cvelistv5 - cve-2003-0020

cve-2003-0020

Vulnerability from cvelistv5

Published

2004-09-01 04:00

Modified

2024-08-08 01:36

Severity ?

Summary

Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.

References

URL	Tags
cve@mitre.org	http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html	Broken Link
cve@mitre.org	http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046	Third Party Advisory
cve@mitre.org	http://marc.info/?l=bugtraq&m=104612710031920&w=2	Third Party Advisory
cve@mitre.org	http://marc.info/?l=bugtraq&m=108369640424244&w=2	Third Party Advisory
cve@mitre.org	http://marc.info/?l=bugtraq&m=108437852004207&w=2	Third Party Advisory
cve@mitre.org	http://marc.info/?l=bugtraq&m=108731648532365&w=2	Third Party Advisory
cve@mitre.org	http://security.gentoo.org/glsa/glsa-200405-22.xml	Third Party Advisory
cve@mitre.org	http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1	Broken Link
cve@mitre.org	http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1	Broken Link
cve@mitre.org	http://www.iss.net/security_center/static/11412.php	Broken Link
cve@mitre.org	http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050	Broken Link
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-082.html	Third Party Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-083.html	Third Party Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-104.html	Third Party Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-139.html	Third Party Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-243.html	Third Party Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-244.html	Third Party Advisory
cve@mitre.org	http://www.securityfocus.com/bid/9930	Third Party Advisory, VDB Entry
cve@mitre.org	http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643	Mailing List, Third Party Advisory
cve@mitre.org	http://www.trustix.org/errata/2004/0017	Broken Link
cve@mitre.org	http://www.trustix.org/errata/2004/0027	Broken Link
cve@mitre.org	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109	Third Party Advisory
cve@mitre.org	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150	Third Party Advisory
cve@mitre.org	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://marc.info/?l=bugtraq&m=104612710031920&w=2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://marc.info/?l=bugtraq&m=108369640424244&w=2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://marc.info/?l=bugtraq&m=108437852004207&w=2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://marc.info/?l=bugtraq&m=108731648532365&w=2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://security.gentoo.org/glsa/glsa-200405-22.xml	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.iss.net/security_center/static/11412.php	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-082.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-083.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-104.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-139.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-243.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-244.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/9930	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.trustix.org/errata/2004/0017	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.trustix.org/errata/2004/0027	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114	Third Party Advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-08T01:36:25.351Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "57628",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUNALERT",
                     "x_transferred",
                  ],
                  url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1",
               },
               {
                  name: "RHSA-2003:243",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2003-243.html",
               },
               {
                  name: "APPLE-SA-2004-05-03",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_APPLE",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=bugtraq&m=108369640424244&w=2",
               },
               {
                  name: "101555",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUNALERT",
                     "x_transferred",
                  ],
                  url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1",
               },
               {
                  name: "SSRT4717",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_HP",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=bugtraq&m=108731648532365&w=2",
               },
               {
                  name: "RHSA-2003:139",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2003-139.html",
               },
               {
                  name: "2004-0027",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_TRUSTIX",
                     "x_transferred",
                  ],
                  url: "http://www.trustix.org/errata/2004/0027",
               },
               {
                  name: "20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=bugtraq&m=108437852004207&w=2",
               },
               {
                  name: "SSA:2004-133",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SLACKWARE",
                     "x_transferred",
                  ],
                  url: "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643",
               },
               {
                  name: "RHSA-2003:244",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2003-244.html",
               },
               {
                  name: "GLSA-200405-22",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "http://security.gentoo.org/glsa/glsa-200405-22.xml",
               },
               {
                  name: "MDKSA-2003:050",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRAKE",
                     "x_transferred",
                  ],
                  url: "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050",
               },
               {
                  name: "20030224 Terminal Emulator Security Issues",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=bugtraq&m=104612710031920&w=2",
               },
               {
                  name: "apache-esc-seq-injection(11412)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "http://www.iss.net/security_center/static/11412.php",
               },
               {
                  name: "2004-0017",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_TRUSTIX",
                     "x_transferred",
                  ],
                  url: "http://www.trustix.org/errata/2004/0017",
               },
               {
                  name: "oval:org.mitre.oval:def:150",
                  tags: [
                     "vdb-entry",
                     "signature",
                     "x_refsource_OVAL",
                     "x_transferred",
                  ],
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150",
               },
               {
                  name: "MDKSA-2004:046",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRAKE",
                     "x_transferred",
                  ],
                  url: "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046",
               },
               {
                  name: "oval:org.mitre.oval:def:4114",
                  tags: [
                     "vdb-entry",
                     "signature",
                     "x_refsource_OVAL",
                     "x_transferred",
                  ],
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114",
               },
               {
                  name: "20030224 Terminal Emulator Security Issues",
                  tags: [
                     "mailing-list",
                     "x_refsource_VULNWATCH",
                     "x_transferred",
                  ],
                  url: "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html",
               },
               {
                  name: "9930",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/9930",
               },
               {
                  name: "RHSA-2003:083",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2003-083.html",
               },
               {
                  name: "RHSA-2003:104",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2003-104.html",
               },
               {
                  name: "oval:org.mitre.oval:def:100109",
                  tags: [
                     "vdb-entry",
                     "signature",
                     "x_refsource_OVAL",
                     "x_transferred",
                  ],
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109",
               },
               {
                  name: "RHSA-2003:082",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2003-082.html",
               },
               {
                  name: "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073140 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073149 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210606 svn commit: r1075470 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2003-02-24T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-06-06T10:09:35",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "57628",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUNALERT",
               ],
               url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1",
            },
            {
               name: "RHSA-2003:243",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2003-243.html",
            },
            {
               name: "APPLE-SA-2004-05-03",
               tags: [
                  "vendor-advisory",
                  "x_refsource_APPLE",
               ],
               url: "http://marc.info/?l=bugtraq&m=108369640424244&w=2",
            },
            {
               name: "101555",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUNALERT",
               ],
               url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1",
            },
            {
               name: "SSRT4717",
               tags: [
                  "vendor-advisory",
                  "x_refsource_HP",
               ],
               url: "http://marc.info/?l=bugtraq&m=108731648532365&w=2",
            },
            {
               name: "RHSA-2003:139",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2003-139.html",
            },
            {
               name: "2004-0027",
               tags: [
                  "vendor-advisory",
                  "x_refsource_TRUSTIX",
               ],
               url: "http://www.trustix.org/errata/2004/0027",
            },
            {
               name: "20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://marc.info/?l=bugtraq&m=108437852004207&w=2",
            },
            {
               name: "SSA:2004-133",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SLACKWARE",
               ],
               url: "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643",
            },
            {
               name: "RHSA-2003:244",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2003-244.html",
            },
            {
               name: "GLSA-200405-22",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "http://security.gentoo.org/glsa/glsa-200405-22.xml",
            },
            {
               name: "MDKSA-2003:050",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRAKE",
               ],
               url: "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050",
            },
            {
               name: "20030224 Terminal Emulator Security Issues",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://marc.info/?l=bugtraq&m=104612710031920&w=2",
            },
            {
               name: "apache-esc-seq-injection(11412)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "http://www.iss.net/security_center/static/11412.php",
            },
            {
               name: "2004-0017",
               tags: [
                  "vendor-advisory",
                  "x_refsource_TRUSTIX",
               ],
               url: "http://www.trustix.org/errata/2004/0017",
            },
            {
               name: "oval:org.mitre.oval:def:150",
               tags: [
                  "vdb-entry",
                  "signature",
                  "x_refsource_OVAL",
               ],
               url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150",
            },
            {
               name: "MDKSA-2004:046",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRAKE",
               ],
               url: "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046",
            },
            {
               name: "oval:org.mitre.oval:def:4114",
               tags: [
                  "vdb-entry",
                  "signature",
                  "x_refsource_OVAL",
               ],
               url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114",
            },
            {
               name: "20030224 Terminal Emulator Security Issues",
               tags: [
                  "mailing-list",
                  "x_refsource_VULNWATCH",
               ],
               url: "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html",
            },
            {
               name: "9930",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/9930",
            },
            {
               name: "RHSA-2003:083",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2003-083.html",
            },
            {
               name: "RHSA-2003:104",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2003-104.html",
            },
            {
               name: "oval:org.mitre.oval:def:100109",
               tags: [
                  "vdb-entry",
                  "signature",
                  "x_refsource_OVAL",
               ],
               url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109",
            },
            {
               name: "RHSA-2003:082",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2003-082.html",
            },
            {
               name: "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20210330 svn commit: r1073140 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20210330 svn commit: r1073149 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20210606 svn commit: r1075470 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2003-0020",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "57628",
                     refsource: "SUNALERT",
                     url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1",
                  },
                  {
                     name: "RHSA-2003:243",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2003-243.html",
                  },
                  {
                     name: "APPLE-SA-2004-05-03",
                     refsource: "APPLE",
                     url: "http://marc.info/?l=bugtraq&m=108369640424244&w=2",
                  },
                  {
                     name: "101555",
                     refsource: "SUNALERT",
                     url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1",
                  },
                  {
                     name: "SSRT4717",
                     refsource: "HP",
                     url: "http://marc.info/?l=bugtraq&m=108731648532365&w=2",
                  },
                  {
                     name: "RHSA-2003:139",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2003-139.html",
                  },
                  {
                     name: "2004-0027",
                     refsource: "TRUSTIX",
                     url: "http://www.trustix.org/errata/2004/0027",
                  },
                  {
                     name: "20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)",
                     refsource: "BUGTRAQ",
                     url: "http://marc.info/?l=bugtraq&m=108437852004207&w=2",
                  },
                  {
                     name: "SSA:2004-133",
                     refsource: "SLACKWARE",
                     url: "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643",
                  },
                  {
                     name: "RHSA-2003:244",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2003-244.html",
                  },
                  {
                     name: "GLSA-200405-22",
                     refsource: "GENTOO",
                     url: "http://security.gentoo.org/glsa/glsa-200405-22.xml",
                  },
                  {
                     name: "MDKSA-2003:050",
                     refsource: "MANDRAKE",
                     url: "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050",
                  },
                  {
                     name: "20030224 Terminal Emulator Security Issues",
                     refsource: "BUGTRAQ",
                     url: "http://marc.info/?l=bugtraq&m=104612710031920&w=2",
                  },
                  {
                     name: "apache-esc-seq-injection(11412)",
                     refsource: "XF",
                     url: "http://www.iss.net/security_center/static/11412.php",
                  },
                  {
                     name: "2004-0017",
                     refsource: "TRUSTIX",
                     url: "http://www.trustix.org/errata/2004/0017",
                  },
                  {
                     name: "oval:org.mitre.oval:def:150",
                     refsource: "OVAL",
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150",
                  },
                  {
                     name: "MDKSA-2004:046",
                     refsource: "MANDRAKE",
                     url: "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046",
                  },
                  {
                     name: "oval:org.mitre.oval:def:4114",
                     refsource: "OVAL",
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114",
                  },
                  {
                     name: "20030224 Terminal Emulator Security Issues",
                     refsource: "VULNWATCH",
                     url: "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html",
                  },
                  {
                     name: "9930",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/9930",
                  },
                  {
                     name: "RHSA-2003:083",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2003-083.html",
                  },
                  {
                     name: "RHSA-2003:104",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2003-104.html",
                  },
                  {
                     name: "oval:org.mitre.oval:def:100109",
                     refsource: "OVAL",
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109",
                  },
                  {
                     name: "RHSA-2003:082",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2003-082.html",
                  },
                  {
                     name: "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073140 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073149 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210606 svn commit: r1075470 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2003-0020",
      datePublished: "2004-09-01T04:00:00",
      dateReserved: "2003-01-07T00:00:00",
      dateUpdated: "2024-08-08T01:36:25.351Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2003-0020\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2003-03-18T05:00:00.000\",\"lastModified\":\"2025-04-03T01:03:51.193\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.\"},{\"lang\":\"es\",\"value\":\"Apache no filtra secuencias de escape de terminales en sus archivos de registro de errores, lo que podría hacer más fácil para atacantes insertar estas secuencias en emuladores de terminal que tengan vulnerabilidades relacionadas con secuencias de escape.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3.0\",\"versionEndExcluding\":\"1.3.31\",\"matchCriteriaId\":\"44B59C66-C5B3-4682-BB43-A390B4093828\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.0.49\",\"matchCriteriaId\":\"28A956D5-032E-4DBE-8201-B60B44BDCF01\"}]}]}],\"references\":[{\"url\":\"http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://marc.info/?l=bugtraq&m=104612710031920&w=2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://marc.info/?l=bugtraq&m=108369640424244&w=2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://marc.info/?l=bugtraq&m=108437852004207&w=2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://marc.info/?l=bugtraq&m=108731648532365&w=2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://security.gentoo.org/glsa/glsa-200405-22.xml\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.iss.net/security_center/static/11412.php\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-082.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-083.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-104.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-139.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-243.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-244.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/9930\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.trustix.org/errata/2004/0017\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.trustix.org/errata/2004/0027\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://marc.info/?l=bugtraq&m=104612710031920&w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://marc.info/?l=bugtraq&m=108369640424244&w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://marc.info/?l=bugtraq&m=108437852004207&w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://marc.info/?l=bugtraq&m=108731648532365&w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://security.gentoo.org/glsa/glsa-200405-22.xml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.iss.net/security_center/static/11412.php\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-082.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-083.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-104.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-139.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-243.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-244.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/9930\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.trustix.org/errata/2004/0017\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.trustix.org/errata/2004/0027\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}],\"vendorComments\":[{\"organization\":\"Apache\",\"comment\":\"Fixed in Apache HTTP Server 2.0.49 and 1.3.31\\nhttp://httpd.apache.org/security/vulnerabilities_20.html\\nhttp://httpd.apache.org/security/vulnerabilities_13.html\",\"lastModified\":\"2008-07-02T00:00:00\"}]}}",
   },
}

