httpd.xml

<Vulns>   <Vulnerability added="2012-04-12" gvid="ID101059" id="101059" modified="2012-07-17" published="1998-08-07" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-1999-1199</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.2</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载Apache 1.3.2： 
&lt;a href=&quot; 
http://www.apache.org&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-199808-009</cnnvd>      <cvsscode>10.0</cvsscode>      <severity>Critical</severity>      <Description>当客户端发送有同头名的大量标题时，存在一个严重的问题。Apache耗尽内存以简单地存储所接收的数据本身，比所需的时间要快。即随着接受的标头越来越多，内存使用也越来越快，而不是以恒定的速率增加。这使得基于该方法的拒绝服务攻击更有效，从而导致Apache以恒定的速率使用内存，因为攻击者发送较少的数据。</Description>      <name>apache httpd：多个头拒绝服务漏洞（CVE-1999-1199）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101060" id="101060" modified="2017-11-09" published="2000-05-31" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">1284</id>         
             <id name="CVE">CVE-2000-0505</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">4575</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.14</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://www.apache.org/websrc/cvsweb.cgi/apache-1.3/src/os/win32/util_win32.c.diff?r1=1.33&amp;r2=1.34&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/websrc/cvsweb.cgi/apache-1.3/src/os/win32/util_win32.c.diff?r1=1.33&amp;r2=1.34&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200005-109</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>在Windows系统Apache上的安全漏洞允许用户通过发送一个精心构造的请求，查看目录列表而不是默认的HTML页面。</Description>      <name>apache httpd：请求会导致在NT上显示目录列表（CVE-2000-0505）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101061" id="101061" modified="2017-11-09" published="2000-12-19" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">1728</id>         
             <id name="CALDERA">CSSA-2000-035.0</id>         
             <id name="CVE">CVE-2000-0913</id>         
             <id name="MANDRAKE">MDKSA-2000:060</id>         
             <id name="REDHAT">RHSA-2000:088</id>         
             <id name="REDHAT">RHSA-2000:095</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">5310</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.14</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://www.apache.org&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org&lt;/a&gt; 
MandrakeSoft 
------------ 
MandrakeSoft已经为此发布了一个安全公告(MDKSA-2000:060)以及相应补丁: 
MDKSA-2000:060：apache update 
链接：&lt;a href=&quot; 
http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-060.php3&quot; target=&quot;_blank&quot;&gt; 
http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-060.php3&lt;/a&gt; 
补丁下载： 
 &lt;a href=&quot;ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates&quot; target=&quot;_blank&quot;&gt;ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates&lt;/a&gt; 
 &lt;a href=&quot;ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates&quot; target=&quot;_blank&quot;&gt;ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates&lt;/a&gt; 
RedHat 
------ 
RedHat已经为此发布了一个安全公告(RHSA-2000:088-04)以及相应补丁: 
RHSA-2000:088-04：Updated apache, php, mod_perl, and auth_ldap packages available. 
