FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

apache24 -- multiple vulnerabilities

Affected packages
apache24 < 2.4.16


VuXML ID a12494c1-2af4-11e5-86ff-14dae9d210b8
Discovery 2015-02-04
Entry 2015-07-15

Jim Jagielski reports:

CVE-2015-3183 ( core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters.

CVE-2015-3185 ( Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook.

CVE-2015-0253 ( core: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531.

CVE-2015-0228 ( mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash.


CVE Name CVE-2015-0228
CVE Name CVE-2015-0253
CVE Name CVE-2015-3183
CVE Name CVE-2015-3185