rhsa-2003_243

Vulnerability from csaf_redhat

Published

2003-09-22 08:34

Modified

2024-11-21 22:48

Summary

Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities

Notes

Topic

Updated Apache and mod_ssl packages that fix several minor security issues are now available for Red Hat Linux 7.1, 7.2, and 7.3.

Details

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. Ben Laurie found a bug in the optional renegotiation code in mod_ssl which can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0192 to this issue. Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0020 to this issue. It is possible to get Apache 1.3 to get into an infinite loop handling internal redirects and nested subrequests. A patch for this issue adds a new LimitInternalRecursion directive. All users of the Apache HTTP Web Server are advised to upgrade to the applicable errata packages, which contain back-ported fixes correcting these issues. After the errata packages are installed, restart the Web service by running the following command: /sbin/service httpd restart

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Linux 7.1, 7.2, and 7.3.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences.  The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:243",
            url: "https://access.redhat.com/errata/RHSA-2003:243",
         },
         {
            category: "external",
            summary: "http://www.apacheweek.com/issues/03-07-11#security",
            url: "http://www.apacheweek.com/issues/03-07-11#security",
         },
         {
            category: "external",
            summary: "60281",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=60281",
         },
         {
            category: "external",
            summary: "72245",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=72245",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_243.json",
         },
      ],
      title: "Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities",
      tracking: {
         current_release_date: "2024-11-21T22:48:37+00:00",
         generator: {
            date: "2024-11-21T22:48:37+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:243",
         initial_release_date: "2003-09-22T08:34:00+00:00",
         revision_history: [
            {
               date: "2003-09-22T08:34:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-09-22T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:48:37+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Linux 7.1",
                        product: {
                           name: "Red Hat Linux 7.1",
                           product_id: "Red Hat Linux 7.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:7.1",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux 7.2",
                        product: {
                           name: "Red Hat Linux 7.2",
                           product_id: "Red Hat Linux 7.2",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:7.2",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux 7.3",
                        product: {
                           name: "Red Hat Linux 7.3",
                           product_id: "Red Hat Linux 7.3",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:7.3",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 7.1",
               "Red Hat Linux 7.2",
               "Red Hat Linux 7.3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:34:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Linux 7.1",
                  "Red Hat Linux 7.2",
                  "Red Hat Linux 7.3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:243",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0192",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616998",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
               title: "Statement",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 7.1",
               "Red Hat Linux 7.2",
               "Red Hat Linux 7.3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0192",
            },
            {
               category: "external",
               summary: "RHBZ#1616998",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616998",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
            },
         ],
         release_date: "2003-07-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:34:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Linux 7.1",
                  "Red Hat Linux 7.2",
                  "Red Hat Linux 7.3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:243",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003:139

Vulnerability from csaf_redhat

Published

2003-04-09 16:31

Modified

2024-11-21 22:44

Summary

Red Hat Security Advisory: : Updated httpd packages fix security vulnerabilities.

Notes

Topic

Updated httpd packages which fix a number of security issues are now available for Red Hat Linux 8.0 and 9.

Details

The Apache HTTP Web Server is a secure, efficient, and extensible Web server that provides HTTP services. A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a significant denial of service (DoS) by sending requests containing lots of linefeed characters. Apache 2.0 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. All users of the Apache HTTP Web Server are advised to upgrade to the applicable errata packages containing back-ported fixes applied to Apache version 2.0.40. After the errata packages are installed, restart the Web service by running the following command: /sbin/service httpd restart

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Low",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated httpd packages which fix a number of security issues are\nnow available for Red Hat Linux 8.0 and 9.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP Web Server is a secure, efficient, and extensible Web\nserver that provides HTTP services.\n\nA memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause\na significant denial of service (DoS) by sending requests containing lots\nof linefeed characters.\n\nApache 2.0 does not filter terminal escape sequences from its access logs,\nwhich could make it easier for attackers to insert those sequences into\nterminal emulators containing vulnerabilities related to escape sequences.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences. \n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages containing back-ported fixes applied to Apache\nversion 2.0.40.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:139",
            url: "https://access.redhat.com/errata/RHSA-2003:139",
         },
         {
            category: "external",
            summary: "http://www.apacheweek.com/issues/03-04-04#security",
            url: "http://www.apacheweek.com/issues/03-04-04#security",
         },
         {
            category: "external",
            summary: "http://marc.theaimsgroup.com/?l=bugtraq&m=104931360606484",
            url: "http://marc.theaimsgroup.com/?l=bugtraq&m=104931360606484",
         },
         {
            category: "external",
            summary: "http://www.idefense.com/advisory/04.08.03.txt",
            url: "http://www.idefense.com/advisory/04.08.03.txt",
         },
         {
            category: "external",
            summary: "73428",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=73428",
         },
         {
            category: "external",
            summary: "82142",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=82142",
         },
         {
            category: "external",
            summary: "82587",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=82587",
         },
         {
            category: "external",
            summary: "86254",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=86254",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_139.json",
         },
      ],
      title: "Red Hat Security Advisory: : Updated httpd packages fix security vulnerabilities.",
      tracking: {
         current_release_date: "2024-11-21T22:44:42+00:00",
         generator: {
            date: "2024-11-21T22:44:42+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:139",
         initial_release_date: "2003-04-09T16:31:00+00:00",
         revision_history: [
            {
               date: "2003-04-09T16:31:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-04-09T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:44:42+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Linux 8.0",
                        product: {
                           name: "Red Hat Linux 8.0",
                           product_id: "Red Hat Linux 8.0",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:8.0",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux 9",
                        product: {
                           name: "Red Hat Linux 9",
                           product_id: "Red Hat Linux 9",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:9",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 8.0",
               "Red Hat Linux 9",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-04-09T16:31:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Red Hat Linux 8.0",
                  "Red Hat Linux 9",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:139",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0083",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616961",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 8.0",
               "Red Hat Linux 9",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0083",
            },
            {
               category: "external",
               summary: "RHBZ#1616961",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616961",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-04-09T16:31:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Red Hat Linux 8.0",
                  "Red Hat Linux 9",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:139",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0132",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616977",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 8.0",
               "Red Hat Linux 9",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0132",
            },
            {
               category: "external",
               summary: "RHBZ#1616977",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616977",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0132",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0132",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0132",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0132",
            },
         ],
         release_date: "2003-04-02T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-04-09T16:31:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Red Hat Linux 8.0",
                  "Red Hat Linux 9",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:139",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003:082

Vulnerability from csaf_redhat

Published

2003-03-03 09:16

Modified

2024-11-21 22:41

Summary

Red Hat Security Advisory: apache, openssl, php, tomcat security update for Stronghold

Notes

Topic

Updated versions of Stronghold 4 cross-platform are available to fix a number of vulnerabilities in OpenSSL, Apache, PHP, and Tomcat. Also included in this update are bug fixes for mod_proxy and the mod_authz_ldap package.

Details

Stronghold 4 cross platform contains a number of open source technologies such as OpenSSL, Apache, and PHP. A number of issues have been found in versions of these projects: In a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin Vuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS. An active attacker may be able to use timing observations to distinguish between two different error cases: cipher padding errors and MAC verification errors. Over multiple connections this can leak sufficient information to be able to retrieve the plain text of a common, fixed block. In order for an attack to be successful an attacker must be able to act as a man-in-the-middle to intercept and modify multiple connections which all involve a common fixed plain text block (such as a password), and have good network conditions that allow small changes in timing to be reliably observed. The Apache Web server does not prevent escape sequences from being written to the error log. This could allow an attacker to embed arbitrary escape sequences into the log file. A recent paper by HD Moore highlighted several issues where common terminal emulator software (such as xterm) can be remotely abused or exploited by displaying arbitrary escape sequences. The MySQL client library (libmysqlclient) used in the PHP MySQL extension in PHP versions earlier than 4.3.0 does not properly verify length fields for certain responses in the read_rows or read_one_row routines, which allows a malicious server to cause a denial of service and possibly execute arbitrary code. A source code exposure vulnerability has been found that affects Tomcat versions 4.0.0 through 4.0.5 and 4.1.0 through 4.1.12, in a variant of the issue addressed in RHSA-2002:217. Using a carefully crafted request, a remote attacker can read the source code of any deployed JSP file. In addition to the security fixes, two bug fixes have also been applied: If Apache is configured to act as a reverse proxy by specifying the backend server using a numeric IP address, the mod_proxy module will perform a redundant reverse DNS lookup on the IP address, causing a delay in request processing. A bug in mod_authz_ldap version 0.21 and earlier prevent authentication being performed by other Apache modules (such as filed-based authentication using mod_auth) when the mod_authz_ldap module is loaded. Stronghold 4 cross platform contains OpenSSL 0.9.6c, Apache 1.3.22, PHP 4.1.2, Tomcat 4.0.5, and mod_authz_ldap 0.19, and is therefore vulnerable to these issues. Users of Stronghold are advised to update to the errata versions of Stronghold 4 which contain backported security fixes and are not vulnerable to these issues.