链接：&lt;a href=&quot;https://www.redhat.com/support/errata/RHSA-2000-088.html&quot; target=&quot;_blank&quot;&gt;https://www.redhat.com/support/errata/RHSA-2000-088.html&lt;/a&gt; 
补丁下载： 
Red Hat Linux 5.2: 
alpha: 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/alpha/apache-1.3.14-2.5.x.alpha.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/alpha/apache-1.3.14-2.5.x.alpha.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/alpha/apache-devel-1.3.14-2.5.x.alpha.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/alpha/apache-devel-1.3.14-2.5.x.alpha.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/alpha/mod_perl-1.19-2.alpha.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/alpha/mod_perl-1.19-2.alpha.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/alpha/php-3.0.17-1.5.x.alpha.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/alpha/php-3.0.17-1.5.x.alpha.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/alpha/php-manual-3.0.17-1.5.x.alpha.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/alpha/php-manual-3.0.17-1.5.x.alpha.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/alpha/php-pgsql-3.0.17-1.5.x.alpha.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/alpha/php-pgsql-3.0.17-1.5.x.alpha.rpm&lt;/a&gt; 
sparc: 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/sparc/apache-1.3.14-2.5.x.sparc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/sparc/apache-1.3.14-2.5.x.sparc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/sparc/apache-devel-1.3.14-2.5.x.sparc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/sparc/apache-devel-1.3.14-2.5.x.sparc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/sparc/mod_perl-1.19-2.sparc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/sparc/mod_perl-1.19-2.sparc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/sparc/php-3.0.17-1.5.x.sparc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/sparc/php-3.0.17-1.5.x.sparc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/sparc/php-manual-3.0.17-1.5.x.sparc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/sparc/php-manual-3.0.17-1.5.x.sparc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/sparc/php-pgsql-3.0.17-1.5.x.sparc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/sparc/php-pgsql-3.0.17-1.5.x.sparc.rpm&lt;/a&gt; 
i386: 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/i386/apache-1.3.14-2.5.x.i386.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/i386/apache-1.3.14-2.5.x.i386.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/i386/apache-devel-1.3.14-2.5.x.i386.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/i386/apache-devel-1.3.14-2.5.x.i386.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/i386/mod_perl-1.19-2.i386.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/i386/mod_perl-1.19-2.i386.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/i386/php-3.0.17-1.5.x.i386.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/i386/php-3.0.17-1.5.x.i386.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/i386/php-manual-3.0.17-1.5.x.i386.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/i386/php-manual-3.0.17-1.5.x.i386.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/5.2/i386/php-pgsql-3.0.17-1.5.x.i386.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/5.2/i386/php-pgsql-3.0.17-1.5.x.i386.rpm&lt;/a&gt; 
sources: 
&lt;a href=&quot;ftp://updates.red</Solutions>      <cnnvd>CNNVD-200012-143</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_rewrite和特定的正则表达式用于RewriteRule指令。审查验证您的Web服务器配置。重写模块，mod_rewrite可允许访问Web服务器上的任何文件。该漏洞发生仅使用在重写规则指示正则表达式引用的某些特定情况下：如果一个重写规则的目标包含正则表达式引用然后攻击者将能够访问服务器上的任何文件</Description>      <name>apache httpd：包含引用的重写规则允许访问任何文件（CVE-2000-0913）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101062" id="101062" modified="2013-06-06" published="2000-10-13" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2000-1204</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.9</low>                     
