On Sat, Apr 4, 2020 at 11:27 AM William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Sat, Apr 4, 2020 at 10:23 AM Daniel Ruggeri <drugg...@primary.net> wrote:
>
>> Hi, all;
>> I'm not sure what mechanism is used to generate
>> https://httpd.apache.org/security/vulnerabilities_24.html from
>> https://svn.apache.org/repos/asf/httpd/site/trunk/content/security/vulnerabilities-httpd.xml ,
>>
>
> https://svn.apache.org/repos/asf/httpd/site/trunk/content/security/vulnerabilities-httpd.page/securitydb.xsl
>
>> an anomaly has been reported to me in response to the security
>> announcements from last release.
>>
>> For both CVE-2020-1934 and CVE-2020-1927, the source file says
>> "Apache HTTP Server versions 2.4.0 to 2.4.41" in the description, but
>> the rendered result is "Apache HTTP Server versions 2.4.0 to 2.41". If
>> anyone has pointers on how the site build happens, I can look into it
>> further.
>>
>
> Something in that xslt translation is treating the revision number
> numerically, and not as a string.
>

Looking close, it isn't clear why any version/numeric text handling should
occur by the xslt that would lose the '.4' segment from any .xml within the
context of;

<security updated="20200401">
<issue reported="20200103" public="20200401">
<cve name="CVE-2020-1934"/>
<description>
<p>

Tag attributes legitimately broken apart for version processing include;

<fixed base="2.4" version="2.4.42" date=""/>
<affects prod="httpd" version="2.4.41"/>

(Those fixed date tags need fixing as well.)

>> If it's too complicated a fix, I'm OK with removing that line from
>> the description. The CVE reports must include the version vulnerability
>> info in the description, but it's not really a requirement for the site
>> (I was just keeping them consistent).
>>

For our xml records, we derive that information as illustrated, so that line
was redundant. (Also note spelling, and these descriptions are much more
terse than the usual descriptions the project has provided.)
low: mod_proxy_ftp use of uninitialized value
(CVE-2020-1934 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1934>)
Apache HTTP Server versions 2.4.0 to 2.41 mod_proxy_ftp use of uninitialized
value with maliciosu FTP backend.
Acknowledgements: The issue was discovered by Chamal De Silva
Reported to security team 3rd January 2020
Issue public 1st April 2020
Affects 2.4.41, 2.4.40, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33,
2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18,
2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2,
2.4.1, 2.4.0

low: mod_rewrite CWE-601 open redirect
(CVE-2020-1927 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927>)
Apache HTTP Server versions 2.4.0 to 2.41 Some mod_rewrite configurations
vulnerable to open redirect.
Acknowledgements: The issue was discovered by Fabrice Perez
Reported to security team 5th December 2019
Issue public 1st April 2020
Affects 2.4.41, 2.4.40, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33,
2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18,
2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2,
2.4.1, 2.4.0
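The thread's point is that the version range is already carried by the <affects> and <fixed> attributes, so a free-text "versions A to B" phrase in the description is redundant and can drift from them (here, "2.41" where "2.4.41" was meant). The following pre-publication check is an added example, not tooling from the httpd project or from anyone in the thread: it parses records laid out like the vulnerabilities-httpd.xml fragment quoted above (the sample XML below is constructed for the example, and the two records are assumed to carry only the tags shown in the thread), compares the phrase in each description with the lowest and highest <affects> version, and flags any record where the two disagree. Versions are compared as tuples of integers, never as a single number, because that is exactly the conversion that loses a segment of "2.4.41".

```python
"""Consistency check for httpd-style security XML records (added example).

Each <issue> is expected to carry a <cve name="..."/>, a <description> with
<p> text, a <fixed .../> tag and one or more <affects version="..."/> tags,
mirroring the fragment quoted in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the second record deliberately carries the truncated
# "2.41" so the check has something to catch.
SAMPLE_XML = """<?xml version="1.0"?>
<security updated="20200401">
  <issue reported="20200103" public="20200401">
    <cve name="CVE-2020-1934"/>
    <description><p>Apache HTTP Server versions 2.4.0 to 2.4.41 mod_proxy_ftp
    use of uninitialized value with malicious FTP backend.</p></description>
    <fixed base="2.4" version="2.4.42" date="20200401"/>
    <affects prod="httpd" version="2.4.41"/>
    <affects prod="httpd" version="2.4.9"/>
    <affects prod="httpd" version="2.4.0"/>
  </issue>
  <issue reported="20191205" public="20200401">
    <cve name="CVE-2020-1927"/>
    <description><p>Apache HTTP Server versions 2.4.0 to 2.41 Some mod_rewrite
    configurations vulnerable to open redirect.</p></description>
    <fixed base="2.4" version="2.4.42" date="20200401"/>
    <affects prod="httpd" version="2.4.41"/>
    <affects prod="httpd" version="2.4.0"/>
  </issue>
</security>
"""

# Matches "versions A to B" where A and B are dotted numeric versions.
RANGE_RE = re.compile(r"versions\s+(\d+(?:\.\d+)*)\s+to\s+(\d+(?:\.\d+)*)")


def version_key(version):
    """Split a dotted version into an integer tuple so 2.4.41 sorts after
    2.4.9. The string is never turned into one number: float("2.4.41") is
    not a value, and that is the kind of handling that drops a segment."""
    return tuple(int(part) for part in version.split("."))


def described_range(issue):
    """Return (low, high) from the description's 'versions A to B' phrase,
    or None when the description carries no such phrase."""
    desc = issue.find("description")
    if desc is None:
        return None
    text = " ".join("".join(desc.itertext()).split())
    match = RANGE_RE.search(text)
    return (match.group(1), match.group(2)) if match else None


def affected_range(issue):
    """Return (lowest, highest) version among the <affects> tags, or None."""
    versions = [a.get("version") for a in issue.findall("affects")
                if a.get("version")]
    if not versions:
        return None
    versions.sort(key=version_key)
    return (versions[0], versions[-1])


def check_record(xml_text):
    """Compare the described range with the <affects> range per issue and
    report each CVE with a 'consistent' verdict."""
    root = ET.fromstring(xml_text)
    findings = []
    for issue in root.findall("issue"):
        cve = issue.find("cve")
        described = described_range(issue)
        affected = affected_range(issue)
        findings.append({
            "cve": cve.get("name") if cve is not None else None,
            "described": described,
            "affected": affected,
            "consistent": (described is not None and affected is not None
                           and described == affected),
        })
    return findings


if __name__ == "__main__":
    for f in check_record(SAMPLE_XML):
        status = "ok" if f["consistent"] else "MISMATCH"
        print(f"{f['cve']}: description {f['described']} "
              f"vs affects {f['affected']} -> {status}")
```

Run against the real vulnerabilities-httpd.xml, the script would read the file instead of SAMPLE_XML; a non-empty list of mismatches is a reason to hold the site build, or simply to drop the redundant phrase from the description as the thread suggests.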