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated versions of Stronghold 4 cross-platform are available to fix a\nnumber of vulnerabilities in OpenSSL, Apache, PHP, and Tomcat.\n\nAlso included in this update are bug fixes for mod_proxy and the\nmod_authz_ldap package.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Stronghold 4 cross platform contains a number of open source technologies\nsuch as OpenSSL, Apache, and PHP. A number of issues have been found in\nversions of these projects:\n\nIn a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin\nVuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites\nin SSL and TLS. An active attacker may be able to use timing observations\nto distinguish between two different error cases: cipher padding errors and\nMAC verification errors. Over multiple connections this can leak\nsufficient information to be able to retrieve the plain text of a common,\nfixed block. In order for an attack to be successful an attacker must be\nable to act as a man-in-the-middle to intercept and modify multiple\nconnections which all involve a common fixed plain text block (such as a\npassword), and have good network conditions that allow small changes in\ntiming to be reliably observed.\n\nThe Apache Web server does not prevent escape sequences from being written\nto the error log. This could allow an attacker to embed arbitrary escape\nsequences into the log file. A recent paper by HD Moore highlighted\nseveral issues where common terminal emulator software (such as xterm) can\nbe remotely abused or exploited by displaying arbitrary escape sequences.\n\nThe MySQL client library (libmysqlclient) used in the PHP MySQL extension\nin PHP versions earlier than 4.3.0 does not properly verify length fields\nfor certain responses in the read_rows or read_one_row routines, which\nallows a malicious server to cause a denial of service and possibly execute\narbitrary code.\n\nA source code exposure vulnerability has been found that affects Tomcat\nversions 4.0.0 through 4.0.5 and 4.1.0 through 4.1.12, in a variant of\nthe issue addressed in RHSA-2002:217. Using a carefully crafted request, a\nremote attacker can read the source code of any deployed JSP file.\n\nIn addition to the security fixes, two bug fixes have also been applied:\n\nIf Apache is configured to act as a reverse proxy by specifying the backend\nserver using a numeric IP address, the mod_proxy module will perform a\nredundant reverse DNS lookup on the IP address, causing a delay in request\nprocessing.\n\nA bug in mod_authz_ldap version 0.21 and earlier prevent\nauthentication being performed by other Apache modules (such as\nfiled-based authentication using mod_auth) when the mod_authz_ldap module\nis loaded.\n\nStronghold 4 cross platform contains OpenSSL 0.9.6c, Apache 1.3.22, PHP\n4.1.2, Tomcat 4.0.5, and mod_authz_ldap 0.19, and is therefore vulnerable\nto these issues. Users of Stronghold are advised to update to the errata\nversions of Stronghold 4 which contain backported security fixes and are\nnot vulnerable to these issues.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:082",
            url: "https://access.redhat.com/errata/RHSA-2003:082",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps",
            url: "http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps",
         },
         {
            category: "external",
            summary: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
            url: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
         },
         {
            category: "external",
            summary: "80057",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=80057",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_082.json",
         },
      ],
      title: "Red Hat Security Advisory: apache, openssl, php, tomcat security update for Stronghold",
      tracking: {
         current_release_date: "2024-11-21T22:41:49+00:00",
         generator: {
            date: "2024-11-21T22:41:49+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:082",
         initial_release_date: "2003-03-03T09:16:00+00:00",
         revision_history: [
            {
               date: "2003-03-03T09:16:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-02-27T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:41:49+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Stronghold 4",
                        product: {
                           name: "Red Hat Stronghold 4",
                           product_id: "Red Hat Stronghold 4",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:stronghold:4",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Stronghold Cross Platform",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2002-1376",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616897",
            },
         ],
         notes: [
            {
               category: "description",
               text: "libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to 4.0.6, does not properly verify length fields for certain responses in the (1) read_rows or (2) read_one_row routines, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2002-1376",
            },
            {
               category: "external",
               summary: "RHBZ#1616897",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616897",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
               url: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
            },
         ],
         release_date: "2002-12-12T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2002-1394",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616907",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2002-1394",
            },
            {
               category: "external",
               summary: "RHBZ#1616907",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616907",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2002-1394",
               url: "https://www.cve.org/CVERecord?id=CVE-2002-1394",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2002-1394",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2002-1394",
            },
         ],
         release_date: "2002-10-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0078",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616956",
            },
         ],
         notes: [
            {
               category: "description",
               text: "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\"",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0078",
            },
            {
               category: "external",
               summary: "RHBZ#1616956",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616956",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
            },
         ],
         release_date: "2003-02-19T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003:243

Vulnerability from csaf_redhat

Published

2003-09-22 08:34

Modified

2024-11-21 22:48

Summary

Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities

Notes

Topic

Updated Apache and mod_ssl packages that fix several minor security issues are now available for Red Hat Linux 7.1, 7.2, and 7.3.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Linux 7.1, 7.2, and 7.3.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences.  The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:243",
            url: "https://access.redhat.com/errata/RHSA-2003:243",
         },
         {
            category: "external",
            summary: "http://www.apacheweek.com/issues/03-07-11#security",
            url: "http://www.apacheweek.com/issues/03-07-11#security",
         },
         {
            category: "external",
            summary: "60281",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=60281",
         },
         {
            category: "external",
            summary: "72245",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=72245",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_243.json",
         },
      ],
      title: "Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities",
      tracking: {
         current_release_date: "2024-11-21T22:48:37+00:00",
         generator: {
            date: "2024-11-21T22:48:37+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:243",
         initial_release_date: "2003-09-22T08:34:00+00:00",
         revision_history: [
            {
               date: "2003-09-22T08:34:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-09-22T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:48:37+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Linux 7.1",
                        product: {
                           name: "Red Hat Linux 7.1",
                           product_id: "Red Hat Linux 7.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:7.1",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux 7.2",
                        product: {
                           name: "Red Hat Linux 7.2",
                           product_id: "Red Hat Linux 7.2",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:7.2",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux 7.3",
                        product: {
                           name: "Red Hat Linux 7.3",
                           product_id: "Red Hat Linux 7.3",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:7.3",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 7.1",
               "Red Hat Linux 7.2",
               "Red Hat Linux 7.3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:34:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Linux 7.1",
                  "Red Hat Linux 7.2",
                  "Red Hat Linux 7.3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:243",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0192",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616998",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
               title: "Statement",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 7.1",
               "Red Hat Linux 7.2",
               "Red Hat Linux 7.3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0192",
            },
            {
               category: "external",
               summary: "RHBZ#1616998",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616998",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
            },
         ],
         release_date: "2003-07-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:34:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Linux 7.1",
                  "Red Hat Linux 7.2",
                  "Red Hat Linux 7.3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:243",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003_082

Vulnerability from csaf_redhat

Published

2003-03-03 09:16

Modified

2024-11-21 22:41

Summary

Red Hat Security Advisory: apache, openssl, php, tomcat security update for Stronghold

Notes

Topic

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated versions of Stronghold 4 cross-platform are available to fix a\nnumber of vulnerabilities in OpenSSL, Apache, PHP, and Tomcat.\n\nAlso included in this update are bug fixes for mod_proxy and the\nmod_authz_ldap package.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Stronghold 4 cross platform contains a number of open source technologies\nsuch as OpenSSL, Apache, and PHP. A number of issues have been found in\nversions of these projects:\n\nIn a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin\nVuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites\nin SSL and TLS. An active attacker may be able to use timing observations\nto distinguish between two different error cases: cipher padding errors and\nMAC verification errors. Over multiple connections this can leak\nsufficient information to be able to retrieve the plain text of a common,\nfixed block. In order for an attack to be successful an attacker must be\nable to act as a man-in-the-middle to intercept and modify multiple\nconnections which all involve a common fixed plain text block (such as a\npassword), and have good network conditions that allow small changes in\ntiming to be reliably observed.\n\nThe Apache Web server does not prevent escape sequences from being written\nto the error log. This could allow an attacker to embed arbitrary escape\nsequences into the log file. A recent paper by HD Moore highlighted\nseveral issues where common terminal emulator software (such as xterm) can\nbe remotely abused or exploited by displaying arbitrary escape sequences.\n\nThe MySQL client library (libmysqlclient) used in the PHP MySQL extension\nin PHP versions earlier than 4.3.0 does not properly verify length fields\nfor certain responses in the read_rows or read_one_row routines, which\nallows a malicious server to cause a denial of service and possibly execute\narbitrary code.\n\nA source code exposure vulnerability has been found that affects Tomcat\nversions 4.0.0 through 4.0.5 and 4.1.0 through 4.1.12, in a variant of\nthe issue addressed in RHSA-2002:217. Using a carefully crafted request, a\nremote attacker can read the source code of any deployed JSP file.\n\nIn addition to the security fixes, two bug fixes have also been applied:\n\nIf Apache is configured to act as a reverse proxy by specifying the backend\nserver using a numeric IP address, the mod_proxy module will perform a\nredundant reverse DNS lookup on the IP address, causing a delay in request\nprocessing.\n\nA bug in mod_authz_ldap version 0.21 and earlier prevent\nauthentication being performed by other Apache modules (such as\nfiled-based authentication using mod_auth) when the mod_authz_ldap module\nis loaded.\n\nStronghold 4 cross platform contains OpenSSL 0.9.6c, Apache 1.3.22, PHP\n4.1.2, Tomcat 4.0.5, and mod_authz_ldap 0.19, and is therefore vulnerable\nto these issues. Users of Stronghold are advised to update to the errata\nversions of Stronghold 4 which contain backported security fixes and are\nnot vulnerable to these issues.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:082",
            url: "https://access.redhat.com/errata/RHSA-2003:082",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps",
            url: "http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps",
         },
         {
            category: "external",
            summary: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
            url: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
         },
         {
            category: "external",
            summary: "80057",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=80057",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_082.json",
         },
      ],
      title: "Red Hat Security Advisory: apache, openssl, php, tomcat security update for Stronghold",
      tracking: {
         current_release_date: "2024-11-21T22:41:49+00:00",
         generator: {
            date: "2024-11-21T22:41:49+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:082",
         initial_release_date: "2003-03-03T09:16:00+00:00",
         revision_history: [
            {
               date: "2003-03-03T09:16:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-02-27T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:41:49+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Stronghold 4",
                        product: {
                           name: "Red Hat Stronghold 4",
                           product_id: "Red Hat Stronghold 4",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:stronghold:4",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Stronghold Cross Platform",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2002-1376",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616897",
            },
         ],
         notes: [
            {
               category: "description",
               text: "libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to 4.0.6, does not properly verify length fields for certain responses in the (1) read_rows or (2) read_one_row routines, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2002-1376",
            },
            {
               category: "external",
               summary: "RHBZ#1616897",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616897",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
               url: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
            },
         ],
         release_date: "2002-12-12T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2002-1394",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616907",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2002-1394",
            },
            {
               category: "external",
               summary: "RHBZ#1616907",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616907",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2002-1394",
               url: "https://www.cve.org/CVERecord?id=CVE-2002-1394",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2002-1394",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2002-1394",
            },
         ],
         release_date: "2002-10-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0078",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616956",
            },
         ],
         notes: [
            {
               category: "description",
               text: "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\"",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0078",
            },
            {
               category: "external",
               summary: "RHBZ#1616956",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616956",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
            },
         ],
         release_date: "2003-02-19T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003:104

Vulnerability from csaf_redhat

Published

2003-03-18 11:01

Modified

2024-11-21 22:41

Summary

Red Hat Security Advisory: apache, openssl, php security update for Stronghold

Notes

Topic

Updated versions of Stronghold 3.0 are available to fix a number of vulnerabilities in OpenSSL, Apache, and PHP.

Details

Stronghold 3.0 contains a number of open source technologies such as OpenSSL, Apache, and PHP. The following paragraphs describe a number of issues that have been found in versions of these projects. In a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin Vuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS. An active attacker may be able to use timing observations to distinguish between two different error cases: cipher padding errors and MAC verification errors. Over multiple connections this can leak sufficient information to be able to retrieve the plain text of a common, fixed block. In order for an attack to be successful an attacker must be able to act as a man-in-the-middle to intercept and modify multiple connections which all involve a common fixed plain text block (such as a password), and have good network conditions that allow small changes in timing to be reliably observed. The SSL timing attack announced recently by David Brumly and Dan Boneh is not fixed by this erratum; this new issue will be addressed by a future erratum release. The Apache Web server does not prevent escape sequences from being written to log files. This could allow an attacker to embed arbitrary escape sequences into log files. A recent paper by HD Moore highlighted several issues where common terminal emulator software (such as xterm) can be remotely abused or exploited by displaying arbitrary escape sequences. The MySQL client library (libmysqlclient) used in the PHP MySQL extension in PHP versions earlier than 4.3.0 does not properly verify length fields for certain responses in the read_rows or read_one_row routines, which allows a malicious server to cause a denial of service and possibly execute arbitrary code. Stronghold 3.0 contains OpenSSL 0.9.6b, Apache 1.3.22, and PHP 4.1.2 and is, therefore, vulnerable to these issues. Users of Stronghold are advised to update to the errata versions of Stronghold 3.0 which contain backported security fixes and are not vulnerable to these issues.