                               <high inclusive="0">1.3.14</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd>CNNVD-200010-002</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_vhost_alias。审查验证您的Web服务器配置。如果cgi-bin目录在文件根目录下运行，大型虚拟主机模块的用户安全问题，mod_vhost_alias导致源被发送至CGI。然而，在根目录下运行的cgi-bin目录不合常规。</Description>      <name>apache httpd：大规模的虚拟主机可以显示CGI源（CVE-2000-1204）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101063" id="101063" modified="2013-08-22" published="2000-02-01" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2000-1205</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">10938</id>         
             <id name="XF">35597</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
* 删除printenv脚本。 
厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://httpd.apache.org/info/css-security/apache_1.3.11_css_patch.txt&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/info/css-security/apache_1.3.11_css_patch.txt&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200002-010</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>Apache容易受跨站点脚本问题的影响。结果表明，如果服务器或脚本处理的请求不小心编码显示给用户的所有信息，恶意的HTML标签可以嵌入到客户端的Web请求中。利用这些漏洞的攻击者可以，例如，获取访问您使用的私有历史记录的副本给你验证到其他网站。</Description>      <name>apache httpd：跨站点脚本可以揭示私人会话信息（CVE-2000-1205）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101064" id="101064" modified="2013-06-06" published="1999-08-20" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2000-1206</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.11</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载1.3.27或之后版本： 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-199908-040</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_rewrite，mod_vhost_alias。审查验证您的Web服务器配置。可能会出现安全问题，使用大规模基于域名的虚拟主机（使用新的mod_vhost_alias模块）或特殊mod_rewrite规则的网站。</Description>      <name>apache httpd：大规模的虚拟主机安全问题（CVE-2000-1206）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101065" id="101065" modified="2015-02-13" published="2001-10-30" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">22083</id>         
             <id name="CVE">CVE-2001-0729</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.20</low>                     
                               <high inclusive="0">1.3.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://www.apache.org&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200110-133</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>在Apache1.3.20的Win32移植中发现一个漏洞。提交长URI的客户端可能会返回一个目录列表，而不是默认的索引页。</Description>      <name>apache httpd：请求会导致显示目录列表（CVE-2001-0729）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101066" id="101066" modified="2013-08-22" published="2001-10-30" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CONECTIVA">CLA-2001:430</id>         
             <id name="CVE">CVE-2001-0730</id>         
             <id name="MANDRAKE">MDKSA-2001:077</id>         
             <id name="REDHAT">RHSA-2001:126</id>         
             <id name="REDHAT">RHSA-2001:164</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">7419</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd>CNNVD-200110-141</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有在分割日志文件的支持程序使用。审查验证您的Web服务器配置。在拆分日志文件的支持计划中发现一个漏洞。有特制的主机：标头的请求可能允许系统上具有.log扩展任何文件被写入。</Description>      <name>apache HTTPD：分割日志文件可导致被写入任意日志文件（CVE-2001-0730）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101067" id="101067" modified="2013-08-22" published="2001-10-01" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">3009</id>         
             <id name="CVE">CVE-2001-0731</id>         
             <id name="MANDRAKE">MDKSA-2001:077</id>         
             <id name="REDHAT">RHSA-2001:126</id>         
             <id name="REDHAT">RHSA-2001:164</id>         
             <id name="SGI">20020301-01-P</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">8275</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>
 
解决方法： 
 
 
 
建议您在httpd.conf中关闭&quot;Index&quot;选项。 
</Solutions>      <cnnvd>CNNVD-200110-003</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞影响，如果仅多视图用于协商目录索引。审查验证您的Web服务器配置。当多视图用于协商目录索引时发现一个漏洞。在一些配置中，带有M= D的QUERY_STRING请求URI可以返回目录列表，而不是预期的索引页。</Description>      <name>apache httpd：多视图可能会显示一个目录列表（CVE-2001-0731）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101068" id="101068" modified="2013-08-22" published="2001-03-12" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">2503</id>         
             <id name="CVE">CVE-2001-0925</id>         
             <id name="DEBIAN">DSA-067</id>         
