The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
http://rhn.redhat.com/errata/RHSA-2015-0325.html
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1627749
http://svn.apache.org/viewvc?view=revision&revision=1624234
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://www.securityfocus.com/bid/71656
http://www.securitytracker.com/id/1031005
http://www.ubuntu.com/usn/USN-2523-1
https://bugzilla.redhat.com/show_bug.cgi?id=1149709
https://exchange.xforce.ibmcloud.com/vulnerabilities/97027
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://security.gentoo.org/glsa/201610-02
OR
cpe:2.3:a:apache:apache_http_server:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache_http_server:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache_http_server:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache_http_server:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache_http_server:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache_http_server:2.4.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache_http_server:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache_http_server:2.4.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache_http_server:2.4.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache_http_server:2.4.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache_http_server:*:*:*:*:*:*:*:* versions up to 2.4.10 (inclusive)
ID | Name | Product | Family | Severity |
---|---|---|---|---|
124922 | EulerOS Virtualization 3.0.1.0 : httpd (EulerOS-SA-2019-1419) | Nessus | Huawei Local Security Checks | high |
98907 | Apache 2.4.x < 2.4.12 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | medium |
93903 | GLSA-201610-02 : Apache: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium |
87458 | RHEL 7 : JBoss Web Server (RHSA-2015:2660) | Nessus | Red Hat Local Security Checks | high |
87457 | RHEL 6 : JBoss Web Server (RHSA-2015:2659) | Nessus | Red Hat Local Security Checks | high |
8981 | Mac OS X < 10.10.5 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | high |
86066 | Mac OS X : OS X Server < 5.0.3 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
85409 | Mac OS X Multiple Vulnerabilities (Security Update 2015-006) | Nessus | MacOS X Local Security Checks | high |
85408 | Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high |
83945 | SUSE SLES12 Security Update : apache2 (SUSE-SU-2015:0974-1) | Nessus | SuSE Local Security Checks | medium |
82916 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : httpd (SSA:2015-111-03) | Nessus | Slackware Local Security Checks | medium |
82657 | SuSE 11.3 Security Update : apache2 (SAT Patch Number 10533) | Nessus | SuSE Local Security Checks | medium |
82346 | Mandriva Linux Security Advisory : apache (MDVSA-2015:093) | Nessus | Mandriva Local Security Checks | medium |
82252 | Scientific Linux Security Update : httpd on SL7.x x86_64 (20150305) | Nessus | Scientific Linux Local Security Checks | medium |
82216 | Debian DLA-71-1 : apache2 security update | Nessus | Debian Local Security Checks | medium |
81888 | CentOS 7 : httpd (CESA-2015:0325) | Nessus | CentOS Local Security Checks | medium |
81837 | Fedora 21 : httpd-2.4.10-15.fc21 (2014-17195) | Nessus | Fedora Local Security Checks | medium |
81802 | Oracle Linux 7 : httpd (ELSA-2015-0325) | Nessus | Oracle Linux Local Security Checks | medium |
81755 | Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : apache2 vulnerabilities (USN-2523-1) | Nessus | Ubuntu Local Security Checks | medium |
81629 | RHEL 7 : httpd (RHSA-2015:0325) | Nessus | Red Hat Local Security Checks | medium |
81581 | Fedora 20 : httpd-2.4.10-2.fc20 (2014-17153) | Nessus | Fedora Local Security Checks | medium |
8937 | Apache HTTP Server 2.4 < 2.4.12 DoS | Nessus Network Monitor | Web Servers | medium |
81329 | Amazon Linux AMI : httpd24 (ALAS-2015-483) | Nessus | Amazon Linux Local Security Checks | medium |
81126 | Apache 2.4.x < 2.4.12 Multiple Vulnerabilities | Nessus | Web Servers | medium |
81116 | FreeBSD : apache24 -- several vulnerabilities (5804b9d4-a959-11e4-9363-20cf30e32f6d) | Nessus | FreeBSD Local Security Checks | medium |