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated versions of Stronghold 3.0 are available to fix a number of\nvulnerabilities in OpenSSL, Apache, and PHP.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Stronghold 3.0 contains a number of open source technologies such as\nOpenSSL, Apache, and PHP. The following paragraphs describe a number of\nissues that have been found in versions of these projects.\n\nIn a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin\nVuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites\nin SSL and TLS. An active attacker may be able to use timing observations\nto distinguish between two different error cases: cipher padding errors and\nMAC verification errors. Over multiple connections this can leak\nsufficient information to be able to retrieve the plain text of a common,\nfixed block. In order for an attack to be successful an attacker must be\nable to act as a man-in-the-middle to intercept and modify multiple\nconnections which all involve a common fixed plain text block (such as a\npassword), and have good network conditions that allow small changes in\ntiming to be reliably observed.\n\nThe SSL timing attack announced recently by David Brumly and Dan Boneh\nis not fixed by this erratum; this new issue will be addressed by a\nfuture erratum release.\n\nThe Apache Web server does not prevent escape sequences from being written\nto log files. This could allow an attacker to embed arbitrary escape\nsequences into log files. A recent paper by HD Moore highlighted\nseveral issues where common terminal emulator software (such as xterm) can\nbe remotely abused or exploited by displaying arbitrary escape sequences.\n\nThe MySQL client library (libmysqlclient) used in the PHP MySQL extension\nin PHP versions earlier than 4.3.0 does not properly verify length fields\nfor certain responses in the read_rows or read_one_row routines, which\nallows a malicious server to cause a denial of service and possibly execute\narbitrary code.\n\nStronghold 3.0 contains OpenSSL 0.9.6b, Apache 1.3.22, and PHP\n4.1.2 and is, therefore, vulnerable to these issues. Users of Stronghold are\nadvised to update to the errata versions of Stronghold 3.0 which contain\nbackported security fixes and are not vulnerable to these issues.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:104",
            url: "https://access.redhat.com/errata/RHSA-2003:104",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "http://stronghold.redhat.com/",
            url: "http://stronghold.redhat.com/",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_104.json",
         },
      ],
      title: "Red Hat Security Advisory: apache, openssl, php security update for Stronghold",
      tracking: {
         current_release_date: "2024-11-21T22:41:57+00:00",
         generator: {
            date: "2024-11-21T22:41:57+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:104",
         initial_release_date: "2003-03-18T11:01:00+00:00",
         revision_history: [
            {
               date: "2003-03-18T11:01:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-03-18T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:41:57+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Stronghold 3",
                        product: {
                           name: "Red Hat Stronghold 3",
                           product_id: "Red Hat Stronghold 3",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:stronghold:3",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Stronghold Cross Platform",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2002-1376",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616897",
            },
         ],
         notes: [
            {
               category: "description",
               text: "libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to 4.0.6, does not properly verify length fields for certain responses in the (1) read_rows or (2) read_one_row routines, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2002-1376",
            },
            {
               category: "external",
               summary: "RHBZ#1616897",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616897",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
               url: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
            },
         ],
         release_date: "2002-12-12T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0078",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616956",
            },
         ],
         notes: [
            {
               category: "description",
               text: "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\"",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0078",
            },
            {
               category: "external",
               summary: "RHBZ#1616956",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616956",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
            },
         ],
         release_date: "2003-02-19T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0083",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616961",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0083",
            },
            {
               category: "external",
               summary: "RHBZ#1616961",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616961",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003_104

Vulnerability from csaf_redhat

Published

2003-03-18 11:01

Modified

2024-11-21 22:41

Summary

Red Hat Security Advisory: apache, openssl, php security update for Stronghold

Notes

Topic

Updated versions of Stronghold 3.0 are available to fix a number of vulnerabilities in OpenSSL, Apache, and PHP.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated versions of Stronghold 3.0 are available to fix a number of\nvulnerabilities in OpenSSL, Apache, and PHP.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Stronghold 3.0 contains a number of open source technologies such as\nOpenSSL, Apache, and PHP. The following paragraphs describe a number of\nissues that have been found in versions of these projects.\n\nIn a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin\nVuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites\nin SSL and TLS. An active attacker may be able to use timing observations\nto distinguish between two different error cases: cipher padding errors and\nMAC verification errors. Over multiple connections this can leak\nsufficient information to be able to retrieve the plain text of a common,\nfixed block. In order for an attack to be successful an attacker must be\nable to act as a man-in-the-middle to intercept and modify multiple\nconnections which all involve a common fixed plain text block (such as a\npassword), and have good network conditions that allow small changes in\ntiming to be reliably observed.\n\nThe SSL timing attack announced recently by David Brumly and Dan Boneh\nis not fixed by this erratum; this new issue will be addressed by a\nfuture erratum release.\n\nThe Apache Web server does not prevent escape sequences from being written\nto log files. This could allow an attacker to embed arbitrary escape\nsequences into log files. A recent paper by HD Moore highlighted\nseveral issues where common terminal emulator software (such as xterm) can\nbe remotely abused or exploited by displaying arbitrary escape sequences.\n\nThe MySQL client library (libmysqlclient) used in the PHP MySQL extension\nin PHP versions earlier than 4.3.0 does not properly verify length fields\nfor certain responses in the read_rows or read_one_row routines, which\nallows a malicious server to cause a denial of service and possibly execute\narbitrary code.\n\nStronghold 3.0 contains OpenSSL 0.9.6b, Apache 1.3.22, and PHP\n4.1.2 and is, therefore, vulnerable to these issues. Users of Stronghold are\nadvised to update to the errata versions of Stronghold 3.0 which contain\nbackported security fixes and are not vulnerable to these issues.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:104",
            url: "https://access.redhat.com/errata/RHSA-2003:104",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "http://stronghold.redhat.com/",
            url: "http://stronghold.redhat.com/",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_104.json",
         },
      ],
      title: "Red Hat Security Advisory: apache, openssl, php security update for Stronghold",
      tracking: {
         current_release_date: "2024-11-21T22:41:57+00:00",
         generator: {
            date: "2024-11-21T22:41:57+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:104",
         initial_release_date: "2003-03-18T11:01:00+00:00",
         revision_history: [
            {
               date: "2003-03-18T11:01:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-03-18T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:41:57+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Stronghold 3",
                        product: {
                           name: "Red Hat Stronghold 3",
                           product_id: "Red Hat Stronghold 3",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:stronghold:3",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Stronghold Cross Platform",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2002-1376",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616897",
            },
         ],
         notes: [
            {
               category: "description",
               text: "libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to 4.0.6, does not properly verify length fields for certain responses in the (1) read_rows or (2) read_one_row routines, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2002-1376",
            },
            {
               category: "external",
               summary: "RHBZ#1616897",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616897",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
               url: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
            },
         ],
         release_date: "2002-12-12T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0078",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616956",
            },
         ],
         notes: [
            {
               category: "description",
               text: "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\"",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0078",
            },
            {
               category: "external",
               summary: "RHBZ#1616956",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616956",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
            },
         ],
         release_date: "2003-02-19T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0083",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616961",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0083",
            },
            {
               category: "external",
               summary: "RHBZ#1616961",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616961",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         title: "security flaw",
      },
   ],
}

RHSA-2003:243

Vulnerability from csaf_redhat

Published

2003-09-22 08:34

Modified

2024-11-21 22:48

Summary

Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities

Notes

Topic

Updated Apache and mod_ssl packages that fix several minor security issues are now available for Red Hat Linux 7.1, 7.2, and 7.3.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Linux 7.1, 7.2, and 7.3.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences.  The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:243",
            url: "https://access.redhat.com/errata/RHSA-2003:243",
         },
         {
            category: "external",
            summary: "http://www.apacheweek.com/issues/03-07-11#security",
            url: "http://www.apacheweek.com/issues/03-07-11#security",
         },
         {
            category: "external",
            summary: "60281",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=60281",
         },
         {
            category: "external",
            summary: "72245",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=72245",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_243.json",
         },
      ],
      title: "Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities",
      tracking: {
         current_release_date: "2024-11-21T22:48:37+00:00",
         generator: {
            date: "2024-11-21T22:48:37+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:243",
         initial_release_date: "2003-09-22T08:34:00+00:00",
         revision_history: [
            {
               date: "2003-09-22T08:34:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-09-22T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:48:37+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Linux 7.1",
                        product: {
                           name: "Red Hat Linux 7.1",
                           product_id: "Red Hat Linux 7.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:7.1",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux 7.2",
                        product: {
                           name: "Red Hat Linux 7.2",
                           product_id: "Red Hat Linux 7.2",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:7.2",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux 7.3",
                        product: {
                           name: "Red Hat Linux 7.3",
                           product_id: "Red Hat Linux 7.3",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:7.3",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 7.1",
               "Red Hat Linux 7.2",
               "Red Hat Linux 7.3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:34:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Linux 7.1",
                  "Red Hat Linux 7.2",
                  "Red Hat Linux 7.3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:243",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0192",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616998",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
               title: "Statement",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 7.1",
               "Red Hat Linux 7.2",
               "Red Hat Linux 7.3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0192",
            },
            {
               category: "external",
               summary: "RHBZ#1616998",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616998",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
            },
         ],
         release_date: "2003-07-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:34:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Linux 7.1",
                  "Red Hat Linux 7.2",
                  "Red Hat Linux 7.3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:243",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003_083

Vulnerability from csaf_redhat

Published

2003-06-18 10:49

Modified

2024-11-21 22:41

Summary

Red Hat Security Advisory: apache security update for Stronghold

Notes

Topic

Updated Apache packages are available which fix a security issue by preventing control characters from being written to the error log. The updated packages also include a minor bug fix for mod_proxy.

Details

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. The Apache Web server before 1.3.25 does not prevent escape sequences from being written to the error and access logs. This could allow an attacker to embed arbitrary escape sequences into the log file. A recent paper by HD Moore highlighted several issues where common terminal emulator software (such as xterm) can be remotely abused or exploited by displaying arbitrary escape sequences. If Apache is configured to act as a reverse proxy by specifying the backend server using a numeric IP address, the mod_proxy module will perform a redundant reverse DNS lookup on the IP address, causing a delay in request processing. Users are advised to install these updated packages which contain: a patched version of Apache which prevents control characters from being written to log files; and a patched version of mod_proxy which does not perform reverse DNS lookups unless necessary.