             <id name="MANDRAKE">MDKSA-2001:077</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">6921</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.11</low>                     
                               <high inclusive="0">1.3.19</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200103-004</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_autoindex，mod_dir，mod_negotiation模块。审查验证您的Web服务器配置。如果使用多道斜线人工创建长路径，默认安装会导致mod_negotiation模块和mod_dir或mod_autoindex显示目录列表而不是多视点index.html文件。</Description>      <name>apache httpd：请求会导致显示目录列表（CVE-2001-0925）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101069" id="101069" modified="2013-08-22" published="2001-05-12" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">2740</id>         
             <id name="CVE">CVE-2001-1342</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">6527</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.20</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载Apache 1.3.20版本： 
&lt;a href=&quot; 
http://httpd.apache.org/dist/httpd/apache_1.3.20.tar.gz&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/dist/httpd/apache_1.3.20.tar.gz&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200105-086</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>在Apache 1.3中的Win32和OS2端口发现一个漏洞。客户端提交一个精心构造的URI会引起子进程中出现一般保护错误，造就了它必须由运营商来清除，以恢复运行的消息框。此漏洞推出任何标识的手段来破坏服务器而非引入一个可能的拒绝服务攻击。</Description>      <name>apache httpd：Win32和OS2上的拒绝服务攻击（CVE-2001-1342）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101070" id="101070" modified="2013-08-22" published="2002-03-21" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">4335</id>         
             <id name="CVE">CVE-2002-0061</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">8589</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.24</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
* 删除cgi-bin目录下所有批处理文件。 
厂商补丁： 
Apache Group 
------------ 
目前1.3.24win32和2.0.34-BETA win32的发行版本已经修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://www.apache.org&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200203-045</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产会受到该漏洞影响仅当使用批处理文件的CGI脚本时。审查验证您的Web服务器配置。Apache的Win32 1.3.24之前版本和2.0.34-β允许远程攻击者通过传递给批处理文件的CGI脚本参数执行任意指令。</Description>      <name>apache httpd：ApacheWin32远程命令执行（CVE-2002-0061）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101232" id="101232" modified="2018-04-17" published="2002-07-03" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">20005</id>         
             <id name="BID">5033</id>         
             <id name="CALDERA">CSSA-2002-029.0</id>         
             <id name="CALDERA">CSSA-2002-SCO.31</id>         
             <id name="CALDERA">CSSA-2002-SCO.32</id>         
             <id name="CERT">CA-2002-17</id>         
             <id name="CERT-VN">944335</id>         
             <id name="CONECTIVA">CLSA-2002:498</id>         
             <id name="CVE">CVE-2002-0392</id>         
             <id name="DEBIAN">DSA-131</id>         
             <id name="DEBIAN">DSA-132</id>         
             <id name="DEBIAN">DSA-133</id>         
             <id name="MANDRAKE">MDKSA-2002:039</id>         
             <id name="REDHAT">RHSA-2002:103</id>         
             <id name="REDHAT">RHSA-2002:117</id>         
             <id name="REDHAT">RHSA-2002:118</id>         
             <id name="REDHAT">RHSA-2002:126</id>         
             <id name="REDHAT">RHSA-2002:150</id>         
             <id name="REDHAT">RHSA-2003:106</id>         
             <id name="SGI">20020605-01-A</id>         
             <id name="SGI">20020605-01-I</id>         
             <id name="SUSE">SuSE-SA:2002:022</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">9249</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.26</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.37</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
此安全漏洞没有好的临时解决方案，由于已经有一个有效的攻击代码被发布，我们建议您立刻升级到Apache最新版本。 
厂商补丁： 
Apache Group 
------------ 
Apache Group已经为此发布了一个安全公告(SB-20020617)以及相应的升级程序: 
SB-20020617：Apache httpd: vulnerability with chunked encoding 
链接：&lt;a href=&quot; 
http://httpd.apache.org/info/security_bulletin_20020617.txt&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/info/security_bulletin_20020617.txt&lt;/a&gt; 
您可以在下列地址下载最新版本： 
Apache 1.3.26: 
