"
}
],
"release_date": "2015-07-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T16:37:52+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Core Services 1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2708"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss Core Services 1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4"
},
{
"acknowledgments": [
{
"names": [
"OpenVPN"
]
},
{
"names": [
"Karthikeyan Bhargavan",
"Ga\u00ebtan Leurent"
],
"organization": "Inria",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2016-2183",
"cwe": {
"id": "CWE-327",
"name": "Use of a Broken or Risky Cryptographic Algorithm"
},
"discovery_date": "2016-08-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1369383"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenSSL security update RHSA-2016:1940 mitigates this issue by lowering priority of DES cipher suites so they are not preferred over cipher suites using AES. For compatibility reasons, DES cipher suites remain enabled by default and included in the set of cipher suites identified by the HIGH cipher string. Future updates may move them to MEDIUM or not enable them by default.\n\nNSS addressed this issue by implementing limits on the amount of plain text which can be encrypted by using the same key. Once the limit is reached, the keys will need to be re-negotiated manually. This change will be available in nss-3.27.\n\nGnuTLS is not affected by this issue, since it prioritizes AES before 3DES in the cipher list.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Core Services 1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-2183"
},
{
"category": "external",
"summary": "RHBZ#1369383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1369383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-2183",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/2548661",
"url": "https://access.redhat.com/articles/2548661"
},
{
"category": "external",
"summary": "https://access.redhat.com/errata/RHSA-2016:1940",
"url": "https://access.redhat.com/errata/RHSA-2016:1940"
},
{
"category": "external",
"summary": "https://sweet32.info/",
"url": "https://sweet32.info/"
}
],
"release_date": "2016-08-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T16:37:52+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Core Services 1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2708"
},
{
"category": "workaround",
"details": "1. SSL/TLS configurations should prefer AES over DES. Versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7 already do so. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 3DES is listed below the AES-256 cipher and above the AES-128 cipher, therefore AES-256 based ciphersuites should not be disabled on the server.\n2. Servers using OpenSSL should not disable AES-128 and AES-256 ciphersuites. Versions of Apache shipped with Red Hat Enterprise Linux use the default cipher string, in which AES is preferred over DES/3DES based ciphersuites.\n\nFor JBoss Middleware and Java mitigations, please review this knowledge base article:\n\nhttps://access.redhat.com/articles/2598471\n\nThis can be mitigated on OpenShift Container Platform (OCP) by disabling the vulnerable TLS cipher suite in the applicable component. TLS configuration options for OCP are described here:\n\nhttps://access.redhat.com/articles/5348961",
"product_ids": [
"Red Hat JBoss Core Services 1"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Core Services 1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)"
},
{
"cve": "CVE-2017-9788",
"cwe": {
"id": "CWE-456",
"name": "Missing Initialization of a Variable"
},
"discovery_date": "2017-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1470748"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the httpd\u0027s mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "httpd: Uninitialized memory reflection in mod_auth_digest",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Core Services 1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-9788"
},
{
"category": "external",
"summary": "RHBZ#1470748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1470748"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-9788",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-9788"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-9788",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9788"
},
{
"category": "external",
"summary": "https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34",
"url": "https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34"
},
{
"category": "external",
"summary": "https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27"
}
],
"release_date": "2017-07-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T16:37:52+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Core Services 1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2708"
},
{
"category": "workaround",
"details": "If you do not use digest authentication, do not load the \"auth_digest_module\".\n\nFor example, on RHEL 7, this can be done by commenting out or removing the\n\"LoadModule auth_digest_module modules/mod_auth_digest.so\"\nline within the /etc/httpd/conf.modules.d/00-base.conf configuration file and restarting the service.\n\nYou can then use the \"httpd -t -D DUMP_MODULES\" command to verify that the module is no longer loaded.",
"product_ids": [
"Red Hat JBoss Core Services 1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss Core Services 1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "httpd: Uninitialized memory reflection in mod_auth_digest"
}
]
}
RHSA-2017_2709
Vulnerability from csaf_redhat - Published: 2017-09-13 16:48 - Updated: 2024-11-14 23:37

It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)

CWE-287 - Improper Authentication

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
It was discovered that httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause an httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for JBoss Core Services on Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2 serves as an update for Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was discovered that the httpd\u0027s mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)\n\n* It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)\n\n* A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)\n\nRed Hat would like to thank OpenVPN for reporting CVE-2016-2183. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Ga\u00ebtan Leurent (Inria) as the original reporters of CVE-2016-2183.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2709",
"url": "https://access.redhat.com/errata/RHSA-2017:2709"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-core-services/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-core-services/"
},
{
"category": "external",
"summary": "1243888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243888"
},
{
"category": "external",
"summary": "1369383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1369383"
},
{
"category": "external",
"summary": "1470748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1470748"
},
{
"category": "external",
"summary": "JBCS-329",
"url": "https://issues.redhat.com/browse/JBCS-329"
},
{
"category": "external",
"summary": "JBCS-336",
"url": "https://issues.redhat.com/browse/JBCS-336"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2709.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Core Services security update",
"tracking": {
"current_release_date": "2024-11-14T23:37:19+00:00",
"generator": {
"date": "2024-11-14T23:37:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2709",
"initial_release_date": "2017-09-13T16:48:46+00:00",
"revision_history": [
{
"date": "2017-09-13T16:48:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-13T16:48:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Core Services on RHEL 7 Server",
"product": {
"name": "Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_core_services:1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Core Services"
},
{
"branches": [
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-static@1.0.2h-14.jbcs.el7?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-libs@1.0.2h-14.jbcs.el7?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-perl@1.0.2h-14.jbcs.el7?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl@1.0.2h-14.jbcs.el7?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-devel@1.0.2h-14.jbcs.el7?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-debuginfo@1.0.2h-14.jbcs.el7?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_session@2.4.23-122.jbcs.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-libs@2.4.23-122.jbcs.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_ssl@2.4.23-122.jbcs.el7?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-tools@2.4.23-122.jbcs.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_ldap@2.4.23-122.jbcs.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_proxy_html@2.4.23-122.jbcs.el7?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-selinux@2.4.23-122.jbcs.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-debuginfo@2.4.23-122.jbcs.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd@2.4.23-122.jbcs.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"product_id": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-devel@2.4.23-122.jbcs.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"product": {
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"product_id": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl@1.0.2h-14.jbcs.el7?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"product": {
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"product_id": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd@2.4.23-122.jbcs.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"product": {
"name": "jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"product_id": "jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-manual@2.4.23-122.jbcs.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src"
},
"product_reference": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch"
},
"product_reference": "jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src"
},
"product_reference": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server",
"product_id": "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64",
"relates_to_product_reference": "7Server-JBCS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3185",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2015-07-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1243888"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-3185"
},
{
"category": "external",
"summary": "RHBZ#1243888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-3185",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3185"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3185",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3185"
},
{
"category": "external",
"summary": "http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16",
"url": "http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16"
}
],
"release_date": "2015-07-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T16:48:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.",
"product_ids": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2709"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4"
},
{
"acknowledgments": [
{
"names": [
"OpenVPN"
]
},
{
"names": [
"Karthikeyan Bhargavan",
"Ga\u00ebtan Leurent"
],
"organization": "Inria",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2016-2183",
"cwe": {
"id": "CWE-327",
"name": "Use of a Broken or Risky Cryptographic Algorithm"
},
"discovery_date": "2016-08-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1369383"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between a TLS/SSL server and client if the communication used a DES/3DES based ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenSSL security update RHSA-2016:1940 mitigates this issue by lowering priority of DES cipher suites so they are not preferred over cipher suites using AES. For compatibility reasons, DES cipher suites remain enabled by default and included in the set of cipher suites identified by the HIGH cipher string. Future updates may move them to MEDIUM or not enable them by default.\n\nNSS addressed this issue by implementing limits on the amount of plain text which can be encrypted by using the same key. Once the limit is reached, the keys will need to be re-negotiated manually. This change will be available in nss-3.27.\n\nGnuTLS is not affected by this issue, since it prioritizes AES before 3DES in the cipher list.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-2183"
},
{
"category": "external",
"summary": "RHBZ#1369383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1369383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-2183",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/2548661",
"url": "https://access.redhat.com/articles/2548661"
},
{
"category": "external",
"summary": "https://access.redhat.com/errata/RHSA-2016:1940",
"url": "https://access.redhat.com/errata/RHSA-2016:1940"
},
{
"category": "external",
"summary": "https://sweet32.info/",
"url": "https://sweet32.info/"
}
],
"release_date": "2016-08-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T16:48:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.",
"product_ids": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2709"
},
{
"category": "workaround",
"details": "1. SSL/TLS configurations should prefer AES over DES. Versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7 already do so. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 3DES is listed below the AES-256 cipher and above the AES-128 cipher; therefore, AES-256 based ciphersuites should not be disabled on the server.\n2. Servers using OpenSSL should not disable AES-128 and AES-256 ciphersuites. Versions of Apache shipped with Red Hat Enterprise Linux use the default cipher string, in which AES is preferred over DES/3DES based ciphersuites.\n\nFor JBoss Middleware and Java mitigations, please review this knowledge base article:\n\nhttps://access.redhat.com/articles/2598471\n\nThis can be mitigated on OpenShift Container Platform (OCP) by disabling the vulnerable TLS cipher suite in the applicable component. TLS configuration options for OCP are described here:\n\nhttps://access.redhat.com/articles/5348961",
"product_ids": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)"
},
{
"cve": "CVE-2017-9788",
"cwe": {
"id": "CWE-456",
"name": "Missing Initialization of a Variable"
},
"discovery_date": "2017-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1470748"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that httpd\u0027s mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause an httpd child process to crash by sending specially crafted requests to a server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "httpd: Uninitialized memory reflection in mod_auth_digest",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-9788"
},
{
"category": "external",
"summary": "RHBZ#1470748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1470748"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-9788",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-9788"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-9788",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9788"
},
{
"category": "external",
"summary": "https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34",
"url": "https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34"
},
{
"category": "external",
"summary": "https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27"
}
],
"release_date": "2017-07-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T16:48:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.",
"product_ids": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2709"
},
{
"category": "workaround",
"details": "If you do not use digest authentication, do not load the \"auth_digest_module\".\n\nFor example, on RHEL 7, this can be done by commenting out or removing the\n\"LoadModule auth_digest_module modules/mod_auth_digest.so\"\nline within the /etc/httpd/conf.modules.d/00-base.conf configuration file and restarting the service.\n\nYou can then use the \"httpd -t -D DUMP_MODULES\" command to verify that the module is no longer loaded.",
"product_ids": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"products": [
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el7.noarch",
"7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.src",
"7Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7.x86_64",
"7Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "httpd: Uninitialized memory reflection in mod_auth_digest"
}
]
}
RHSA-2017_2710
Vulnerability from csaf_redhat - Published: 2017-09-13 16:49 - Updated: 2024-11-14 23:37

It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)

CWE-287 - Improper Authentication

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
|

A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between a TLS/SSL server and client if the communication used a DES/3DES-based ciphersuite. (CVE-2016-2183)

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|

It was discovered that httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause an httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for JBoss Core Services on Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2 serves as an update for Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was discovered that the httpd\u0027s mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)\n\n* It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)\n\n* A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)\n\nRed Hat would like to thank OpenVPN for reporting CVE-2016-2183. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Ga\u00ebtan Leurent (Inria) as the original reporters of CVE-2016-2183.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2710",
"url": "https://access.redhat.com/errata/RHSA-2017:2710"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-core-services/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-core-services/"
},
{
"category": "external",
"summary": "1243888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243888"
},
{
"category": "external",
"summary": "1369383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1369383"
},
{
"category": "external",
"summary": "1470748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1470748"
},
{
"category": "external",
"summary": "JBCS-329",
"url": "https://issues.redhat.com/browse/JBCS-329"
},
{
"category": "external",
"summary": "JBCS-337",
"url": "https://issues.redhat.com/browse/JBCS-337"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2710.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Core Services security update",
"tracking": {
"current_release_date": "2024-11-14T23:37:15+00:00",
"generator": {
"date": "2024-11-14T23:37:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2710",
"initial_release_date": "2017-09-13T16:49:04+00:00",
"revision_history": [
{
"date": "2017-09-13T16:49:04+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-13T16:49:04+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Core Services on RHEL 6 Server",
"product": {
"name": "Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_core_services:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Core Services"
},
{
"branches": [
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-static@1.0.2h-14.jbcs.el6?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-libs@1.0.2h-14.jbcs.el6?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-perl@1.0.2h-14.jbcs.el6?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl@1.0.2h-14.jbcs.el6?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-debuginfo@1.0.2h-14.jbcs.el6?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-devel@1.0.2h-14.jbcs.el6?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-debuginfo@2.4.23-122.jbcs.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_session@2.4.23-122.jbcs.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_ldap@2.4.23-122.jbcs.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_ssl@2.4.23-122.jbcs.el6?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-libs@2.4.23-122.jbcs.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-tools@2.4.23-122.jbcs.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_proxy_html@2.4.23-122.jbcs.el6?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-selinux@2.4.23-122.jbcs.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd@2.4.23-122.jbcs.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"product": {
"name": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"product_id": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-devel@2.4.23-122.jbcs.el6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"product_id": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-static@1.0.2h-14.jbcs.el6?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"product_id": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-libs@1.0.2h-14.jbcs.el6?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"product_id": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-perl@1.0.2h-14.jbcs.el6?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"product_id": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl@1.0.2h-14.jbcs.el6?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"product_id": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-debuginfo@1.0.2h-14.jbcs.el6?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"product_id": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl-devel@1.0.2h-14.jbcs.el6?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"product_id": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-debuginfo@2.4.23-122.jbcs.el6?arch=i686"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"product_id": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_session@2.4.23-122.jbcs.el6?arch=i686"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"product_id": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_ldap@2.4.23-122.jbcs.el6?arch=i686"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"product_id": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_ssl@2.4.23-122.jbcs.el6?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"product_id": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-libs@2.4.23-122.jbcs.el6?arch=i686"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"product_id": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-tools@2.4.23-122.jbcs.el6?arch=i686"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"product_id": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-mod_proxy_html@2.4.23-122.jbcs.el6?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"product_id": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-selinux@2.4.23-122.jbcs.el6?arch=i686"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"product_id": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd@2.4.23-122.jbcs.el6?arch=i686"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"product": {
"name": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"product_id": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-devel@2.4.23-122.jbcs.el6?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"product": {
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"product_id": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-openssl@1.0.2h-14.jbcs.el6?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"product": {
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"product_id": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd@2.4.23-122.jbcs.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"product": {
"name": "jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"product_id": "jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jbcs-httpd24-httpd-manual@2.4.23-122.jbcs.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src"
},
"product_reference": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch"
},
"product_reference": "jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src"
},
"product_reference": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686"
},
"product_reference": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"relates_to_product_reference": "6Server-JBCS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64 as a component of Red Hat JBoss Core Services on RHEL 6 Server",
"product_id": "6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
},
"product_reference": "jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64",
"relates_to_product_reference": "6Server-JBCS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3185",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2015-07-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1243888"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-3185"
},
{
"category": "external",
"summary": "RHBZ#1243888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-3185",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3185"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3185",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3185"
},
{
"category": "external",
"summary": "http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16",
"url": "http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16"
}
],
"release_date": "2015-07-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T16:49:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.",
"product_ids": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2710"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4"
},
{
"acknowledgments": [
{
"names": [
"OpenVPN"
]
},
{
"names": [
"Karthikeyan Bhargavan",
"Ga\u00ebtan Leurent"
],
"organization": "Inria",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2016-2183",
"cwe": {
"id": "CWE-327",
"name": "Use of a Broken or Risky Cryptographic Algorithm"
},
"discovery_date": "2016-08-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1369383"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between a TLS/SSL server and client if the communication used a DES/3DES-based ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenSSL security update RHSA-2016:1940 mitigates this issue by lowering priority of DES cipher suites so they are not preferred over cipher suites using AES. For compatibility reasons, DES cipher suites remain enabled by default and included in the set of cipher suites identified by the HIGH cipher string. Future updates may move them to MEDIUM or not enable them by default.\n\nNSS addressed this issue by implementing limits on the amount of plain text which can be encrypted by using the same key. Once the limit is reached, the keys will need to be re-negotiated manually. This change will be available in nss-3.27.\n\nGnuTLS is not affected by this issue, since it prioritizes AES before 3DES in the cipher list.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-2183"
},
{
"category": "external",
"summary": "RHBZ#1369383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1369383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-2183",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/2548661",
"url": "https://access.redhat.com/articles/2548661"
},
{
"category": "external",
"summary": "https://access.redhat.com/errata/RHSA-2016:1940",
"url": "https://access.redhat.com/errata/RHSA-2016:1940"
},
{
"category": "external",
"summary": "https://sweet32.info/",
"url": "https://sweet32.info/"
}
],
"release_date": "2016-08-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T16:49:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.",
"product_ids": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2710"
},
{
"category": "workaround",
"details": "1. SSL/TLS configurations should prefer AES over DES. Versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7 already do so. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 3DES is listed below the AES-256 cipher and above the AES-128 cipher; therefore, AES-256 based ciphersuites should not be disabled on the server.\n2. Servers using OpenSSL should not disable AES-128 and AES-256 ciphersuites. Versions of Apache shipped with Red Hat Enterprise Linux use the default cipher string, in which AES is preferred over DES/3DES based ciphersuites.\n\nFor JBoss Middleware, and Java mitigations, please review this knowledge base article:\n\nhttps://access.redhat.com/articles/2598471\n\nThis can be mitigated on OpenShift Container Platform (OCP) by disabling the vulnerable TLS cipher suite in the applicable component. TLS configuration options for OCP are described here:\n\nhttps://access.redhat.com/articles/5348961",
"product_ids": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)"
},
{
"cve": "CVE-2017-9788",
"cwe": {
"id": "CWE-456",
"name": "Missing Initialization of a Variable"
},
"discovery_date": "2017-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1470748"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that httpd\u0027s mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause an httpd child process to crash by sending specially crafted requests to a server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "httpd: Uninitialized memory reflection in mod_auth_digest",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-9788"
},
{
"category": "external",
"summary": "RHBZ#1470748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1470748"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-9788",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-9788"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-9788",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9788"
},
{
"category": "external",
"summary": "https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34",
"url": "https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34"
},
{
"category": "external",
"summary": "https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27"
}
],
"release_date": "2017-07-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T16:49:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.",
"product_ids": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2710"
},
{
"category": "workaround",
"details": "If you do not use digest authentication, do not load the \"auth_digest_module\".\n\nFor example, on RHEL 7, this can be done by commenting out or removing the\n\"LoadModule auth_digest_module modules/mod_auth_digest.so\"\nline within the /etc/httpd/conf.modules.d/00-base.conf configuration file and restarting the service.\n\nYou can then use the \"httpd -t -D DUMP_MODULES\" command to verify that the module is no longer loaded.",
"product_ids": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"products": [
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-libs-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.23-122.jbcs.el6.noarch",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_session-0:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.23-122.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.src",
"6Server-JBCS:jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6.x86_64",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.i686",
"6Server-JBCS:jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "httpd: Uninitialized memory reflection in mod_auth_digest"
}
]
}
SUSE-SU-2015:1851-1
Vulnerability from csaf_suse - Published: 2015-10-22 09:19 - Updated: 2015-10-22 09:19

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThe Apache2 webserver was updated to fix several issues:\n\nSecurity issues fixed:\n- The chunked transfer coding implementation in the Apache HTTP Server\n did not properly parse chunk headers, which allowed remote attackers to\n conduct HTTP request smuggling attacks via a crafted request, related\n to mishandling of large chunk-size values and invalid chunk-extension\n characters in modules/http/http_filters.c. [bsc#938728, CVE-2015-3183]\n- The LOGJAM security issue was addressed by: [bnc#931723 CVE-2015-4000]\n * changing the SSLCipherSuite cipherstring to disable export cipher\n suites and deploy Ephemeral Elliptic-Curve Diffie-Hellman (ECDHE)\n ciphers.\n * Adjust \u0027gensslcert\u0027 script to generate a strong and unique Diffie\n Hellman Group and append it to the server certificate file.\n- The ap_some_auth_required function in server/request.c in the Apache\n HTTP Server 2.4.x did not consider that a Require directive may be\n associated with an authorization setting rather than an authentication\n setting, which allowed remote attackers to bypass intended access\n restrictions in opportunistic circumstances by leveraging the presence\n of a module that relies on the 2.2 API behavior.\n [bnc#938723 bnc#939516 CVE-2015-3185]\n- Tomcat mod_jk information leak due to incorrect JkMount/JkUnmount\n directives processing [bnc#927845 CVE-2014-8111] \n\nOther bugs fixed:\n- Now provides a suse_maintenance_mmn_# [bnc#915666].\n- Hardcoded modules in the %files [bnc#444878].\n- Fixed the IfModule directive around SSLSessionCache [bnc#911159].\n- allow only TCP ports in Yast2 firewall files [bnc#931002]\n- fixed a regression when some LDAP searches or comparisons might be done \n with the wrong credentials when a backend connection is reused\n [bnc#930228]\n- Fixed split-logfile2 script [bnc#869790]\n- remove the changed MODULE_MAGIC_NUMBER_MINOR from which confuses\n modules the way that they expect functionality that our apache does\n not provide [bnc#915666]\n- gensslcert: CN now defaults to `hostname -f` [bnc#949766], fix\n help [bnc#949771]\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-SDK-12-2015-772,SUSE-SLE-SERVER-12-2015-772,SUSE-Storage-1.0-2015-772",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2015_1851-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2015:1851-1",
"url": "https://www.suse.com/support/update/announcement/2015/suse-su-20151851-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2015:1851-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2015-October/001653.html"
},
{
"category": "self",
"summary": "SUSE Bug 444878",
"url": "https://bugzilla.suse.com/444878"
},
{
"category": "self",
"summary": "SUSE Bug 869790",
"url": "https://bugzilla.suse.com/869790"
},
{
"category": "self",
"summary": "SUSE Bug 911159",
"url": "https://bugzilla.suse.com/911159"
},
{
"category": "self",
"summary": "SUSE Bug 915666",
"url": "https://bugzilla.suse.com/915666"
},
{
"category": "self",
"summary": "SUSE Bug 927845",
"url": "https://bugzilla.suse.com/927845"
},
{
"category": "self",
"summary": "SUSE Bug 930228",
"url": "https://bugzilla.suse.com/930228"
},
{
"category": "self",
"summary": "SUSE Bug 931002",
"url": "https://bugzilla.suse.com/931002"
},
{
"category": "self",
"summary": "SUSE Bug 931723",
"url": "https://bugzilla.suse.com/931723"
},
{
"category": "self",
"summary": "SUSE Bug 938723",
"url": "https://bugzilla.suse.com/938723"
},
{
"category": "self",
"summary": "SUSE Bug 938728",
"url": "https://bugzilla.suse.com/938728"
},
{
"category": "self",
"summary": "SUSE Bug 939516",
"url": "https://bugzilla.suse.com/939516"
},
{
"category": "self",
"summary": "SUSE Bug 949766",
"url": "https://bugzilla.suse.com/949766"
},
{
"category": "self",
"summary": "SUSE Bug 949771",
"url": "https://bugzilla.suse.com/949771"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2014-8111 page",
"url": "https://www.suse.com/security/cve/CVE-2014-8111/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-3183 page",
"url": "https://www.suse.com/security/cve/CVE-2015-3183/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-3185 page",
"url": "https://www.suse.com/security/cve/CVE-2015-3185/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-4000 page",
"url": "https://www.suse.com/security/cve/CVE-2015-4000/"
}
],
"title": "Security update for apache2",
"tracking": {
"current_release_date": "2015-10-22T09:19:23Z",
"generator": {
"date": "2015-10-22T09:19:23Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2015:1851-1",
"initial_release_date": "2015-10-22T09:19:23Z",
"revision_history": [
{
"date": "2015-10-22T09:19:23Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache2-doc-2.4.10-14.10.1.noarch",
"product": {
"name": "apache2-doc-2.4.10-14.10.1.noarch",
"product_id": "apache2-doc-2.4.10-14.10.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "apache2-devel-2.4.10-14.10.1.ppc64le",
"product": {
"name": "apache2-devel-2.4.10-14.10.1.ppc64le",
"product_id": "apache2-devel-2.4.10-14.10.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache2-2.4.10-14.10.1.ppc64le",
"product": {
"name": "apache2-2.4.10-14.10.1.ppc64le",
"product_id": "apache2-2.4.10-14.10.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache2-example-pages-2.4.10-14.10.1.ppc64le",
"product": {
"name": "apache2-example-pages-2.4.10-14.10.1.ppc64le",
"product_id": "apache2-example-pages-2.4.10-14.10.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"product": {
"name": "apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"product_id": "apache2-mod_auth_kerb-5.4-2.4.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"product": {
"name": "apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"product_id": "apache2-mod_jk-1.2.40-2.6.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"product": {
"name": "apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"product_id": "apache2-mod_security2-2.8.0-3.4.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache2-prefork-2.4.10-14.10.1.ppc64le",
"product": {
"name": "apache2-prefork-2.4.10-14.10.1.ppc64le",
"product_id": "apache2-prefork-2.4.10-14.10.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache2-utils-2.4.10-14.10.1.ppc64le",
"product": {
"name": "apache2-utils-2.4.10-14.10.1.ppc64le",
"product_id": "apache2-utils-2.4.10-14.10.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache2-worker-2.4.10-14.10.1.ppc64le",
"product": {
"name": "apache2-worker-2.4.10-14.10.1.ppc64le",
"product_id": "apache2-worker-2.4.10-14.10.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "apache2-devel-2.4.10-14.10.1.s390x",
"product": {
"name": "apache2-devel-2.4.10-14.10.1.s390x",
"product_id": "apache2-devel-2.4.10-14.10.1.s390x"
}
},
{
"category": "product_version",
"name": "apache2-2.4.10-14.10.1.s390x",
"product": {
"name": "apache2-2.4.10-14.10.1.s390x",
"product_id": "apache2-2.4.10-14.10.1.s390x"
}
},
{
"category": "product_version",
"name": "apache2-example-pages-2.4.10-14.10.1.s390x",
"product": {
"name": "apache2-example-pages-2.4.10-14.10.1.s390x",
"product_id": "apache2-example-pages-2.4.10-14.10.1.s390x"
}
},
{
"category": "product_version",
"name": "apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"product": {
"name": "apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"product_id": "apache2-mod_auth_kerb-5.4-2.4.1.s390x"
}
},
{
"category": "product_version",
"name": "apache2-mod_jk-1.2.40-2.6.1.s390x",
"product": {
"name": "apache2-mod_jk-1.2.40-2.6.1.s390x",
"product_id": "apache2-mod_jk-1.2.40-2.6.1.s390x"
}
},
{
"category": "product_version",
"name": "apache2-mod_security2-2.8.0-3.4.1.s390x",
"product": {
"name": "apache2-mod_security2-2.8.0-3.4.1.s390x",
"product_id": "apache2-mod_security2-2.8.0-3.4.1.s390x"
}
},
{
"category": "product_version",
"name": "apache2-prefork-2.4.10-14.10.1.s390x",
"product": {
"name": "apache2-prefork-2.4.10-14.10.1.s390x",
"product_id": "apache2-prefork-2.4.10-14.10.1.s390x"
}
},
{
"category": "product_version",
"name": "apache2-utils-2.4.10-14.10.1.s390x",
"product": {
"name": "apache2-utils-2.4.10-14.10.1.s390x",
"product_id": "apache2-utils-2.4.10-14.10.1.s390x"
}
},
{
"category": "product_version",
"name": "apache2-worker-2.4.10-14.10.1.s390x",
"product": {
"name": "apache2-worker-2.4.10-14.10.1.s390x",
"product_id": "apache2-worker-2.4.10-14.10.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "apache2-devel-2.4.10-14.10.1.x86_64",
"product": {
"name": "apache2-devel-2.4.10-14.10.1.x86_64",
"product_id": "apache2-devel-2.4.10-14.10.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache2-2.4.10-14.10.1.x86_64",
"product": {
"name": "apache2-2.4.10-14.10.1.x86_64",
"product_id": "apache2-2.4.10-14.10.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache2-example-pages-2.4.10-14.10.1.x86_64",
"product": {
"name": "apache2-example-pages-2.4.10-14.10.1.x86_64",
"product_id": "apache2-example-pages-2.4.10-14.10.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"product": {
"name": "apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"product_id": "apache2-mod_auth_kerb-5.4-2.4.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache2-mod_jk-1.2.40-2.6.1.x86_64",
"product": {
"name": "apache2-mod_jk-1.2.40-2.6.1.x86_64",
"product_id": "apache2-mod_jk-1.2.40-2.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache2-mod_security2-2.8.0-3.4.1.x86_64",
"product": {
"name": "apache2-mod_security2-2.8.0-3.4.1.x86_64",
"product_id": "apache2-mod_security2-2.8.0-3.4.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache2-prefork-2.4.10-14.10.1.x86_64",
"product": {
"name": "apache2-prefork-2.4.10-14.10.1.x86_64",
"product_id": "apache2-prefork-2.4.10-14.10.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache2-utils-2.4.10-14.10.1.x86_64",
"product": {
"name": "apache2-utils-2.4.10-14.10.1.x86_64",
"product_id": "apache2-utils-2.4.10-14.10.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache2-worker-2.4.10-14.10.1.x86_64",
"product": {
"name": "apache2-worker-2.4.10-14.10.1.x86_64",
"product_id": "apache2-worker-2.4.10-14.10.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"product": {
"name": "apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"product_id": "apache2-mod_fastcgi-2.4.7-3.4.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Software Development Kit 12",
"product": {
"name": "SUSE Linux Enterprise Software Development Kit 12",
"product_id": "SUSE Linux Enterprise Software Development Kit 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-sdk:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12",
"product": {
"name": "SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 1.0",
"product": {
"name": "SUSE Enterprise Storage 1.0",
"product_id": "SUSE Enterprise Storage 1.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:1.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-devel-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Software Development Kit 12",
"product_id": "SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-devel-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-devel-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Software Development Kit 12",
"product_id": "SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-devel-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-devel-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Software Development Kit 12",
"product_id": "SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-devel-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-doc-2.4.10-14.10.1.noarch as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch"
},
"product_reference": "apache2-doc-2.4.10-14.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-example-pages-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-example-pages-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-example-pages-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-example-pages-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-example-pages-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-example-pages-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_auth_kerb-5.4-2.4.1.ppc64le as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le"
},
"product_reference": "apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_auth_kerb-5.4-2.4.1.s390x as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x"
},
"product_reference": "apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_auth_kerb-5.4-2.4.1.x86_64 as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64"
},
"product_reference": "apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_jk-1.2.40-2.6.1.ppc64le as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le"
},
"product_reference": "apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_jk-1.2.40-2.6.1.s390x as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x"
},
"product_reference": "apache2-mod_jk-1.2.40-2.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_jk-1.2.40-2.6.1.x86_64 as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64"
},
"product_reference": "apache2-mod_jk-1.2.40-2.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_security2-2.8.0-3.4.1.ppc64le as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le"
},
"product_reference": "apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_security2-2.8.0-3.4.1.s390x as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x"
},
"product_reference": "apache2-mod_security2-2.8.0-3.4.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_security2-2.8.0-3.4.1.x86_64 as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64"
},
"product_reference": "apache2-mod_security2-2.8.0-3.4.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-prefork-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-prefork-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-prefork-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-prefork-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-prefork-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-prefork-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-utils-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-utils-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-utils-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-utils-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-utils-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-utils-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-worker-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-worker-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-worker-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-worker-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-worker-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Server 12",
"product_id": "SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-worker-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-doc-2.4.10-14.10.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch"
},
"product_reference": "apache2-doc-2.4.10-14.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-example-pages-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-example-pages-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-example-pages-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-example-pages-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-example-pages-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-example-pages-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_auth_kerb-5.4-2.4.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le"
},
"product_reference": "apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_auth_kerb-5.4-2.4.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x"
},
"product_reference": "apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_auth_kerb-5.4-2.4.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64"
},
"product_reference": "apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_jk-1.2.40-2.6.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le"
},
"product_reference": "apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_jk-1.2.40-2.6.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x"
},
"product_reference": "apache2-mod_jk-1.2.40-2.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_jk-1.2.40-2.6.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64"
},
"product_reference": "apache2-mod_jk-1.2.40-2.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_security2-2.8.0-3.4.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le"
},
"product_reference": "apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_security2-2.8.0-3.4.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x"
},
"product_reference": "apache2-mod_security2-2.8.0-3.4.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_security2-2.8.0-3.4.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64"
},
"product_reference": "apache2-mod_security2-2.8.0-3.4.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-prefork-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-prefork-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-prefork-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-prefork-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-prefork-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-prefork-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-utils-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-utils-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-utils-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-utils-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-utils-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-utils-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-worker-2.4.10-14.10.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le"
},
"product_reference": "apache2-worker-2.4.10-14.10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-worker-2.4.10-14.10.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x"
},
"product_reference": "apache2-worker-2.4.10-14.10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-worker-2.4.10-14.10.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64"
},
"product_reference": "apache2-worker-2.4.10-14.10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache2-mod_fastcgi-2.4.7-3.4.1.x86_64 as component of SUSE Enterprise Storage 1.0",
"product_id": "SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64"
},
"product_reference": "apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 1.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-8111",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2014-8111"
}
],
"notes": [
{
"category": "general",
"text": "Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2014-8111",
"url": "https://www.suse.com/security/cve/CVE-2014-8111"
},
{
"category": "external",
"summary": "SUSE Bug 927845 for CVE-2014-8111",
"url": "https://bugzilla.suse.com/927845"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2015-10-22T09:19:23Z",
"details": "moderate"
}
],
"title": "CVE-2014-8111"
},
{
"cve": "CVE-2015-3183",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-3183"
}
],
"notes": [
{
"category": "general",
"text": "The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-3183",
"url": "https://www.suse.com/security/cve/CVE-2015-3183"
},
{
"category": "external",
"summary": "SUSE Bug 938728 for CVE-2015-3183",
"url": "https://bugzilla.suse.com/938728"
},
{
"category": "external",
"summary": "SUSE Bug 948325 for CVE-2015-3183",
"url": "https://bugzilla.suse.com/948325"
},
{
"category": "external",
"summary": "SUSE Bug 949218 for CVE-2015-3183",
"url": "https://bugzilla.suse.com/949218"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2015-10-22T09:19:23Z",
"details": "moderate"
}
],
"title": "CVE-2015-3183"
},
{
"cve": "CVE-2015-3185",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-3185"
}
],
"notes": [
{
"category": "general",
"text": "The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-3185",
"url": "https://www.suse.com/security/cve/CVE-2015-3185"
},
{
"category": "external",
"summary": "SUSE Bug 938723 for CVE-2015-3185",
"url": "https://bugzilla.suse.com/938723"
},
{
"category": "external",
"summary": "SUSE Bug 939514 for CVE-2015-3185",
"url": "https://bugzilla.suse.com/939514"
},
{
"category": "external",
"summary": "SUSE Bug 939516 for CVE-2015-3185",
"url": "https://bugzilla.suse.com/939516"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2015-10-22T09:19:23Z",
"details": "moderate"
}
],
"title": "CVE-2015-3185"
},
{
"cve": "CVE-2015-4000",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-4000"
}
],
"notes": [
{
"category": "general",
"text": "The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the \"Logjam\" issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-4000",
"url": "https://www.suse.com/security/cve/CVE-2015-4000"
},
{
"category": "external",
"summary": "SUSE Bug 1074631 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/1074631"
},
{
"category": "external",
"summary": "SUSE Bug 1211968 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/1211968"
},
{
"category": "external",
"summary": "SUSE Bug 931600 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/931600"
},
{
"category": "external",
"summary": "SUSE Bug 931698 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/931698"
},
{
"category": "external",
"summary": "SUSE Bug 931723 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/931723"
},
{
"category": "external",
"summary": "SUSE Bug 931845 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/931845"
},
{
"category": "external",
"summary": "SUSE Bug 932026 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/932026"
},
{
"category": "external",
"summary": "SUSE Bug 932483 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/932483"
},
{
"category": "external",
"summary": "SUSE Bug 934789 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/934789"
},
{
"category": "external",
"summary": "SUSE Bug 935033 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/935033"
},
{
"category": "external",
"summary": "SUSE Bug 935540 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/935540"
},
{
"category": "external",
"summary": "SUSE Bug 935979 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/935979"
},
{
"category": "external",
"summary": "SUSE Bug 937202 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/937202"
},
{
"category": "external",
"summary": "SUSE Bug 937766 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/937766"
},
{
"category": "external",
"summary": "SUSE Bug 938248 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/938248"
},
{
"category": "external",
"summary": "SUSE Bug 938432 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/938432"
},
{
"category": "external",
"summary": "SUSE Bug 938895 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/938895"
},
{
"category": "external",
"summary": "SUSE Bug 938905 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/938905"
},
{
"category": "external",
"summary": "SUSE Bug 938906 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/938906"
},
{
"category": "external",
"summary": "SUSE Bug 938913 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/938913"
},
{
"category": "external",
"summary": "SUSE Bug 938945 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/938945"
},
{
"category": "external",
"summary": "SUSE Bug 943664 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/943664"
},
{
"category": "external",
"summary": "SUSE Bug 944729 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/944729"
},
{
"category": "external",
"summary": "SUSE Bug 945582 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/945582"
},
{
"category": "external",
"summary": "SUSE Bug 955589 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/955589"
},
{
"category": "external",
"summary": "SUSE Bug 980406 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/980406"
},
{
"category": "external",
"summary": "SUSE Bug 990592 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/990592"
},
{
"category": "external",
"summary": "SUSE Bug 994144 for CVE-2015-4000",
"url": "https://bugzilla.suse.com/994144"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2015-10-22T09:19:23Z",
"details": "important"
}
],
"title": "CVE-2015-4000"
}
]
}
VAR-201507-0017
Vulnerability from variot - Updated: 2024-07-23 21:13
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. The server is fast, reliable and extensible through a simple API. The vulnerability stems from the fact that when the program does not require authentication, the Require directive will still be used for authorization settings and is displayed in the configuration. 7) - x86_64
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: httpd24-httpd security update Advisory ID: RHSA-2015:1666-01 Product: Red Hat Software Collections Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1666.html Issue date: 2015-08-24 CVE Names: CVE-2015-0228 CVE-2015-0253 CVE-2015-3183 CVE-2015-3185 =====================================================================
- Summary:
Updated httpd24-httpd packages that fix multiple security issues are now available for Red Hat Software Collections 2.
Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
- Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
- Description:
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)
It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)
Note: This update introduces a new API function, ap_some_authn_required(), which correctly indicates if a request is authenticated. External httpd modules using the old API function should be modified to use the new one to completely resolve this issue.
A denial of service flaw was found in the way the mod_lua httpd module processed certain WebSocket Ping requests. A remote attacker could send a specially crafted WebSocket Ping packet that would cause the httpd child process to crash. (CVE-2015-0228)
A NULL pointer dereference flaw was found in the way httpd generated certain error responses. A remote attacker could possibly use this flaw to crash the httpd child process using a request that triggers a certain HTTP error. (CVE-2015-0253)
All httpd24-httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd24-httpd service will be restarted automatically.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1202988 - CVE-2015-0228 httpd: Possible mod_lua crash due to websocket bug 1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser 1243888 - CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4 1243891 - CVE-2015-0253 httpd: NULL pointer dereference crash with ErrorDocument 400 pointing to a local URL-path
- Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source: httpd24-httpd-2.4.12-4.el6.2.src.rpm
noarch: httpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm
x86_64: httpd24-httpd-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5):
Source: httpd24-httpd-2.4.12-4.el6.2.src.rpm
noarch: httpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm
x86_64: httpd24-httpd-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):
Source: httpd24-httpd-2.4.12-4.el6.2.src.rpm
noarch: httpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm
x86_64: httpd24-httpd-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source: httpd24-httpd-2.4.12-4.el6.2.src.rpm
noarch: httpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm
x86_64: httpd24-httpd-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: httpd24-httpd-2.4.12-6.el7.1.src.rpm
noarch: httpd24-httpd-manual-2.4.12-6.el7.1.noarch.rpm
x86_64: httpd24-httpd-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-devel-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-tools-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ldap-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ssl-2.4.12-6.el7.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1):
Source: httpd24-httpd-2.4.12-6.el7.1.src.rpm
noarch: httpd24-httpd-manual-2.4.12-6.el7.1.noarch.rpm
x86_64: httpd24-httpd-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-devel-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-tools-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ldap-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ssl-2.4.12-6.el7.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source: httpd24-httpd-2.4.12-6.el7.1.src.rpm
noarch: httpd24-httpd-manual-2.4.12-6.el7.1.noarch.rpm
x86_64: httpd24-httpd-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-devel-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-tools-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ldap-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ssl-2.4.12-6.el7.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2015-0228 https://access.redhat.com/security/cve/CVE-2015-0253 https://access.redhat.com/security/cve/CVE-2015-3183 https://access.redhat.com/security/cve/CVE-2015-3185 https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFV22bPXlSAg2UNWIIRAmm2AKCI6AByn1Zlj/2R8aLKFD4hZno5VgCfcx8H y5DWl0MjeqKeAOHiddwyDdU= =yzQP -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . In some configurations, apache2 would fail to start with a spurious error message about the certificate chain. This update fixes this problem. For reference, the text of the original advisory follows:
Several vulnerabilities have been found in the Apache HTTPD server. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use.
CVE-2015-3185
A design error in the "ap_some_auth_required" function renders the
API unusable in apache2 2.4.x.
The fix backports the new "ap_some_authn_required" API from 2.4.16.
This issue does not affect the oldstable distribution (wheezy).
In addition, the updated package for the oldstable distribution (wheezy) removes a limitation of the Diffie-Hellman (DH) parameters to 1024 bits. This limitation may potentially allow an attacker with very large computing resources, like a nation-state, to break DH key exchange by precomputation. The updated apache2 package also allows to configure custom DH parameters. More information is contained in the changelog.Debian.gz file. These improvements were already present in the stable, testing, and unstable distributions.
For the oldstable distribution (wheezy), this problem has been fixed in version 2.2.22-13+deb7u6.
The other distributions were not affected by the regression.
We recommend that you upgrade your apache2 packages. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.
This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2 serves as an update for Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
-
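It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. (CVE-2015-3185) [Editor's note: this description does not match the ap_some_auth_required() flaw given for CVE-2015-3185 earlier on this page; the aggregated excerpt appears to have dropped the lines between the description and the CVE identifier, so confirm the pairing against the vendor advisory.]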
-
A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Gaëtan Leurent (Inria) as the original reporters of CVE-2016-2183. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. JIRA issues fixed (https://issues.jboss.org/):
JBCS-329 - Unable to load large CRL openssl problem JBCS-337 - Errata for httpd 2.4.23 SP2 RHEL 6
Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/httpd-2.4.16-i486-1_slack14.1.txz: Upgraded. This update fixes the following security issues: * CVE-2015-0253: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. * CVE-2015-3183: core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. * CVE-2015-3185: Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0253 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185 ( Security fix ) +--------------------------+
Where to find the new packages: +-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.
Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.16-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.16-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.16-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.16-x86_64-1_slack14.1.txz
Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.16-i586-1.txz
Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.16-x86_64-1.txz
MD5 signatures: +-------------+
Slackware 14.0 package: d78c9925e69ba6ce14d67fb67245981b httpd-2.4.16-i486-1_slack14.0.txz
Slackware x86_64 14.0 package: 1370e3c7e135bf07b65e73049099a942 httpd-2.4.16-x86_64-1_slack14.0.txz
Slackware 14.1 package: ea116c45bba8c80f59cfe0394a8f87fa httpd-2.4.16-i486-1_slack14.1.txz
Slackware x86_64 14.1 package: 8b5b1caa1fa203b07b529f77834fac16 httpd-2.4.16-x86_64-1_slack14.1.txz
Slackware -current package: 01ccb961f17bd14c1d157892af4c9f1d n/httpd-2.4.16-i586-1.txz
Slackware x86_64 -current package: 70a6644de3585007861e57cf08608843 n/httpd-2.4.16-x86_64-1.txz
Installation instructions: +------------------------+
Upgrade the package as root:
upgradepkg httpd-2.4.16-i486-1_slack14.1.txz
Then, restart Apache httpd:
/etc/rc.d/rc.httpd stop
/etc/rc.d/rc.httpd start
+-----+
Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com
+------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201507-0017",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "xcode",
"scope": "eq",
"trust": 2.4,
"vendor": "apple",
"version": "7.0"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "5.0.3"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.10.4"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.6"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.0"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.12"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.13"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.9"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.8"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.2"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.4"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "15.04"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "14.04"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.1"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.10"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.7"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "12.04"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": "2.4.14"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "10.9.5"
},
{
"model": "http server",
"scope": "lt",
"trust": 0.8,
"vendor": "apache",
"version": "2.4.x"
},
{
"model": "xcode",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "(os x yosemite v10.10.4 or later )"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "10.10 to 10.10.4"
},
{
"model": "macos server",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "5.0.3"
},
{
"model": "macos server",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "(os x yosemite v10.10.5 or later )"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-003799"
},
{
"db": "CNNVD",
"id": "CNNVD-201507-660"
},
{
"db": "NVD",
"id": "CVE-2015-3185"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:apple:mac_os_x_server:5.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2015-3185"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "144136"
},
{
"db": "PACKETSTORM",
"id": "133278"
},
{
"db": "PACKETSTORM",
"id": "133281"
},
{
"db": "PACKETSTORM",
"id": "144135"
}
],
"trust": 0.4
},
"cve": "CVE-2015-3185",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2015-3185",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-81146",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2015-3185",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201507-660",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-81146",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2015-3185",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-81146"
},
{
"db": "VULMON",
"id": "CVE-2015-3185"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003799"
},
{
"db": "CNNVD",
"id": "CNNVD-201507-660"
},
{
"db": "NVD",
"id": "CVE-2015-3185"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. The server is fast, reliable and extensible through a simple API. The vulnerability stems from the fact that when the program does not require authentication, the Require directive will still be used for authorization settings and in displayed in the configuration. 7) - x86_64\n\n3. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: httpd24-httpd security update\nAdvisory ID: RHSA-2015:1666-01\nProduct: Red Hat Software Collections\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2015-1666.html\nIssue date: 2015-08-24\nCVE Names: CVE-2015-0228 CVE-2015-0253 CVE-2015-3183 \n CVE-2015-3185 \n=====================================================================\n\n1. Summary:\n\nUpdated httpd24-httpd packages that fix multiple security issues are now\navailable for Red Hat Software Collections 2. \n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
6.5) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64\n\n3. Description:\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server. \n\nMultiple flaws were found in the way httpd parsed HTTP requests and\nresponses using chunked transfer encoding. A remote attacker could use\nthese flaws to create a specially crafted request, which httpd would decode\ndifferently from an HTTP proxy software in front of it, possibly leading to\nHTTP request smuggling attacks. (CVE-2015-3183)\n\nIt was discovered that in httpd 2.4, the internal API function\nap_some_auth_required() could incorrectly indicate that a request was\nauthenticated even when no authentication was used. An httpd module using\nthis API function could consequently allow access that should have been\ndenied. (CVE-2015-3185)\n\nNote: This update introduces new a new API function,\nap_some_authn_required(), which correctly indicates if a request is\nauthenticated. External httpd modules using the old API function should be\nmodified to use the new one to completely resolve this issue. \n\nA denial of service flaw was found in the way the mod_lua httpd module\nprocessed certain WebSocket Ping requests. A remote attacker could send a\nspecially crafted WebSocket Ping packet that would cause the httpd child\nprocess to crash. (CVE-2015-0228)\n\nA NULL pointer dereference flaw was found in the way httpd generated\ncertain error responses. A remote attacker could possibly use this flaw to\ncrash the httpd child process using a request that triggers a certain HTTP\nerror. 
(CVE-2015-0253)\n\nAll httpd24-httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After installing\nthe updated packages, the httpd24-httpd service will be restarted\nautomatically. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1202988 - CVE-2015-0228 httpd: Possible mod_lua crash due to websocket bug\n1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser\n1243888 - CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4\n1243891 - CVE-2015-0253 httpd: NULL pointer dereference crash with ErrorDocument 400 pointing to a local URL-path\n\n6. Package List:\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):\n\nSource:\nhttpd24-httpd-2.4.12-4.el6.2.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
6.5):\n\nSource:\nhttpd24-httpd-2.4.12-4.el6.2.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):\n\nSource:\nhttpd24-httpd-2.4.12-4.el6.2.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nhttpd24-httpd-2.4.12-4.el6.2.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm\nhttpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 
7):\n\nSource:\nhttpd24-httpd-2.4.12-6.el7.1.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.12-6.el7.1.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-httpd-devel-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-httpd-tools-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_ldap-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_ssl-2.4.12-6.el7.1.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1):\n\nSource:\nhttpd24-httpd-2.4.12-6.el7.1.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.12-6.el7.1.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-httpd-devel-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-httpd-tools-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_ldap-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_ssl-2.4.12-6.el7.1.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nhttpd24-httpd-2.4.12-6.el7.1.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.12-6.el7.1.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-httpd-devel-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-httpd-tools-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_ldap-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm\nhttpd24-mod_ssl-2.4.12-6.el7.1.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. 
References:\n\nhttps://access.redhat.com/security/cve/CVE-2015-0228\nhttps://access.redhat.com/security/cve/CVE-2015-0253\nhttps://access.redhat.com/security/cve/CVE-2015-3183\nhttps://access.redhat.com/security/cve/CVE-2015-3185\nhttps://access.redhat.com/security/updates/classification/#moderate\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2015 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFV22bPXlSAg2UNWIIRAmm2AKCI6AByn1Zlj/2R8aLKFD4hZno5VgCfcx8H\ny5DWl0MjeqKeAOHiddwyDdU=\n=yzQP\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. In some configurations, apache2 would\nfail to start with a spurious error message about the certificate chain. \nThis update fixes this problem. For reference, the text of the original\nadvisory follows:\n\n\nSeveral vulnerabilities have been found in the Apache HTTPD server. A malicious client could force the\n server to misinterpret the request length, allowing cache poisoning\n or credential hijacking if an intermediary proxy is in use. \n\nCVE-2015-3185\n\n A design error in the \"ap_some_auth_required\" function renders the\n API unusuable in apache2 2.4.x. \n The fix backports the new \"ap_some_authn_required\" API from 2.4.16. \n This issue does not affect the oldstable distribution (wheezy). \n\n\nIn addition, the updated package for the oldstable distribution (wheezy)\nremoves a limitation of the Diffie-Hellman (DH) parameters to 1024 bits. \nThis limitation may potentially allow an attacker with very large\ncomputing resources, like a nation-state, to break DH key exchange by\nprecomputation. The updated apache2 package also allows to configure\ncustom DH parameters. More information is contained in the\nchangelog.Debian.gz file. 
\nThese improvements were already present in the stable, testing, and\nunstable distributions. \n\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 2.2.22-13+deb7u6. \n\nThe other distributions were not affected by the regression. \n\nWe recommend that you upgrade your apache2 packages. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. \n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23\nService Pack 2 serves as an update for Red Hat JBoss Core Services Apache\nHTTP Server 2.4.23 Service Pack 1, and includes bug fixes, which are\ndocumented in the Release Notes document linked to in the References. \n\nSecurity Fix(es):\n\n* It was discovered that the httpd\u0027s mod_auth_digest module did not\nproperly initialize memory before using it when processing certain headers\nrelated to digest authentication. (CVE-2015-3185)\n\n* A flaw was found in the way the DES/3DES cipher was used as part of the\nTLS/SSL protocol. A man-in-the-middle attacker could use this flaw to\nrecover some plaintext data by capturing large amounts of encrypted traffic\nbetween TLS/SSL server and client if the communication used a DES/3DES\nbased ciphersuite. Upstream\nacknowledges Karthikeyan Bhargavan (Inria) and Ga\u00ebtan Leurent (Inria) as\nthe original reporters of CVE-2016-2183. For the update to take effect, all services linked to the\nOpenSSL library must be restarted, or the system rebooted. JIRA issues fixed (https://issues.jboss.org/):\n\nJBCS-329 - Unable to load large CRL openssl problem\nJBCS-337 - Errata for httpd 2.4.23 SP2 RHEL 6\n\n7. \n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n+--------------------------+\npatches/packages/httpd-2.4.16-i486-1_slack14.1.txz: Upgraded. 
\n This update fixes the following security issues:\n * CVE-2015-0253: Fix a crash with ErrorDocument 400 pointing to a local\n URL-path with the INCLUDES filter active, introduced in 2.4.11. \n * CVE-2015-3183: core: Fix chunk header parsing defect. Remove\n apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN\n filter, parse chunks in a single pass with zero copy. Limit accepted\n chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. \n * CVE-2015-3185: Replacement of ap_some_auth_required (unusable in Apache\n httpd 2.4) with new ap_some_authn_required and ap_force_authn hook. \n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0253\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185\n (* Security fix *)\n+--------------------------+\n\n\nWhere to find the new packages:\n+-----------------------------+\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you. 
\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.16-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.16-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.16-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.16-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.16-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.16-x86_64-1.txz\n\n\nMD5 signatures:\n+-------------+\n\nSlackware 14.0 package:\nd78c9925e69ba6ce14d67fb67245981b httpd-2.4.16-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n1370e3c7e135bf07b65e73049099a942 httpd-2.4.16-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\nea116c45bba8c80f59cfe0394a8f87fa httpd-2.4.16-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n8b5b1caa1fa203b07b529f77834fac16 httpd-2.4.16-x86_64-1_slack14.1.txz\n\nSlackware -current package:\n01ccb961f17bd14c1d157892af4c9f1d n/httpd-2.4.16-i586-1.txz\n\nSlackware x86_64 -current package:\n70a6644de3585007861e57cf08608843 n/httpd-2.4.16-x86_64-1.txz\n\n\nInstallation instructions:\n+------------------------+\n\nUpgrade the package as root:\n# upgradepkg httpd-2.4.16-i486-1_slack14.1.txz\n\nThen, restart Apache httpd:\n\n# /etc/rc.d/rc.httpd stop\n# /etc/rc.d/rc.httpd start\n\n\n+-----+\n\nSlackware Linux Security Team\nhttp://slackware.com/gpg-key\nsecurity@slackware.com\n\n+------------------------------------------------------------------------+\n| To leave the slackware-security mailing list: 
|\n+------------------------------------------------------------------------+\n| Send an email to majordomo@slackware.com with this text in the body of |\n| the email message: |\n| |\n| unsubscribe slackware-security |\n| |\n| You will get a confirmation message back containing instructions to |\n| complete the process. Please do not reply to this email address",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-3185"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003799"
},
{
"db": "VULHUB",
"id": "VHN-81146"
},
{
"db": "VULMON",
"id": "CVE-2015-3185"
},
{
"db": "PACKETSTORM",
"id": "144136"
},
{
"db": "PACKETSTORM",
"id": "133278"
},
{
"db": "PACKETSTORM",
"id": "133281"
},
{
"db": "PACKETSTORM",
"id": "133129"
},
{
"db": "PACKETSTORM",
"id": "144135"
},
{
"db": "PACKETSTORM",
"id": "132743"
},
{
"db": "PACKETSTORM",
"id": "132922"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2015-3185",
"trust": 3.3
},
{
"db": "SECTRACK",
"id": "1032967",
"trust": 1.8
},
{
"db": "BID",
"id": "75965",
"trust": 1.8
},
{
"db": "JVN",
"id": "JVNVU99970459",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003799",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201507-660",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "144136",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "144135",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "144134",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-81146",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2015-3185",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "133278",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "133281",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "133129",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "132743",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "132922",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-81146"
},
{
"db": "VULMON",
"id": "CVE-2015-3185"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003799"
},
{
"db": "PACKETSTORM",
"id": "144136"
},
{
"db": "PACKETSTORM",
"id": "133278"
},
{
"db": "PACKETSTORM",
"id": "133281"
},
{
"db": "PACKETSTORM",
"id": "133129"
},
{
"db": "PACKETSTORM",
"id": "144135"
},
{
"db": "PACKETSTORM",
"id": "132743"
},
{
"db": "PACKETSTORM",
"id": "132922"
},
{
"db": "CNNVD",
"id": "CNNVD-201507-660"
},
{
"db": "NVD",
"id": "CVE-2015-3185"
}
]
},
"id": "VAR-201507-0017",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-81146"
}
],
"trust": 0.01
},
"last_update_date": "2024-07-23T21:13:51.101000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Fixed in Apache httpd 2.4.16",
"trust": 0.8,
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"title": "APPLE-SA-2015-09-16-4 OS X Server 5.0.3",
"trust": 0.8,
"url": "http://lists.apple.com/archives/security-announce/2015/sep/msg00004.html"
},
{
"title": "APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006",
"trust": 0.8,
"url": "http://lists.apple.com/archives/security-announce/2015/aug/msg00001.html"
},
{
"title": "APPLE-SA-2015-09-16-2 Xcode 7.0",
"trust": 0.8,
"url": "http://lists.apple.com/archives/security-announce/2015/sep/msg00002.html"
},
{
"title": "HT205217",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht205217"
},
{
"title": "HT205219",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht205219"
},
{
"title": "HT205031",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht205031"
},
{
"title": "HT205217",
"trust": 0.8,
"url": "http://support.apple.com/ja-jp/ht205217"
},
{
"title": "HT205219",
"trust": 0.8,
"url": "http://support.apple.com/ja-jp/ht205219"
},
{
"title": "HT205031",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht205031"
},
{
"title": "Changes with Apache 2.4.14",
"trust": 0.8,
"url": "http://www.apache.org/dist/httpd/changes_2.4"
},
{
"title": "Oracle Solaris Third Party Bulletin - October 2015",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
},
{
"title": "httpd-2.4.14",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=57056"
},
{
"title": "httpd-2.4.14",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=57055"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20172708 - security advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20172710 - security advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20172709 - security advisory"
},
{
"title": "Debian Security Advisories: DSA-3325-1 apache2 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=f6a16e3e13155cdb8edbd0ecf11552be"
},
{
"title": "Ubuntu Security Notice: apache2 vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-2686-1"
},
{
"title": "Red Hat: CVE-2015-3185",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=cve-2015-3185"
},
{
"title": "Amazon Linux AMI: ALAS-2015-579",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2015-579"
},
{
"title": "Tenable Security Advisories: [R4] SecurityCenter 5.0.2 Fixes Third-party Library",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=tns-2015-11"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20162957 - security advisory"
},
{
"title": "DC-2: Vulnhub Walkthrough",
"trust": 0.1,
"url": "https://github.com/vshaliii/dc-2-vulnhub-walkthrough "
},
{
"title": "Shodan Search Script",
"trust": 0.1,
"url": "https://github.com/firatesatoglu/shodansearch "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2015-3185"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003799"
},
{
"db": "CNNVD",
"id": "CNNVD-201507-660"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-264",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-81146"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003799"
},
{
"db": "NVD",
"id": "CVE-2015-3185"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "http://rhn.redhat.com/errata/rhsa-2015-1666.html"
},
{
"trust": 1.9,
"url": "http://rhn.redhat.com/errata/rhsa-2015-1667.html"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2017:2708"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2017:2709"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2017:2710"
},
{
"trust": 1.8,
"url": "http://lists.apple.com/archives/security-announce/2015/aug/msg00001.html"
},
{
"trust": 1.8,
"url": "http://lists.apple.com/archives/security-announce/2015/sep/msg00002.html"
},
{
"trust": 1.8,
"url": "http://lists.apple.com/archives/security-announce/2015/sep/msg00004.html"
},
{
"trust": 1.8,
"url": "http://www.securityfocus.com/bid/75965"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht205217"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht205219"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht205031"
},
{
"trust": 1.8,
"url": "http://www.debian.org/security/2015/dsa-3325"
},
{
"trust": 1.8,
"url": "http://rhn.redhat.com/errata/rhsa-2016-2957.html"
},
{
"trust": 1.8,
"url": "http://www.securitytracker.com/id/1032967"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html"
},
{
"trust": 1.8,
"url": "http://www.ubuntu.com/usn/usn-2686-1"
},
{
"trust": 1.2,
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 1.2,
"url": "http://www.apache.org/dist/httpd/changes_2.4"
},
{
"trust": 1.2,
"url": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708"
},
{
"trust": 1.2,
"url": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.9,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3185"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu99970459/index.html"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-3185"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3185"
},
{
"trust": 0.6,
"url": "httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 0.6,
"url": "http://"
},
{
"trust": 0.6,
"url": "httpd.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3ccvs."
},
{
"trust": 0.6,
"url": "httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708"
},
{
"trust": 0.6,
"url": "https://github.com/apache/"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3ccvs."
},
{
"trust": 0.6,
"url": "httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3ccvs."
},
{
"trust": 0.6,
"url": "httpd/changes_2.4"
},
{
"trust": 0.6,
"url": "http://www.apache.org/dist/"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3ccvs."
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2015-3185"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3183"
},
{
"trust": 0.4,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.4,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.2,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-core-services/"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2017-9788"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9788"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-2183"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2016-2183"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2015-3183"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0228"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0253"
},
{
"trust": 0.2,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.2,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/264.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/2686-1/"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/./dsa-3325"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2015-0228"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2015-0253"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3183"
},
{
"trust": 0.1,
"url": "http://slackware.com"
},
{
"trust": 0.1,
"url": "http://osuosl.org)"
},
{
"trust": 0.1,
"url": "http://slackware.com/gpg-key"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0253"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0228"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-81146"
},
{
"db": "VULMON",
"id": "CVE-2015-3185"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003799"
},
{
"db": "PACKETSTORM",
"id": "144136"
},
{
"db": "PACKETSTORM",
"id": "133278"
},
{
"db": "PACKETSTORM",
"id": "133281"
},
{
"db": "PACKETSTORM",
"id": "133129"
},
{
"db": "PACKETSTORM",
"id": "144135"
},
{
"db": "PACKETSTORM",
"id": "132743"
},
{
"db": "PACKETSTORM",
"id": "132922"
},
{
"db": "CNNVD",
"id": "CNNVD-201507-660"
},
{
"db": "NVD",
"id": "CVE-2015-3185"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-81146"
},
{
"db": "VULMON",
"id": "CVE-2015-3185"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003799"
},
{
"db": "PACKETSTORM",
"id": "144136"
},
{
"db": "PACKETSTORM",
"id": "133278"
},
{
"db": "PACKETSTORM",
"id": "133281"
},
{
"db": "PACKETSTORM",
"id": "133129"
},
{
"db": "PACKETSTORM",
"id": "144135"
},
{
"db": "PACKETSTORM",
"id": "132743"
},
{
"db": "PACKETSTORM",
"id": "132922"
},
{
"db": "CNNVD",
"id": "CNNVD-201507-660"
},
{
"db": "NVD",
"id": "CVE-2015-3185"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-07-20T00:00:00",
"db": "VULHUB",
"id": "VHN-81146"
},
{
"date": "2015-07-20T00:00:00",
"db": "VULMON",
"id": "CVE-2015-3185"
},
{
"date": "2015-07-22T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-003799"
},
{
"date": "2017-09-14T19:50:57",
"db": "PACKETSTORM",
"id": "144136"
},
{
"date": "2015-08-24T22:05:56",
"db": "PACKETSTORM",
"id": "133278"
},
{
"date": "2015-08-24T22:06:47",
"db": "PACKETSTORM",
"id": "133281"
},
{
"date": "2015-08-18T22:28:40",
"db": "PACKETSTORM",
"id": "133129"
},
{
"date": "2017-09-14T19:50:50",
"db": "PACKETSTORM",
"id": "144135"
},
{
"date": "2015-07-20T15:45:36",
"db": "PACKETSTORM",
"id": "132743"
},
{
"date": "2015-08-04T01:08:56",
"db": "PACKETSTORM",
"id": "132922"
},
{
"date": "2015-07-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201507-660"
},
{
"date": "2015-07-20T23:59:03.770000",
"db": "NVD",
"id": "CVE-2015-3185"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-10-27T00:00:00",
"db": "VULHUB",
"id": "VHN-81146"
},
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2015-3185"
},
{
"date": "2015-11-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-003799"
},
{
"date": "2021-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201507-660"
},
{
"date": "2023-11-07T02:25:31.337000",
"db": "NVD",
"id": "CVE-2015-3185"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "133278"
},
{
"db": "PACKETSTORM",
"id": "133281"
},
{
"db": "CNNVD",
"id": "CNNVD-201507-660"
}
],
"trust": 0.8
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Vulnerability in the ap_some_auth_required function in server/request.c of Apache HTTP Server that allows access restrictions to be bypassed",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-003799"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control issues",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201507-660"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.