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Low",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated Apache packages are available which fix a security issue by\npreventing control characters from being written to the error log. The\nupdated packages also include a minor bug fix for mod_proxy.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nThe Apache Web server before 1.3.25 does not prevent escape sequences from\nbeing written to the error and access logs.  This could allow an attacker\nto embed arbitrary escape sequences into the log file.  A recent paper by\nHD Moore highlighted several issues where common terminal emulator software\n(such as xterm) can be remotely abused or exploited by displaying arbitrary\nescape sequences. \n\nIf Apache is configured to act as a reverse proxy by specifying the backend\nserver using a numeric IP address, the mod_proxy module will perform a\nredundant reverse DNS lookup on the IP address, causing a delay in request\nprocessing.\n\nUsers are advised to install these updated packages which contain: a\npatched version of Apache which prevents control characters from being \nwritten to log files; and a patched version of mod_proxy which does not\nperform reverse DNS lookups unless necessary.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:083",
            url: "https://access.redhat.com/errata/RHSA-2003:083",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#low",
            url: "https://access.redhat.com/security/updates/classification/#low",
         },
         {
            category: "external",
            summary: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
            url: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_083.json",
         },
      ],
      title: "Red Hat Security Advisory: apache security update for Stronghold",
      tracking: {
         current_release_date: "2024-11-21T22:41:54+00:00",
         generator: {
            date: "2024-11-21T22:41:54+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:083",
         initial_release_date: "2003-06-18T10:49:00+00:00",
         revision_history: [
            {
               date: "2003-06-18T10:49:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-06-18T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:41:54+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Stronghold 4 for Red Hat Enterprise Linux",
                        product: {
                           name: "Stronghold 4 for Red Hat Enterprise Linux",
                           product_id: "Stronghold 4 for Red Hat Enterprise Linux",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:rhel_stronghold:4",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Stronghold 4.0 for Red Hat Enterprise Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Stronghold 4 for Red Hat Enterprise Linux",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-06-18T10:49:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Stronghold 4 for Red Hat Enterprise Linux",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:083",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0083",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616961",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Stronghold 4 for Red Hat Enterprise Linux",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0083",
            },
            {
               category: "external",
               summary: "RHBZ#1616961",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616961",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-06-18T10:49:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Stronghold 4 for Red Hat Enterprise Linux",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:083",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003:244

Vulnerability from csaf_redhat

Published

2003-09-22 08:39

Modified

2024-11-21 22:48

Summary

Red Hat Security Advisory: apache security update

Notes

Topic

Updated Apache and mod_ssl packages that fix several minor security issues are now available for Red Hat Enterprise Linux.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Enterprise Linux.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences.  The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:244",
            url: "https://access.redhat.com/errata/RHSA-2003:244",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#moderate",
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            category: "external",
            summary: "http://www.apacheweek.com/issues/03-07-11#security",
            url: "http://www.apacheweek.com/issues/03-07-11#security",
         },
         {
            category: "external",
            summary: "98919",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=98919",
         },
         {
            category: "external",
            summary: "100430",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=100430",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_244.json",
         },
      ],
      title: "Red Hat Security Advisory: apache security update",
      tracking: {
         current_release_date: "2024-11-21T22:48:41+00:00",
         generator: {
            date: "2024-11-21T22:48:41+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:244",
         initial_release_date: "2003-09-22T08:39:00+00:00",
         revision_history: [
            {
               date: "2003-09-22T08:39:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-09-22T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:48:41+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                        product: {
                           name: "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                           product_id: "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::as",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux Advanced Workstation 2.1",
                        product: {
                           name: "Red Hat Linux Advanced Workstation 2.1",
                           product_id: "Red Hat Linux Advanced Workstation 2.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::aw",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux ES version 2.1",
                        product: {
                           name: "Red Hat Enterprise Linux ES version 2.1",
                           product_id: "Red Hat Enterprise Linux ES version 2.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::es",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux WS version 2.1",
                        product: {
                           name: "Red Hat Enterprise Linux WS version 2.1",
                           product_id: "Red Hat Enterprise Linux WS version 2.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::ws",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Enterprise Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
               "Red Hat Enterprise Linux ES version 2.1",
               "Red Hat Enterprise Linux WS version 2.1",
               "Red Hat Linux Advanced Workstation 2.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:39:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "Red Hat Enterprise Linux ES version 2.1",
                  "Red Hat Enterprise Linux WS version 2.1",
                  "Red Hat Linux Advanced Workstation 2.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:244",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0192",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616998",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
               title: "Statement",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
               "Red Hat Enterprise Linux ES version 2.1",
               "Red Hat Enterprise Linux WS version 2.1",
               "Red Hat Linux Advanced Workstation 2.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0192",
            },
            {
               category: "external",
               summary: "RHBZ#1616998",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616998",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
            },
         ],
         release_date: "2003-07-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:39:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "Red Hat Enterprise Linux ES version 2.1",
                  "Red Hat Enterprise Linux WS version 2.1",
                  "Red Hat Linux Advanced Workstation 2.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:244",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
   ],
}

RHSA-2003:139

Vulnerability from csaf_redhat

Published

2003-04-09 16:31

Modified

2024-11-21 22:44

Summary

Red Hat Security Advisory: : Updated httpd packages fix security vulnerabilities.

Notes

Topic

Updated httpd packages which fix a number of security issues are now available for Red Hat Linux 8.0 and 9.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Low",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated httpd packages which fix a number of security issues are\nnow available for Red Hat Linux 8.0 and 9.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP Web Server is a secure, efficient, and extensible Web\nserver that provides HTTP services.\n\nA memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause\na significant denial of service (DoS) by sending requests containing lots\nof linefeed characters.\n\nApache 2.0 does not filter terminal escape sequences from its access logs,\nwhich could make it easier for attackers to insert those sequences into\nterminal emulators containing vulnerabilities related to escape sequences.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences. \n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages containing back-ported fixes applied to Apache\nversion 2.0.40.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:139",
            url: "https://access.redhat.com/errata/RHSA-2003:139",
         },
         {
            category: "external",
            summary: "http://www.apacheweek.com/issues/03-04-04#security",
            url: "http://www.apacheweek.com/issues/03-04-04#security",
         },
         {
            category: "external",
            summary: "http://marc.theaimsgroup.com/?l=bugtraq&m=104931360606484",
            url: "http://marc.theaimsgroup.com/?l=bugtraq&m=104931360606484",
         },
         {
            category: "external",
            summary: "http://www.idefense.com/advisory/04.08.03.txt",
            url: "http://www.idefense.com/advisory/04.08.03.txt",
         },
         {
            category: "external",
            summary: "73428",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=73428",
         },
         {
            category: "external",
            summary: "82142",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=82142",
         },
         {
            category: "external",
            summary: "82587",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=82587",
         },
         {
            category: "external",
            summary: "86254",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=86254",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_139.json",
         },
      ],
      title: "Red Hat Security Advisory: : Updated httpd packages fix security vulnerabilities.",
      tracking: {
         current_release_date: "2024-11-21T22:44:42+00:00",
         generator: {
            date: "2024-11-21T22:44:42+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:139",
         initial_release_date: "2003-04-09T16:31:00+00:00",
         revision_history: [
            {
               date: "2003-04-09T16:31:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-04-09T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:44:42+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Linux 8.0",
                        product: {
                           name: "Red Hat Linux 8.0",
                           product_id: "Red Hat Linux 8.0",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:8.0",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux 9",
                        product: {
                           name: "Red Hat Linux 9",
                           product_id: "Red Hat Linux 9",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:9",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 8.0",
               "Red Hat Linux 9",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-04-09T16:31:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Red Hat Linux 8.0",
                  "Red Hat Linux 9",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:139",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0083",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616961",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 8.0",
               "Red Hat Linux 9",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0083",
            },
            {
               category: "external",
               summary: "RHBZ#1616961",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616961",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-04-09T16:31:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Red Hat Linux 8.0",
                  "Red Hat Linux 9",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:139",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0132",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616977",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 8.0",
               "Red Hat Linux 9",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0132",
            },
            {
               category: "external",
               summary: "RHBZ#1616977",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616977",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0132",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0132",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0132",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0132",
            },
         ],
         release_date: "2003-04-02T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-04-09T16:31:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Red Hat Linux 8.0",
                  "Red Hat Linux 9",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:139",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003_139

Vulnerability from csaf_redhat

Published

2003-04-09 16:31

Modified

2024-11-21 22:44

Summary

Red Hat Security Advisory: : Updated httpd packages fix security vulnerabilities.

Notes

Topic

Updated httpd packages which fix a number of security issues are now available for Red Hat Linux 8.0 and 9.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Low",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated httpd packages which fix a number of security issues are\nnow available for Red Hat Linux 8.0 and 9.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP Web Server is a secure, efficient, and extensible Web\nserver that provides HTTP services.\n\nA memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause\na significant denial of service (DoS) by sending requests containing lots\nof linefeed characters.\n\nApache 2.0 does not filter terminal escape sequences from its access logs,\nwhich could make it easier for attackers to insert those sequences into\nterminal emulators containing vulnerabilities related to escape sequences.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences. \n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages containing back-ported fixes applied to Apache\nversion 2.0.40.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:139",
            url: "https://access.redhat.com/errata/RHSA-2003:139",
         },
         {
            category: "external",
            summary: "http://www.apacheweek.com/issues/03-04-04#security",
            url: "http://www.apacheweek.com/issues/03-04-04#security",
         },
         {
            category: "external",
            summary: "http://marc.theaimsgroup.com/?l=bugtraq&m=104931360606484",
            url: "http://marc.theaimsgroup.com/?l=bugtraq&m=104931360606484",
         },
         {
            category: "external",
            summary: "http://www.idefense.com/advisory/04.08.03.txt",
            url: "http://www.idefense.com/advisory/04.08.03.txt",
         },
         {
            category: "external",
            summary: "73428",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=73428",
         },
         {
            category: "external",
            summary: "82142",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=82142",
         },
         {
            category: "external",
            summary: "82587",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=82587",
         },
         {
            category: "external",
            summary: "86254",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=86254",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_139.json",
         },
      ],
      title: "Red Hat Security Advisory: : Updated httpd packages fix security vulnerabilities.",
      tracking: {
         current_release_date: "2024-11-21T22:44:42+00:00",
         generator: {
            date: "2024-11-21T22:44:42+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:139",
         initial_release_date: "2003-04-09T16:31:00+00:00",
         revision_history: [
            {
               date: "2003-04-09T16:31:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-04-09T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:44:42+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Linux 8.0",
                        product: {
                           name: "Red Hat Linux 8.0",
                           product_id: "Red Hat Linux 8.0",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:8.0",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux 9",
                        product: {
                           name: "Red Hat Linux 9",
                           product_id: "Red Hat Linux 9",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:linux:9",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 8.0",
               "Red Hat Linux 9",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-04-09T16:31:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Red Hat Linux 8.0",
                  "Red Hat Linux 9",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:139",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0083",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616961",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 8.0",
               "Red Hat Linux 9",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0083",
            },
            {
               category: "external",
               summary: "RHBZ#1616961",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616961",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-04-09T16:31:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Red Hat Linux 8.0",
                  "Red Hat Linux 9",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:139",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0132",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616977",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Linux 8.0",
               "Red Hat Linux 9",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0132",
            },
            {
               category: "external",
               summary: "RHBZ#1616977",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616977",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0132",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0132",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0132",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0132",
            },
         ],
         release_date: "2003-04-02T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-04-09T16:31:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Red Hat Linux 8.0",
                  "Red Hat Linux 9",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:139",
            },
         ],
         title: "security flaw",
      },
   ],
}

RHSA-2003:083

Vulnerability from csaf_redhat

Published

2003-06-18 10:49

Modified

2024-11-21 22:41

Summary

Red Hat Security Advisory: apache security update for Stronghold

Notes

Topic

Updated Apache packages are available which fix a security issue by preventing control characters from being written to the error log. The updated packages also include a minor bug fix for mod_proxy.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Low",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated Apache packages are available which fix a security issue by\npreventing control characters from being written to the error log. The\nupdated packages also include a minor bug fix for mod_proxy.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nThe Apache Web server before 1.3.25 does not prevent escape sequences from\nbeing written to the error and access logs.  This could allow an attacker\nto embed arbitrary escape sequences into the log file.  A recent paper by\nHD Moore highlighted several issues where common terminal emulator software\n(such as xterm) can be remotely abused or exploited by displaying arbitrary\nescape sequences. \n\nIf Apache is configured to act as a reverse proxy by specifying the backend\nserver using a numeric IP address, the mod_proxy module will perform a\nredundant reverse DNS lookup on the IP address, causing a delay in request\nprocessing.\n\nUsers are advised to install these updated packages which contain: a\npatched version of Apache which prevents control characters from being \nwritten to log files; and a patched version of mod_proxy which does not\nperform reverse DNS lookups unless necessary.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:083",
            url: "https://access.redhat.com/errata/RHSA-2003:083",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#low",
            url: "https://access.redhat.com/security/updates/classification/#low",
         },
         {
            category: "external",
            summary: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
            url: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_083.json",
         },
      ],
      title: "Red Hat Security Advisory: apache security update for Stronghold",
      tracking: {
         current_release_date: "2024-11-21T22:41:54+00:00",
         generator: {
            date: "2024-11-21T22:41:54+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:083",
         initial_release_date: "2003-06-18T10:49:00+00:00",
         revision_history: [
            {
               date: "2003-06-18T10:49:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-06-18T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:41:54+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Stronghold 4 for Red Hat Enterprise Linux",
                        product: {
                           name: "Stronghold 4 for Red Hat Enterprise Linux",
                           product_id: "Stronghold 4 for Red Hat Enterprise Linux",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:rhel_stronghold:4",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Stronghold 4.0 for Red Hat Enterprise Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Stronghold 4 for Red Hat Enterprise Linux",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-06-18T10:49:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Stronghold 4 for Red Hat Enterprise Linux",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:083",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0083",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616961",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Stronghold 4 for Red Hat Enterprise Linux",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0083",
            },
            {
               category: "external",
               summary: "RHBZ#1616961",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616961",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-06-18T10:49:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Stronghold 4 for Red Hat Enterprise Linux",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:083",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003:083