Apache 2.0.39: 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt; 
Debian 
------ 
Debian已经为此发布了一个安全公告(DSA-131-1)以及相应补丁: 
DSA-131-1：Apache chunk handling vulnerability 
链接：&lt;a href=&quot; 
http://www.debian.org/security/2002/dsa-131&quot; target=&quot;_blank&quot;&gt; 
http://www.debian.org/security/2002/dsa-131&lt;/a&gt; 
补丁下载： 
Source archives: 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.1.diff.gz&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.1.diff.gz&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.1.dsc&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.1.dsc&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9.orig.tar.gz&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9.orig.tar.gz&lt;/a&gt; 
Architecture independent archives: 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-all/apache-doc_1.3.9-14.1_all.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-all/apache-doc_1.3.9-14.1_all.deb&lt;/a&gt; 
Alpha architecture: 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-common_1.3.9-14.1_alpha.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-common_1.3.9-14.1_alpha.deb&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-dev_1.3.9-14.1_alpha.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-dev_1.3.9-14.1_alpha.deb&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-alpha/apache_1.3.9-14.1_alpha.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-alpha/apache_1.3.9-14.1_alpha.deb&lt;/a&gt; 
ARM architecture: 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-arm/apache-common_1.3.9-14.1_arm.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-arm/apache-common_1.3.9-14.1_arm.deb&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-arm/apache-dev_1.3.9-14.1_arm.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-arm/apache-dev_1.3.9-14.1_arm.deb&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-arm/apache_1.3.9-14.1_arm.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-arm/apache_1.3.9-14.1_arm.deb&lt;/a&gt; 
Intel IA-32 architecture: 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-i386/apache-common_1.3.9-14.1_i386.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-i386/apache-common_1.3.9-14.1_i386.deb&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-i386/apache-dev_1.3.9-14.1_i386.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-i386/apache-dev_1.3.9-14.1_i386.deb&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-i386/apache_1.3.9-14.1_i386.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-i386/apache_1.3.9-14.1_i386.deb&lt;/a&gt; 
Motorola 680x0 architecture: 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-common_1.3.9-14.1_m68k.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-common_1.3.9-14.1_m68k.deb&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-dev_1.3.9-14.1_m68k.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-dev_1.3.9-14.1_m68k.deb&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-m68k/apache_1.3.9-14.1_m68k.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-m68k/apache_1.3.9-14.1_m68k.deb&lt;/a&gt; 
PowerPC architecture: 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-common_1.3.9-14.1_powerpc.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-common_1.3.9-14.1_powerpc.deb&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-dev_1.3.9-14.1_powerpc.deb&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-dev_1.3.9-14.1_powerpc.deb&lt;/a&gt; 
&lt;a href=&quot; 
http://security.debian.org/dists/stable/up&quot; target=&quot;_blank&quot;&gt; 
http://security.debian.org/dists/stable/up&lt;/a&gt; 
补丁安装方法： 
1. 手工安装补丁包： 
 首先，使用下面的命令来下载补丁软件： 
 # wget url (url是补丁下载链接地址) 
 然后，使用下面的命令来安装补丁： 
 # dpkg -i file.deb (file是相应的补丁名) 
2. 使用apt-get自动安装补丁包： 
 首先，使用下面的命令更新内部数据库： 
 # apt-get update 
 
 然后，使用下面的命令安装更新软件包： 
 # apt-get upgrade 
FreeBSD 
------- 
FreeBSD已经为此发布了一个安全公告(FreeBSD-SN-02:04)以及相应补丁: 
FreeBSD-SN-02:04：security issues in ports 
链接：&lt;a href=&quot;ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:04&quot; target=&quot;_blank&quot;&gt;ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:04&lt;/a&gt; .asc 
为了升级一个修复后的port包，可以采用下列两种方法中的任意一种： 
1) 更新您的&quot;Ports Collection&quot;，然后重建、重新安装port.您可以使用下列几个工具来使升级工作更简单： 
 /usr/ports/devel/portcheckout 
