It is because the release process adds:
- "lang": "eng",
- "time": "2024-07-01",
- "value": "2.4.60 released"
But it does not go back to cveprocess.a.o, so you cannot continue to edit on cveprocess.a.o and replace the content/ here. On Wed, Jul 3, 2024 at 8:13 AM Eric Covener <[email protected]> wrote: > > On Wed, Jul 3, 2024 at 8:09 AM <[email protected]> wrote: > > > > This is an automated email from the ASF dual-hosted git repository. > > > > git-site-role pushed a commit to branch asf-site > > in repository https://gitbox.apache.org/repos/asf/httpd-site.git > > > > > > The following commit(s) were added to refs/heads/asf-site by this push: > > new f918752 Automatic Site Publish by Buildbot > > f918752 is described below > > > > commit f91875275839c194cc80cd7e56b26e2682cd627a > > Author: buildbot <[email protected]> > > AuthorDate: Wed Jul 3 12:08:19 2024 +0000 > > > > Automatic Site Publish by Buildbot > > --- > > output/security/json/CVE-2024-38473.json | 184 > > ++++++++++++++--------------- > > output/security/vulnerabilities-httpd.json | 22 ++-- > > output/security/vulnerabilities_24.html | 9 -- > > 3 files changed, 101 insertions(+), 114 deletions(-) > > > > diff --git a/output/security/json/CVE-2024-38473.json > > b/output/security/json/CVE-2024-38473.json > > index 3a07f16..5b99730 100644 > > --- a/output/security/json/CVE-2024-38473.json > > +++ b/output/security/json/CVE-2024-38473.json 
> > @@ -1,98 +1,96 @@ > > { > > - "containers": { > > - "cna": { > > - "affected": [ > > - { > > - "defaultStatus": "unaffected", > > - "product": "Apache HTTP Server", > > - "vendor": "Apache Software Foundation", > > - "versions": [ > > - { > > - "lessThanOrEqual": "2.4.59", > > - "status": "affected", > > - "version": "2.4.0", > > - "versionType": "semver" > > - } > > - ] > > - } > > - ], > > - "credits": [ > > - { > > - "lang": "en", > > - "type": "finder", > > - "value": "Orange Tsai (@orange_8361) from DEVCORE" > > - } > > - ], > > - "descriptions": [ > > - { > > - "lang": "en", > > - "supportingMedia": [ > > - { > > - "base64": false, > > - "type": "text/html", > > - "value": "Encoding problem in mod_proxy in Apache HTTP > > Server 2.4.59 and earlier allows request URLs with incorrect encoding to be > > sent to backend services, potentially bypassing authentication via crafted > > requests.<br>Users are recommended to upgrade to version 2.4.60, which > > fixes this issue." > > - } > > - ], > > - "value": "Encoding problem in mod_proxy in Apache HTTP Server > > 2.4.59 and earlier allows request URLs with incorrect encoding to be sent > > to backend services, potentially bypassing authentication via crafted > > requests.\nUsers are recommended to upgrade to version 2.4.60, which fixes > > this issue." 
> > - } > > - ], > > - "metrics": [ > > - { > > - "other": { > > - "content": { > > - "text": "moderate" > > + "containers": { > > + "cna": { > > + "affected": [ > > + { > > + "defaultStatus": "unaffected", > > + "product": "Apache HTTP Server", > > + "vendor": "Apache Software Foundation", > > + "versions": [ > > + { > > + "lessThanOrEqual": "2.4.59", > > + "status": "affected", > > + "version": "2.4.0", > > + "versionType": "semver" > > + } > > + ] > > + } > > + ], > > + "credits": [ > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Orange Tsai (@orange_8361) from DEVCORE" > > + } > > + ], > > + "descriptions": [ > > + { > > + "lang": "en", > > + "supportingMedia": [ > > + { > > + "base64": false, > > + "type": "text/html", > > + "value": "Encoding problem in mod_proxy in > > Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect > > encoding to be sent to backend services, potentially bypassing > > authentication via crafted requests. This affects configurations where > > mechanisms other than ProxyPass/ProxyPassMatch or RewriteRule with the 'P' > > flag are used to configure a request to be proxied, such as SetHandler or > > inadvertent proxying via CVE-2024-39573. Note that the [...] > > + } > > + ], > > + "value": "Encoding problem in mod_proxy in Apache HTTP > > Server 2.4.59 and earlier allows request URLs with incorrect encoding to be > > sent to backend services, potentially bypassing authentication via crafted > > requests. This affects configurations where mechanisms other than > > ProxyPass/ProxyPassMatch or RewriteRule with the 'P' flag are used to > > configure a request to be proxied, such as SetHandler or inadvertent > > proxying via CVE-2024-39573. Note that these alternate mecha [...] 
> > + } > > + ], > > + "metrics": [ > > + { > > + "other": { > > + "content": { > > + "text": "moderate" > > + }, > > + "type": "Textual description of severity" > > + } > > + } > > + ], > > + "problemTypes": [ > > + { > > + "descriptions": [ > > + { > > + "cweId": "CWE-116", > > + "description": "CWE-116 Improper Encoding or > > Escaping of Output", > > + "lang": "en", > > + "type": "CWE" > > + } > > + ] > > + } > > + ], > > + "providerMetadata": { > > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > }, > > - "type": "Textual description of severity" > > - } > > - } > > - ], > > - "problemTypes": [ > > - { > > - "descriptions": [ > > - { > > - "cweId": "CWE-116", > > - "description": "CWE-116 Improper Encoding or Escaping of > > Output", > > - "lang": "en", > > - "type": "CWE" > > + "references": [ > > + { > > + "tags": [ > > + "vendor-advisory" > > + ], > > + "url": > > "https://httpd.apache.org/security/vulnerabilities_24.html" > > + } > > + ], > > + "source": { > > + "discovery": "UNKNOWN" > > + }, > > + "timeline": [ > > + { > > + "lang": "en", > > + "time": "2024-04-01T12:00:00.000Z", > > + "value": "reported" > > + } > > + ], > > + "title": "Apache HTTP Server proxy encoding problem", > > + "x_generator": { > > + "engine": "Vulnogram 0.1.0-dev" > > } > > - ] > > - } > > - ], > > - "providerMetadata": { > > - "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > - }, > > - "source": { > > - "discovery": "UNKNOWN" > > - }, > > - "timeline": [ > > - { > > - "lang": "en", > > - "time": "2024-04-01T12:00:00.000Z", > > - "value": "reported" > > - }, > > - { > > - "time": "2024-07-01", > > - "lang": "en", > > - "value": "fixed by r1918559, r1918666, r1918600, r1918625, > > r1918668 in 2.4.x" > > - }, > > - { > > - "lang": "eng", > > - "time": "2024-07-01", > > - "value": "2.4.60 released" > > } > > - ], > > - "title": "Apache HTTP Server proxy encoding problem", > > - "x_generator": { > > - "engine": "Vulnogram 0.1.0-dev" > > - } > > - } > > - }, > > - 
"cveMetadata": { > > - "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > > - "cveId": "CVE-2024-38473", > > - "serial": 1, > > - "state": "PUBLISHED" > > - }, > > - "dataType": "CVE_RECORD", > > - "dataVersion": "5.0" > > + }, > > + "cveMetadata": { > > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > > + "cveId": "CVE-2024-38473", > > + "serial": 1, > > + "state": "PUBLISHED" > > + }, > > + "dataType": "CVE_RECORD", > > + "dataVersion": "5.0" > > } > > diff --git a/output/security/vulnerabilities-httpd.json > > b/output/security/vulnerabilities-httpd.json > > index ddf1590..57e23bd 100644 > > --- a/output/security/vulnerabilities-httpd.json > > +++ b/output/security/vulnerabilities-httpd.json 
> > @@ -31904,10 +31904,10 @@ > > { > > "base64": false, > > "type": "text/html", > > - "value": "Encoding problem in mod_proxy in > > Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect > > encoding to be sent to backend services, potentially bypassing > > authentication via crafted requests.<br>Users are recommended to upgrade to > > version 2.4.60, which fixes this issue." > > + "value": "Encoding problem in mod_proxy in > > Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect > > encoding to be sent to backend services, potentially bypassing > > authentication via crafted requests. This affects configurations where > > mechanisms other than ProxyPass/ProxyPassMatch or RewriteRule with the 'P' > > flag are used to configure a request to be proxied, such as SetHandler or > > inadvertent proxying via CVE-2024-39573. Note that [...] > > } > > ], > > - "value": "Encoding problem in mod_proxy in Apache > > HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding > > to be sent to backend services, potentially bypassing authentication via > > crafted requests.\nUsers are recommended to upgrade to version 2.4.60, > > which fixes this issue." > > + "value": "Encoding problem in mod_proxy in Apache > > HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding > > to be sent to backend services, potentially bypassing authentication via > > crafted requests. This affects configurations where mechanisms other than > > ProxyPass/ProxyPassMatch or RewriteRule with the 'P' flag are used to > > configure a request to be proxied, such as SetHandler or inadvertent > > proxying via CVE-2024-39573. Note that these alternate m [...] > > } > > ], > > "metrics": [ 
> > @@ -31935,6 +31935,14 @@ > > "providerMetadata": { > > "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > }, > > + "references": [ > > + { > > + "tags": [ > > + "vendor-advisory" > > + ], > > + "url": > > "https://httpd.apache.org/security/vulnerabilities_24.html" > > + } > > + ], > > "source": { > > "discovery": "UNKNOWN" > > }, > > @@ -31943,16 +31951,6 @@ > > "lang": "en", > > "time": "2024-04-01T12:00:00.000Z", > > "value": "reported" > > - }, > > - { > > - "time": "2024-07-01", > > - "lang": "en", > > - "value": "fixed by r1918559, r1918666, r1918600, > > r1918625, r1918668 in 2.4.x" > > - }, > > - { > > - "lang": "eng", > > - "time": "2024-07-01", > > - "value": "2.4.60 released" > > } > > ], > > "title": "Apache HTTP Server proxy encoding problem", > > diff --git a/output/security/vulnerabilities_24.html > > b/output/security/vulnerabilities_24.html > > index b5a3385..503e743 100644 > > --- a/output/security/vulnerabilities_24.html > > +++ b/output/security/vulnerabilities_24.html 
> > @@ -110,15 +110,6 @@ h1:hover > .headerlink, h2:hover > .headerlink, > > h3:hover > .headerlink, h4:hover > > <tr><td class="cve-header">Update 2.4.60 released</td><td > > class="cve-value">2024-07-01</td></tr> > > <tr><td class="cve-header">Affects</td><td > > class="cve-value"><=2.4.59</td></tr> > > </table></dd> > > -<dt><h3 id="CVE-2024-38473">moderate: <name name="CVE-2024-38473">Apache > > HTTP Server proxy encoding problem</name> > > -(<a > > href="https://www.cve.org/CVERecord?id=CVE-2024-38473">CVE-2024-38473</a>)</h3></dt> > > -<dd><p>Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and > > earlier allows request URLs with incorrect encoding to be sent to backend > > services, potentially bypassing authentication via crafted > > requests.</p><p>Users are recommended to upgrade to version 2.4.60, which > > fixes this issue.</p> > > -<p>Acknowledgements: finder: Orange Tsai (@orange_8361) from DEVCORE</p> > > -<table class="table"><tr><td class="cve-header">Reported to security > > team</td><td class="cve-value">2024-04-01</td></tr> > > -<tr><td class="cve-header">fixed by r1918559, r1918666, r1918600, > > r1918625, r1918668 in 2.4.x</td><td class="cve-value">2024-07-01</td></tr> > > -<tr><td class="cve-header">Update 2.4.60 released</td><td > > class="cve-value">2024-07-01</td></tr> > > -<tr><td class="cve-header">Affects</td><td > > class="cve-value"><=2.4.59</td></tr> > > -</table></dd> > > sigh, looking at why it removed the updated entry. -- Eric Covener [email protected]
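
Review bot: in output/security/json/CVE-2024-38473.json the "timeline" array shrinks from three entries to the single "reported" entry, so the published record loses the 2024-07-01 events "fixed by r1918559, r1918666, r1918600, r1918625, r1918668 in 2.4.x" and "2.4.60 released". If the regenerated record is meant to keep the release history, re-add both entries when replacing the file, and use "lang": "en" for the release entry instead of the "eng" seen in the removed lines so it matches the rest of the record. Nearly every line of the file is also removed and re-added with identical content, which buries the three real changes (longer description, new "references" block, dropped timeline entries) in a 184-line diff; keeping the existing formatting would make a regression like this visible in review.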
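
Review bot: in output/security/vulnerabilities-httpd.json, hunk @@ -31904,10 +31904,10 @@, both replaced "value" strings previously ended with "Users are recommended to upgrade to version 2.4.60, which fixes this issue.", and the new strings are cut off at "[...]" in this notification, so the upgrade recommendation cannot be confirmed from the diff. Please check the committed file to make sure the sentence is still present in both the text/html and plain-text values. The hunk at @@ -31943,16 +31951,6 @@ drops the same two 2024-07-01 timeline entries as the per-CVE file, so any fix has to be applied to this aggregate as well.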
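
Review bot: the hunk at @@ -110,15 +110,6 @@ in output/security/vulnerabilities_24.html deletes the complete CVE-2024-38473 entry (heading, description, acknowledgement and table), while the same commit keeps the record at "state": "PUBLISHED" and adds a vendor-advisory reference to https://httpd.apache.org/security/vulnerabilities_24.html. That reference would point to a page with no entry for this CVE. The deletion arrives in the same commit that drops the "2.4.60 released" timeline entry, so check whether the page generator needs that entry to list a CVE, and restore it before the site is republished.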