Vulnerability from csaf_redhat

Published

2003-06-18 10:49

Modified

2024-11-21 22:41

Summary

Red Hat Security Advisory: apache security update for Stronghold

Notes

Topic

Updated Apache packages are available which fix a security issue by preventing control characters from being written to the error log. The updated packages also include a minor bug fix for mod_proxy.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Low",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated Apache packages are available which fix a security issue by\npreventing control characters from being written to the error log. The\nupdated packages also include a minor bug fix for mod_proxy.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nThe Apache Web server before 1.3.25 does not prevent escape sequences from\nbeing written to the error and access logs.  This could allow an attacker\nto embed arbitrary escape sequences into the log file.  A recent paper by\nHD Moore highlighted several issues where common terminal emulator software\n(such as xterm) can be remotely abused or exploited by displaying arbitrary\nescape sequences. \n\nIf Apache is configured to act as a reverse proxy by specifying the backend\nserver using a numeric IP address, the mod_proxy module will perform a\nredundant reverse DNS lookup on the IP address, causing a delay in request\nprocessing.\n\nUsers are advised to install these updated packages which contain: a\npatched version of Apache which prevents control characters from being \nwritten to log files; and a patched version of mod_proxy which does not\nperform reverse DNS lookups unless necessary.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:083",
            url: "https://access.redhat.com/errata/RHSA-2003:083",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#low",
            url: "https://access.redhat.com/security/updates/classification/#low",
         },
         {
            category: "external",
            summary: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
            url: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_083.json",
         },
      ],
      title: "Red Hat Security Advisory: apache security update for Stronghold",
      tracking: {
         current_release_date: "2024-11-21T22:41:54+00:00",
         generator: {
            date: "2024-11-21T22:41:54+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:083",
         initial_release_date: "2003-06-18T10:49:00+00:00",
         revision_history: [
            {
               date: "2003-06-18T10:49:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-06-18T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:41:54+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Stronghold 4 for Red Hat Enterprise Linux",
                        product: {
                           name: "Stronghold 4 for Red Hat Enterprise Linux",
                           product_id: "Stronghold 4 for Red Hat Enterprise Linux",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:rhel_stronghold:4",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Stronghold 4.0 for Red Hat Enterprise Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Stronghold 4 for Red Hat Enterprise Linux",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-06-18T10:49:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Stronghold 4 for Red Hat Enterprise Linux",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:083",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0083",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616961",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Stronghold 4 for Red Hat Enterprise Linux",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0083",
            },
            {
               category: "external",
               summary: "RHBZ#1616961",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616961",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-06-18T10:49:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
               product_ids: [
                  "Stronghold 4 for Red Hat Enterprise Linux",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:083",
            },
         ],
         title: "security flaw",
      },
   ],
}

RHSA-2003:104

Vulnerability from csaf_redhat

Published

2003-03-18 11:01

Modified

2024-11-21 22:41

Summary

Red Hat Security Advisory: apache, openssl, php security update for Stronghold

Notes

Topic

Updated versions of Stronghold 3.0 are available to fix a number of vulnerabilities in OpenSSL, Apache, and PHP.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated versions of Stronghold 3.0 are available to fix a number of\nvulnerabilities in OpenSSL, Apache, and PHP.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Stronghold 3.0 contains a number of open source technologies such as\nOpenSSL, Apache, and PHP. The following paragraphs describe a number of\nissues that have been found in versions of these projects.\n\nIn a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin\nVuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites\nin SSL and TLS. An active attacker may be able to use timing observations\nto distinguish between two different error cases: cipher padding errors and\nMAC verification errors. Over multiple connections this can leak\nsufficient information to be able to retrieve the plain text of a common,\nfixed block. In order for an attack to be successful an attacker must be\nable to act as a man-in-the-middle to intercept and modify multiple\nconnections which all involve a common fixed plain text block (such as a\npassword), and have good network conditions that allow small changes in\ntiming to be reliably observed.\n\nThe SSL timing attack announced recently by David Brumly and Dan Boneh\nis not fixed by this erratum; this new issue will be addressed by a\nfuture erratum release.\n\nThe Apache Web server does not prevent escape sequences from being written\nto log files. This could allow an attacker to embed arbitrary escape\nsequences into log files. A recent paper by HD Moore highlighted\nseveral issues where common terminal emulator software (such as xterm) can\nbe remotely abused or exploited by displaying arbitrary escape sequences.\n\nThe MySQL client library (libmysqlclient) used in the PHP MySQL extension\nin PHP versions earlier than 4.3.0 does not properly verify length fields\nfor certain responses in the read_rows or read_one_row routines, which\nallows a malicious server to cause a denial of service and possibly execute\narbitrary code.\n\nStronghold 3.0 contains OpenSSL 0.9.6b, Apache 1.3.22, and PHP\n4.1.2 and is, therefore, vulnerable to these issues. Users of Stronghold are\nadvised to update to the errata versions of Stronghold 3.0 which contain\nbackported security fixes and are not vulnerable to these issues.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:104",
            url: "https://access.redhat.com/errata/RHSA-2003:104",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "http://stronghold.redhat.com/",
            url: "http://stronghold.redhat.com/",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_104.json",
         },
      ],
      title: "Red Hat Security Advisory: apache, openssl, php security update for Stronghold",
      tracking: {
         current_release_date: "2024-11-21T22:41:57+00:00",
         generator: {
            date: "2024-11-21T22:41:57+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:104",
         initial_release_date: "2003-03-18T11:01:00+00:00",
         revision_history: [
            {
               date: "2003-03-18T11:01:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-03-18T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:41:57+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Stronghold 3",
                        product: {
                           name: "Red Hat Stronghold 3",
                           product_id: "Red Hat Stronghold 3",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:stronghold:3",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Stronghold Cross Platform",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2002-1376",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616897",
            },
         ],
         notes: [
            {
               category: "description",
               text: "libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to 4.0.6, does not properly verify length fields for certain responses in the (1) read_rows or (2) read_one_row routines, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2002-1376",
            },
            {
               category: "external",
               summary: "RHBZ#1616897",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616897",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
               url: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
            },
         ],
         release_date: "2002-12-12T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0078",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616956",
            },
         ],
         notes: [
            {
               category: "description",
               text: "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\"",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0078",
            },
            {
               category: "external",
               summary: "RHBZ#1616956",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616956",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
            },
         ],
         release_date: "2003-02-19T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0083",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616961",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 3",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0083",
            },
            {
               category: "external",
               summary: "RHBZ#1616961",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616961",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0083",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0083",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-18T11:01:00+00:00",
               details: "We have backported the security fixes for the versions of OpenSSL, Apache\nand PHP included in Stronghold 3. Stronghold 3.0 build code 3021 is now\navailable which includes these fixes, and can be downloaded from\nhttp://stronghold.redhat.com/sh3/\n\nFor information on how to upgrade between releases of Stronghold 3.0, see\nhttp://stronghold.redhat.com/support/upgrade-sh3.xml",
               product_ids: [
                  "Red Hat Stronghold 3",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:104",
            },
         ],
         title: "security flaw",
      },
   ],
}

RHSA-2003:082

Vulnerability from csaf_redhat

Published

2003-03-03 09:16

Modified

2024-11-21 22:41

Summary

Red Hat Security Advisory: apache, openssl, php, tomcat security update for Stronghold

Notes

Topic

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated versions of Stronghold 4 cross-platform are available to fix a\nnumber of vulnerabilities in OpenSSL, Apache, PHP, and Tomcat.\n\nAlso included in this update are bug fixes for mod_proxy and the\nmod_authz_ldap package.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Stronghold 4 cross platform contains a number of open source technologies\nsuch as OpenSSL, Apache, and PHP. A number of issues have been found in\nversions of these projects:\n\nIn a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin\nVuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites\nin SSL and TLS. An active attacker may be able to use timing observations\nto distinguish between two different error cases: cipher padding errors and\nMAC verification errors. Over multiple connections this can leak\nsufficient information to be able to retrieve the plain text of a common,\nfixed block. In order for an attack to be successful an attacker must be\nable to act as a man-in-the-middle to intercept and modify multiple\nconnections which all involve a common fixed plain text block (such as a\npassword), and have good network conditions that allow small changes in\ntiming to be reliably observed.\n\nThe Apache Web server does not prevent escape sequences from being written\nto the error log. This could allow an attacker to embed arbitrary escape\nsequences into the log file. A recent paper by HD Moore highlighted\nseveral issues where common terminal emulator software (such as xterm) can\nbe remotely abused or exploited by displaying arbitrary escape sequences.\n\nThe MySQL client library (libmysqlclient) used in the PHP MySQL extension\nin PHP versions earlier than 4.3.0 does not properly verify length fields\nfor certain responses in the read_rows or read_one_row routines, which\nallows a malicious server to cause a denial of service and possibly execute\narbitrary code.\n\nA source code exposure vulnerability has been found that affects Tomcat\nversions 4.0.0 through 4.0.5 and 4.1.0 through 4.1.12, in a variant of\nthe issue addressed in RHSA-2002:217. Using a carefully crafted request, a\nremote attacker can read the source code of any deployed JSP file.\n\nIn addition to the security fixes, two bug fixes have also been applied:\n\nIf Apache is configured to act as a reverse proxy by specifying the backend\nserver using a numeric IP address, the mod_proxy module will perform a\nredundant reverse DNS lookup on the IP address, causing a delay in request\nprocessing.\n\nA bug in mod_authz_ldap version 0.21 and earlier prevent\nauthentication being performed by other Apache modules (such as\nfiled-based authentication using mod_auth) when the mod_authz_ldap module\nis loaded.\n\nStronghold 4 cross platform contains OpenSSL 0.9.6c, Apache 1.3.22, PHP\n4.1.2, Tomcat 4.0.5, and mod_authz_ldap 0.19, and is therefore vulnerable\nto these issues. Users of Stronghold are advised to update to the errata\nversions of Stronghold 4 which contain backported security fixes and are\nnot vulnerable to these issues.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:082",
            url: "https://access.redhat.com/errata/RHSA-2003:082",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps",
            url: "http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps",
         },
         {
            category: "external",
            summary: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
            url: "http://www.digitaldefense.net/labs/papers/Termulation.txt",
         },
         {
            category: "external",
            summary: "80057",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=80057",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_082.json",
         },
      ],
      title: "Red Hat Security Advisory: apache, openssl, php, tomcat security update for Stronghold",
      tracking: {
         current_release_date: "2024-11-21T22:41:49+00:00",
         generator: {
            date: "2024-11-21T22:41:49+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:082",
         initial_release_date: "2003-03-03T09:16:00+00:00",
         revision_history: [
            {
               date: "2003-03-03T09:16:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-02-27T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:41:49+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Stronghold 4",
                        product: {
                           name: "Red Hat Stronghold 4",
                           product_id: "Red Hat Stronghold 4",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:stronghold:4",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Stronghold Cross Platform",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2002-1376",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616897",
            },
         ],
         notes: [
            {
               category: "description",
               text: "libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to 4.0.6, does not properly verify length fields for certain responses in the (1) read_rows or (2) read_one_row routines, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2002-1376",
            },
            {
               category: "external",
               summary: "RHBZ#1616897",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616897",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
               url: "https://www.cve.org/CVERecord?id=CVE-2002-1376",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2002-1376",
            },
         ],
         release_date: "2002-12-12T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2002-1394",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616907",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2002-1394",
            },
            {
               category: "external",
               summary: "RHBZ#1616907",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616907",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2002-1394",
               url: "https://www.cve.org/CVERecord?id=CVE-2002-1394",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2002-1394",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2002-1394",
            },
         ],
         release_date: "2002-10-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0078",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616956",
            },
         ],
         notes: [
            {
               category: "description",
               text: "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\"",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Stronghold 4",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0078",
            },
            {
               category: "external",
               summary: "RHBZ#1616956",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616956",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0078",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
            },
         ],
         release_date: "2003-02-19T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-03-03T09:16:00+00:00",
               details: "Fixed Stronghold 4 packages are now available via the update agent service; run\n\n$ bin/agent\n\nfrom the Stronghold 4 install root to upgrade an existing Stronghold 4\ninstallation to the new package versions. After upgrading Stronghold, the\nserver must be completely restarted by running the following commands from\nthe install root:\n\n$ bin/stop-server\n$ bin/stop-tomcat\n$ bin/start-tomcat\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nsee http://stronghold.redhat.com/support/upgrade-sh4",
               product_ids: [
                  "Red Hat Stronghold 4",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:082",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
   ],
}

