Detections
Analytics

MiracleLinux 3 : httpd-2.2.3-76.0.1.AXS3 (AXSA:2013-45:01)

medium Nessus Plugin ID 289813

Synopsis

The remote MiracleLinux host is missing one or more security updates.

Description

The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2013-45:01 advisory.

 The Apache HTTP Server is a powerful, efficient, and extensible web server.
 Security issues fixed with this release:
 CVE-2008-0455 Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) 406 Not Acceptable or (2) 300 Multiple Choices HTTP response when the extension is omitted in a request for the file.
 CVE-2008-0456 CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) 406 Not Acceptable or (2) 300 Multiple Choices HTTP response when the extension is omitted in a request for the file.
 CVE-2012-2687 Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
 Fixed bugs:
 Previously, the validity of /etc/pki/tls/private/localhost.key was not checked before running the %post script for the mod_ssl package: If /etc/pki/tls/certs/localhost.crt did not exist and localhost.key was present but invalid and upgrading httpd with mod_ssl failed. This has been fixed.
 Added a patch to disable non-FIPS functionality in the mod_ssl module when running in FIPS mode so that httpd starts as expected under FIPS mode.
 Previously, the httpd exit codes were not LSB compliant. This has been fixed and httpd now returns 1 as an exist status code.
 Fixed the handling of long chunk-lines (32 bytes or more).
 Fixed header merging for 304 case.
 Fixed the response-line strings handling when run in a proxy set up so that response-lines without a description string are properly returned to the client.
 Previously, a bug in the mod_mem_cache module could result in a cached entity becoming corrupt when aborting an HTTP connection. This has been fixed.
 Enhancements:
 Added support for the LDAPReferrals configuration directive.
 The mod_proxy_ajp module now supports the ProxyErrorOverride directive Now, if the /etc/sysconfig/httpd-disable-posttrans file exists, the %posttrans scriptlet will not automatically restarts the httpd service after a package upgrade.
 The output of httpd -S now includes configured alias names for each virtual host.
 mod_ssl using the _DN_userID (like SSL_CLIENT_S_DN_userID) now expose new certificate variable names.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://tsn.miraclelinux.com/en/node/3666

Plugin Details

Severity: Medium

ID: 289813

File Name: miracle_linux_AXSA-2013-45.nasl

Version: 1.1

Type: local

Published: 1/16/2026

Updated: 1/16/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2008-0455

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:miracle:linux:mod_ssl, p-cpe:/a:miracle:linux:httpd, cpe:/o:miracle:linux:3, p-cpe:/a:miracle:linux:httpd-devel, p-cpe:/a:miracle:linux:httpd-manual

Required KB Items: Host/local_checks_enabled, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/25/2013

Vulnerability Publication Date: 1/21/2008

Reference Information

CVE: CVE-2008-0455, CVE-2008-0456, CVE-2012-2687