rhsa-2003_244

Vulnerability from csaf_redhat

Published

2003-09-22 08:39

Modified

2024-11-21 22:48

Summary

Red Hat Security Advisory: apache security update

Notes

Topic

Updated Apache and mod_ssl packages that fix several minor security issues are now available for Red Hat Enterprise Linux.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Enterprise Linux.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences.  The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:244",
            url: "https://access.redhat.com/errata/RHSA-2003:244",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#moderate",
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            category: "external",
            summary: "http://www.apacheweek.com/issues/03-07-11#security",
            url: "http://www.apacheweek.com/issues/03-07-11#security",
         },
         {
            category: "external",
            summary: "98919",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=98919",
         },
         {
            category: "external",
            summary: "100430",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=100430",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_244.json",
         },
      ],
      title: "Red Hat Security Advisory: apache security update",
      tracking: {
         current_release_date: "2024-11-21T22:48:41+00:00",
         generator: {
            date: "2024-11-21T22:48:41+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:244",
         initial_release_date: "2003-09-22T08:39:00+00:00",
         revision_history: [
            {
               date: "2003-09-22T08:39:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-09-22T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:48:41+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                        product: {
                           name: "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                           product_id: "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::as",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux Advanced Workstation 2.1",
                        product: {
                           name: "Red Hat Linux Advanced Workstation 2.1",
                           product_id: "Red Hat Linux Advanced Workstation 2.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::aw",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux ES version 2.1",
                        product: {
                           name: "Red Hat Enterprise Linux ES version 2.1",
                           product_id: "Red Hat Enterprise Linux ES version 2.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::es",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux WS version 2.1",
                        product: {
                           name: "Red Hat Enterprise Linux WS version 2.1",
                           product_id: "Red Hat Enterprise Linux WS version 2.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::ws",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Enterprise Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
               "Red Hat Enterprise Linux ES version 2.1",
               "Red Hat Enterprise Linux WS version 2.1",
               "Red Hat Linux Advanced Workstation 2.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:39:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "Red Hat Enterprise Linux ES version 2.1",
                  "Red Hat Enterprise Linux WS version 2.1",
                  "Red Hat Linux Advanced Workstation 2.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:244",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0192",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616998",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
               title: "Statement",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
               "Red Hat Enterprise Linux ES version 2.1",
               "Red Hat Enterprise Linux WS version 2.1",
               "Red Hat Linux Advanced Workstation 2.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0192",
            },
            {
               category: "external",
               summary: "RHBZ#1616998",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616998",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
            },
         ],
         release_date: "2003-07-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:39:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "Red Hat Enterprise Linux ES version 2.1",
                  "Red Hat Enterprise Linux WS version 2.1",
                  "Red Hat Linux Advanced Workstation 2.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:244",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
   ],
}

RHSA-2003:244

Vulnerability from csaf_redhat

Published

2003-09-22 08:39

Modified

2024-11-21 22:48

Summary

Red Hat Security Advisory: apache security update

Notes

Topic

Updated Apache and mod_ssl packages that fix several minor security issues are now available for Red Hat Enterprise Linux.

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Enterprise Linux.",
            title: "Topic",
         },
         {
            category: "general",
            text: "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences.  The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2003:244",
            url: "https://access.redhat.com/errata/RHSA-2003:244",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#moderate",
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            category: "external",
            summary: "http://www.apacheweek.com/issues/03-07-11#security",
            url: "http://www.apacheweek.com/issues/03-07-11#security",
         },
         {
            category: "external",
            summary: "98919",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=98919",
         },
         {
            category: "external",
            summary: "100430",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=100430",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_244.json",
         },
      ],
      title: "Red Hat Security Advisory: apache security update",
      tracking: {
         current_release_date: "2024-11-21T22:48:41+00:00",
         generator: {
            date: "2024-11-21T22:48:41+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2003:244",
         initial_release_date: "2003-09-22T08:39:00+00:00",
         revision_history: [
            {
               date: "2003-09-22T08:39:00+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2003-09-22T00:00:00+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-21T22:48:41+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                        product: {
                           name: "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                           product_id: "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::as",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Linux Advanced Workstation 2.1",
                        product: {
                           name: "Red Hat Linux Advanced Workstation 2.1",
                           product_id: "Red Hat Linux Advanced Workstation 2.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::aw",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux ES version 2.1",
                        product: {
                           name: "Red Hat Enterprise Linux ES version 2.1",
                           product_id: "Red Hat Enterprise Linux ES version 2.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::es",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux WS version 2.1",
                        product: {
                           name: "Red Hat Enterprise Linux WS version 2.1",
                           product_id: "Red Hat Enterprise Linux WS version 2.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:2.1::ws",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Enterprise Linux",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2003-0020",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616937",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
               "Red Hat Enterprise Linux ES version 2.1",
               "Red Hat Enterprise Linux WS version 2.1",
               "Red Hat Linux Advanced Workstation 2.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0020",
            },
            {
               category: "external",
               summary: "RHBZ#1616937",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616937",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0020",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
            },
         ],
         release_date: "2003-02-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:39:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "Red Hat Enterprise Linux ES version 2.1",
                  "Red Hat Enterprise Linux WS version 2.1",
                  "Red Hat Linux Advanced Workstation 2.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:244",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "security flaw",
      },
      {
         cve: "CVE-2003-0192",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1616998",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "security flaw",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
               title: "Statement",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
               "Red Hat Enterprise Linux ES version 2.1",
               "Red Hat Enterprise Linux WS version 2.1",
               "Red Hat Linux Advanced Workstation 2.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2003-0192",
            },
            {
               category: "external",
               summary: "RHBZ#1616998",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1616998",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
               url: "https://www.cve.org/CVERecord?id=CVE-2003-0192",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
            },
         ],
         release_date: "2003-07-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2003-09-22T08:39:00+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
               product_ids: [
                  "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "Red Hat Enterprise Linux ES version 2.1",
                  "Red Hat Enterprise Linux WS version 2.1",
                  "Red Hat Linux Advanced Workstation 2.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2003:244",
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "security flaw",
      },
   ],
}

fkie_cve-2003-0020

Vulnerability from fkie_nvd

Published

2003-03-18 05:00

Modified

2025-04-03 01:03

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html	Broken Link
cve@mitre.org	http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046	Third Party Advisory
cve@mitre.org	http://marc.info/?l=bugtraq&m=104612710031920&w=2	Third Party Advisory
cve@mitre.org	http://marc.info/?l=bugtraq&m=108369640424244&w=2	Third Party Advisory
cve@mitre.org	http://marc.info/?l=bugtraq&m=108437852004207&w=2	Third Party Advisory
cve@mitre.org	http://marc.info/?l=bugtraq&m=108731648532365&w=2	Third Party Advisory
cve@mitre.org	http://security.gentoo.org/glsa/glsa-200405-22.xml	Third Party Advisory
cve@mitre.org	http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1	Broken Link
cve@mitre.org	http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1	Broken Link
cve@mitre.org	http://www.iss.net/security_center/static/11412.php	Broken Link
cve@mitre.org	http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050	Broken Link
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-082.html	Third Party Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-083.html	Third Party Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-104.html	Third Party Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-139.html	Third Party Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-243.html	Third Party Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-244.html	Third Party Advisory
cve@mitre.org	http://www.securityfocus.com/bid/9930	Third Party Advisory, VDB Entry
cve@mitre.org	http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643	Mailing List, Third Party Advisory
cve@mitre.org	http://www.trustix.org/errata/2004/0017	Broken Link
cve@mitre.org	http://www.trustix.org/errata/2004/0027	Broken Link
cve@mitre.org	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109	Third Party Advisory
cve@mitre.org	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150	Third Party Advisory
cve@mitre.org	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://marc.info/?l=bugtraq&m=104612710031920&w=2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://marc.info/?l=bugtraq&m=108369640424244&w=2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://marc.info/?l=bugtraq&m=108437852004207&w=2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://marc.info/?l=bugtraq&m=108731648532365&w=2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://security.gentoo.org/glsa/glsa-200405-22.xml	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.iss.net/security_center/static/11412.php	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-082.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-083.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-104.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-139.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-243.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-244.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/9930	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.trustix.org/errata/2004/0017	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.trustix.org/errata/2004/0027	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114	Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	http_server	*
	apache	http_server	*

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "44B59C66-C5B3-4682-BB43-A390B4093828",
                     versionEndExcluding: "1.3.31",
                     versionStartIncluding: "1.3.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "28A956D5-032E-4DBE-8201-B60B44BDCF01",
                     versionEndExcluding: "2.0.49",
                     versionStartIncluding: "2.0.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
      },
      {
         lang: "es",
         value: "Apache no filtra secuencias de escape de terminales en sus archivos de registro de errores, lo que podría hacer más fácil para atacantes insertar estas secuencias en emuladores de terminal que tengan vulnerabilidades relacionadas con secuencias de escape.",
      },
   ],
   id: "CVE-2003-0020",
   lastModified: "2025-04-03T01:03:51.193",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
   },
   published: "2003-03-18T05:00:00.000",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://marc.info/?l=bugtraq&m=104612710031920&w=2",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://marc.info/?l=bugtraq&m=108369640424244&w=2",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://marc.info/?l=bugtraq&m=108437852004207&w=2",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://marc.info/?l=bugtraq&m=108731648532365&w=2",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://security.gentoo.org/glsa/glsa-200405-22.xml",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://www.iss.net/security_center/static/11412.php",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-082.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-083.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-104.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-139.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-243.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-244.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/9930",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://www.trustix.org/errata/2004/0017",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://www.trustix.org/errata/2004/0027",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://marc.info/?l=bugtraq&m=104612710031920&w=2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://marc.info/?l=bugtraq&m=108369640424244&w=2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://marc.info/?l=bugtraq&m=108437852004207&w=2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://marc.info/?l=bugtraq&m=108731648532365&w=2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://security.gentoo.org/glsa/glsa-200405-22.xml",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://www.iss.net/security_center/static/11412.php",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-082.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-083.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-104.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-139.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-243.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.redhat.com/support/errata/RHSA-2003-244.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/9930",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://www.trustix.org/errata/2004/0017",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://www.trustix.org/errata/2004/0027",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vendorComments: [
      {
         comment: "Fixed in Apache HTTP Server 2.0.49 and 1.3.31\nhttp://httpd.apache.org/security/vulnerabilities_20.html\nhttp://httpd.apache.org/security/vulnerabilities_13.html",
         lastModified: "2008-07-02T00:00:00",
         organization: "Apache",
      },
   ],
   vulnStatus: "Deferred",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-Other",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

ghsa-cc5w-cgc4-9qf7

Vulnerability from github

Published

2022-04-29 01:25

Modified

2025-04-03 03:52

Details

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2003-0020",
   ],
   database_specific: {
      cwe_ids: [],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2003-03-18T05:00:00Z",
      severity: "MODERATE",
   },
   details: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
   id: "GHSA-cc5w-cgc4-9qf7",
   modified: "2025-04-03T03:52:50Z",
   published: "2022-04-29T01:25:40Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
      },
      {
         type: "WEB",
         url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114",
      },
      {
         type: "WEB",
         url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150",
      },
      {
         type: "WEB",
         url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         type: "WEB",
         url: "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html",
      },
      {
         type: "WEB",
         url: "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046",
      },
      {
         type: "WEB",
         url: "http://marc.info/?l=bugtraq&m=104612710031920&w=2",
      },
      {
         type: "WEB",
         url: "http://marc.info/?l=bugtraq&m=108369640424244&w=2",
      },
      {
         type: "WEB",
         url: "http://marc.info/?l=bugtraq&m=108437852004207&w=2",
      },
      {
         type: "WEB",
         url: "http://marc.info/?l=bugtraq&m=108731648532365&w=2",
      },
      {
         type: "WEB",
         url: "http://security.gentoo.org/glsa/glsa-200405-22.xml",
      },
      {
         type: "WEB",
         url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1",
      },
      {
         type: "WEB",
         url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1",
      },
      {
         type: "WEB",
         url: "http://www.iss.net/security_center/static/11412.php",
      },
      {
         type: "WEB",
         url: "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050",
      },
      {
         type: "WEB",
         url: "http://www.redhat.com/support/errata/RHSA-2003-082.html",
      },
      {
         type: "WEB",
         url: "http://www.redhat.com/support/errata/RHSA-2003-083.html",
      },
      {
         type: "WEB",
         url: "http://www.redhat.com/support/errata/RHSA-2003-104.html",
      },
      {
         type: "WEB",
         url: "http://www.redhat.com/support/errata/RHSA-2003-139.html",
      },
      {
         type: "WEB",
         url: "http://www.redhat.com/support/errata/RHSA-2003-243.html",
      },
      {
         type: "WEB",
         url: "http://www.redhat.com/support/errata/RHSA-2003-244.html",
      },
      {
         type: "WEB",
         url: "http://www.securityfocus.com/bid/9930",
      },
      {
         type: "WEB",
         url: "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643",
      },
      {
         type: "WEB",
         url: "http://www.trustix.org/errata/2004/0017",
      },
      {
         type: "WEB",
         url: "http://www.trustix.org/errata/2004/0027",
      },
   ],
   schema_version: "1.4.0",
   severity: [],
}

gsd-2003-0020

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2003-0020

Aliases

CVE-2003-0020

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2003-0020",
      description: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
      id: "GSD-2003-0020",
      references: [
         "https://www.suse.com/security/cve/CVE-2003-0020.html",
         "https://access.redhat.com/errata/RHSA-2003:244",
         "https://access.redhat.com/errata/RHSA-2003:243",
         "https://access.redhat.com/errata/RHSA-2003:139",
         "https://access.redhat.com/errata/RHSA-2003:104",
         "https://access.redhat.com/errata/RHSA-2003:083",
         "https://access.redhat.com/errata/RHSA-2003:082",
      ],
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2003-0020",
         ],
         details: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
         id: "GSD-2003-0020",
         modified: "2023-12-13T01:22:13.765549Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "cve@mitre.org",
            ID: "CVE-2003-0020",
            STATE: "PUBLIC",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "n/a",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "n/a",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "n/a",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
               },
            ],
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "n/a",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "57628",
                  refsource: "SUNALERT",
                  url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1",
               },
               {
                  name: "RHSA-2003:243",
                  refsource: "REDHAT",
                  url: "http://www.redhat.com/support/errata/RHSA-2003-243.html",
               },
               {
                  name: "APPLE-SA-2004-05-03",
                  refsource: "APPLE",
                  url: "http://marc.info/?l=bugtraq&m=108369640424244&w=2",
               },
               {
                  name: "101555",
                  refsource: "SUNALERT",
                  url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1",
               },
               {
                  name: "SSRT4717",
                  refsource: "HP",
                  url: "http://marc.info/?l=bugtraq&m=108731648532365&w=2",
               },
               {
                  name: "RHSA-2003:139",
                  refsource: "REDHAT",
                  url: "http://www.redhat.com/support/errata/RHSA-2003-139.html",
               },
               {
                  name: "2004-0027",
                  refsource: "TRUSTIX",
                  url: "http://www.trustix.org/errata/2004/0027",
               },
               {
                  name: "20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)",
                  refsource: "BUGTRAQ",
                  url: "http://marc.info/?l=bugtraq&m=108437852004207&w=2",
               },
               {
                  name: "SSA:2004-133",
                  refsource: "SLACKWARE",
                  url: "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643",
               },
               {
                  name: "RHSA-2003:244",
                  refsource: "REDHAT",
                  url: "http://www.redhat.com/support/errata/RHSA-2003-244.html",
               },
               {
                  name: "GLSA-200405-22",
                  refsource: "GENTOO",
                  url: "http://security.gentoo.org/glsa/glsa-200405-22.xml",
               },
               {
                  name: "MDKSA-2003:050",
                  refsource: "MANDRAKE",
                  url: "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050",
               },
               {
                  name: "20030224 Terminal Emulator Security Issues",
                  refsource: "BUGTRAQ",
                  url: "http://marc.info/?l=bugtraq&m=104612710031920&w=2",
               },
               {
                  name: "apache-esc-seq-injection(11412)",
                  refsource: "XF",
                  url: "http://www.iss.net/security_center/static/11412.php",
               },
               {
                  name: "2004-0017",
                  refsource: "TRUSTIX",
                  url: "http://www.trustix.org/errata/2004/0017",
               },
               {
                  name: "oval:org.mitre.oval:def:150",
                  refsource: "OVAL",
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150",
               },
               {
                  name: "MDKSA-2004:046",
                  refsource: "MANDRAKE",
                  url: "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046",
               },
               {
                  name: "oval:org.mitre.oval:def:4114",
                  refsource: "OVAL",
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114",
               },
               {
                  name: "20030224 Terminal Emulator Security Issues",
                  refsource: "VULNWATCH",
                  url: "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html",
               },
               {
                  name: "9930",
                  refsource: "BID",
                  url: "http://www.securityfocus.com/bid/9930",
               },
               {
                  name: "RHSA-2003:083",
                  refsource: "REDHAT",
                  url: "http://www.redhat.com/support/errata/RHSA-2003-083.html",
               },
               {
                  name: "RHSA-2003:104",
                  refsource: "REDHAT",
                  url: "http://www.redhat.com/support/errata/RHSA-2003-104.html",
               },
               {
                  name: "oval:org.mitre.oval:def:100109",
                  refsource: "OVAL",
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109",
               },
               {
                  name: "RHSA-2003:082",
                  refsource: "REDHAT",
                  url: "http://www.redhat.com/support/errata/RHSA-2003-082.html",
               },
               {
                  name: "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073140 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073149 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210606 svn commit: r1075470 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e@%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E",
               },
            ],
         },
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "1.3.31",
                        versionStartIncluding: "1.3.0",
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "2.0.49",
                        versionStartIncluding: "2.0.0",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2003-0020",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "NVD-CWE-Other",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "9930",
                     refsource: "BID",
                     tags: [
                        "Third Party Advisory",
                        "VDB Entry",
                     ],
                     url: "http://www.securityfocus.com/bid/9930",
                  },
                  {
                     name: "apache-esc-seq-injection(11412)",
                     refsource: "XF",
                     tags: [
                        "Broken Link",
                     ],
                     url: "http://www.iss.net/security_center/static/11412.php",
                  },
                  {
                     name: "20030224 Terminal Emulator Security Issues",
                     refsource: "VULNWATCH",
                     tags: [
                        "Broken Link",
                     ],
                     url: "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html",
                  },
                  {
                     name: "GLSA-200405-22",
                     refsource: "GENTOO",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://security.gentoo.org/glsa/glsa-200405-22.xml",
                  },
                  {
                     name: "MDKSA-2003:050",
                     refsource: "MANDRAKE",
                     tags: [
                        "Broken Link",
                     ],
                     url: "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050",
                  },
                  {
                     name: "MDKSA-2004:046",
                     refsource: "MANDRAKE",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046",
                  },
                  {
                     name: "RHSA-2003:082",
                     refsource: "REDHAT",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://www.redhat.com/support/errata/RHSA-2003-082.html",
                  },
                  {
                     name: "RHSA-2003:083",
                     refsource: "REDHAT",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://www.redhat.com/support/errata/RHSA-2003-083.html",
                  },
                  {
                     name: "RHSA-2003:104",
                     refsource: "REDHAT",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://www.redhat.com/support/errata/RHSA-2003-104.html",
                  },
                  {
                     name: "RHSA-2003:139",
                     refsource: "REDHAT",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://www.redhat.com/support/errata/RHSA-2003-139.html",
                  },
                  {
                     name: "RHSA-2003:243",
                     refsource: "REDHAT",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://www.redhat.com/support/errata/RHSA-2003-243.html",
                  },
                  {
                     name: "RHSA-2003:244",
                     refsource: "REDHAT",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://www.redhat.com/support/errata/RHSA-2003-244.html",
                  },
                  {
                     name: "SSA:2004-133",
                     refsource: "SLACKWARE",
                     tags: [
                        "Mailing List",
                        "Third Party Advisory",
                     ],
                     url: "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643",
                  },
                  {
                     name: "57628",
                     refsource: "SUNALERT",
                     tags: [
                        "Broken Link",
                     ],
                     url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1",
                  },
                  {
                     name: "101555",
                     refsource: "SUNALERT",
                     tags: [
                        "Broken Link",
                     ],
                     url: "http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1",
                  },
                  {
                     name: "2004-0017",
                     refsource: "TRUSTIX",
                     tags: [
                        "Broken Link",
                     ],
                     url: "http://www.trustix.org/errata/2004/0017",
                  },
                  {
                     name: "2004-0027",
                     refsource: "TRUSTIX",
                     tags: [
                        "Broken Link",
                     ],
                     url: "http://www.trustix.org/errata/2004/0027",
                  },
                  {
                     name: "20030224 Terminal Emulator Security Issues",
                     refsource: "BUGTRAQ",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://marc.info/?l=bugtraq&m=104612710031920&w=2",
                  },
                  {
                     name: "APPLE-SA-2004-05-03",
                     refsource: "APPLE",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://marc.info/?l=bugtraq&m=108369640424244&w=2",
                  },
                  {
                     name: "SSRT4717",
                     refsource: "HP",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://marc.info/?l=bugtraq&m=108731648532365&w=2",
                  },
                  {
                     name: "20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)",
                     refsource: "BUGTRAQ",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "http://marc.info/?l=bugtraq&m=108437852004207&w=2",
                  },
                  {
                     name: "oval:org.mitre.oval:def:4114",
                     refsource: "OVAL",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4114",
                  },
                  {
                     name: "oval:org.mitre.oval:def:150",
                     refsource: "OVAL",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A150",
                  },
                  {
                     name: "oval:org.mitre.oval:def:100109",
                     refsource: "OVAL",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100109",
                  },
                  {
                     name: "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     tags: [
                        "Mailing List",
                        "Vendor Advisory",
                     ],
                     url: "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     tags: [
                        "Mailing List",
                        "Vendor Advisory",
                     ],
                     url: "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     tags: [
                        "Mailing List",
                        "Vendor Advisory",
                     ],
                     url: "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     tags: [
                        "Mailing List",
                        "Vendor Advisory",
                     ],
                     url: "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073140 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073149 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210606 svn commit: r1075470 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E",
                  },
               ],
            },
         },
         impact: {
            baseMetricV2: {
               cvssV2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "NONE",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
               exploitabilityScore: 10,
               impactScore: 2.9,
               obtainAllPrivilege: false,
               obtainOtherPrivilege: false,
               obtainUserPrivilege: false,
               severity: "MEDIUM",
               userInteractionRequired: false,
            },
         },
         lastModifiedDate: "2021-06-06T11:15Z",
         publishedDate: "2003-03-18T05:00Z",
      },
   },
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from cvelistv5

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from fkie_nvd

Vulnerability from github

Vulnerability from gsd

Tags

Sightings

Nomenclature