 /usr/ports/misc/porteasy 
 /usr/ports/sysutils/portupgrade 
2) 卸载旧的port软件包，从下列地址获取并安装一个新的包： 
[i386] 
&lt;a href=&quot;ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/&quot; target=&quot;_blank&quot;&gt;ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/&lt;/a&gt; 
OpenBSD 
------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot;ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/005_httpd.patch&quot; target=&quot;_blank&quot;&gt;ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/005_httpd.patch&lt;/a&gt; 
更多信息可以参考如下链接： 
&lt;a href=&quot; 
http://www.openbsd.org/errata.html#httpd&quot; target=&quot;_blank&quot;&gt; 
http://www.openbsd.org/errata.html#httpd&lt;/a&gt; 
RedHat 
------ 
RedHat已经为此发布了一个安全公告(RHSA-2002:103-13)以及相应补丁: 
RHSA-2002:103-13：Updated Apache packages fix chunked encoding issue 
链接：&lt;a href=&quot;https://www.redhat.com/support/errata/RHSA-2002-103.html&quot; target=&quot;_blank&quot;&gt;https://www.redhat.com/support/errata/RHSA-2002-103.html&lt;/a&gt; 
补丁下载： 
Red Hat Linux 6.2: 
SRPMS: 
&lt;a href=&quot;ftp://updates.redhat.com/6.2/en/os/SRPMS/apache-1.3.22-5.6.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/6.2/en/os/SRPMS/apache-1.3.22-5.6.src.rpm&lt;/a&gt; 
alpha: 
&lt;a href=&quot;ftp://updates.redhat.com/6.2/en/os/alpha/apache-1.3.22-5.6.alpha.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/6.2/en/os/alpha/apache-1.3.22-5.6.alpha.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/6.2/en/os/alpha/apache-devel-1.3.22-5.6.alpha.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/6.2/en/os/alpha/apache-devel-1.3.22-5.6.alpha.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/6.2/en/os/alpha/apache-manual-1.3.22-5.6.alpha.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/6.2/en/os/alpha/apache-manual-1.3.22-5.6.alpha.rpm&lt;/a&gt; 
i386: 
&lt;a href=&quot;ftp://updates.redhat.com/6.2/en/os/i386/apache-1.3.22-5.6.i386.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/6.2/en/os/i386/apache-1.3.22-5.6.i386.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/6.2/en/os/i386/apache-devel-1.3.22-5.6.i386.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/6.2/en/os/i386/apache-devel-1.3.22-5.6.i386.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/6.2/en/os/i386/apache-manual-1.3.22-5.6.i386.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/6.2/en/os/i386/apache-manual-1.3.22-5.6.i386.rpm&lt;/a&gt; 
sparc: 
&lt;a href=&quot;ftp://updates.redhat.com/6.2/en/os/sparc/apache-1.3.22-5.6.sparc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/6.2/en/os/sparc/apache-1.3.22-5.6.sparc.rpm&lt;/a&gt; 
</Solutions>      <cnnvd>CNNVD-200207-041</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>恶意请求可能会导致各种影响，从系统资源的相对无害的增加到拒绝服务攻击，以及在某些情况下执行任意远程代码的能力。</Description>      <name>apache httpd：Apache分块编码漏洞（CVE-2002-0392）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101071" id="101071" modified="2020-01-30" published="2002-09-05" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">5485</id>         
             <id name="BID">5486</id>         
             <id name="CVE">CVE-2002-0654</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">9875</id>         
             <id name="XF">9876</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.40</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了2.0.40以修复这个安全问题，请到厂商的主页下载最新版本： 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200209-023</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>一个路径曝光揭示存在于多视点类型映射协商（如默认的错误文件），其中一个模块会报告typemapped.VAR文件的完整路径时，多个文档或文件不能够提供服务。在CGI/ cgid另外一个路径，揭示曝光时的Apache无法调用脚本。该模块将报告与QUOT;不能创建子进程/path-to-script/script.pl&amp;quot;揭示了脚本的完整路径。</Description>      <name>apache httpd：路径揭示披露（CVE-2002-0654）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101227" id="101227" modified="2013-08-22" published="2002-08-12" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">5434</id>         
             <id name="CVE">CVE-2002-0661</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">9808</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.40</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
* 编辑httpd.conf文件，在第一个'Alias'或者'Redirect'指示前，增加如下全局服务配置： 
RedirectMatch 400 &quot;\\\.\.&quot; 
* 使用UNIX版本的Apache。 
厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了2.0.40以修复这个安全问题，请到厂商的主页下载最新版本： 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200208-118</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产会受到该漏洞影响仅如果某些文件系统配置都存在。审查验证您的Web服务器配置。一定的URI将绕过安全并允许用户调用或访问取决于系统配置中的任何文件。影响Windows，OS2，Netware和Cygwin平台。</Description>      <name>apache httpd：路径漏洞（CVE-2002-0661）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101072" id="101072" modified="2013-08-22" published="2002-10-11" version="2.0">      
        
        
        <cvss>(AV:L/AC:L/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Privilege Escalation</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">5884</id>         
             <id name="CONECTIVA">CLA-2002:530</id>         
             <id name="CVE">CVE-2002-0839</id>         
             <id name="DEBIAN">DSA-187</id>         
             <id name="DEBIAN">DSA-188</id>         
             <id name="DEBIAN">DSA-195</id>         
             <id name="MANDRAKE">MDKSA-2002:068</id>         
             <id name="SGI">20021105-01-I</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">10280</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.27</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Upgrade apache_1.3.27.tar.gz 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz&lt;/a&gt; 
OpenPKG Upgrade apache-1.3.22-1.0.5.src.rpm 
&lt;a href=&quot;ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.5.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.5.src.rpm&lt;/a&gt; 
OpenPKG Upgrade apache-1.3.26-1.1.1.src.rpm 
&lt;a href=&quot;ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.1.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.1.src.rpm&lt;/a&gt; 
Oracle 
------ 
Oracle已经为此发布了一个安全公告(OracleSA#45): 
OracleSA#45：Security Release of Apache 1.3.27 
链接：&lt;a href=&quot; 
http://otn.oracle.com/deploy/security/pdf/2002alert45rev1.pdf&quot; target=&quot;_blank&quot;&gt; 
http://otn.oracle.com/deploy/security/pdf/2002alert45rev1.pdf&lt;/a&gt; 
Oracle声称将在2002-10-08提供受影响软件的补丁。</Solutions>      <cnnvd>CNNVD-200210-255</cnnvd>      <cvsscode>7.2</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞影响，如果攻击者能够在Apache UID下执行代码。审查验证您的Web服务器配置。用于记分牌的共享内存的权限，允许在Apache UID下执行的攻击者发出信号至任何进程或导致本地拒绝服务攻击。</Description>      <name>apache httpd1：共享内存的权限会导致本地权限升级（CVE-2002-0839）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101233" id="101233" modified="2016-05-27" published="2002-10-11" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>DNS</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">5847</id>         
             <id name="CERT-VN">240329</id>         
             <id name="CONECTIVA">CLA-2002:530</id>         
             <id name="CVE">CVE-2002-0840</id>         
             <id name="DEBIAN">DSA-187</id>         
             <id name="DEBIAN">DSA-188</id>         
             <id name="DEBIAN">DSA-195</id>         
             <id name="MANDRAKE">MDKSA-2002:068</id>         
             <id name="REDHAT">RHSA-2002:222</id>         
             <id name="REDHAT">RHSA-2002:243</id>         
             <id name="REDHAT">RHSA-2002:244</id>         
             <id name="REDHAT">RHSA-2002:248</id>         
             <id name="REDHAT">RHSA-2002:251</id>         
             <id name="REDHAT">RHSA-2003:106</id>         
             <id name="SGI">20021105-02-I</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">10241</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.27</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.43</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200210-265</cnnvd>      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞影响，如果仅UseCanonicalName是关闭并且是为了支持通配符DNS的存在。审查验证您的Web服务器配置。Apache 2.0至2.0.43版本和1.3.x至1.3.26版本默认错误页面中的跨站点脚本（XSS）漏洞，当UseCanonicalName是＆QUOT;关＆QUOT;和支持通配符DNS的存在，允许远程攻击者通过访主机：标头像其他网页访客执行脚本。</Description>      <name>apache httpd：使用错误页面XSS通配符DNS（CVE-2002-0840）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101073" id="101073" modified="2015-02-13" published="2002-10-11" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">5887</id>         
             <id name="BID">5995</id>         
             <id name="BID">5996</id>         
             <id name="CONECTIVA">CLA-2002:530</id>         
             <id name="CONECTIVA">CLSA-2002:530</id>         
             <id name="CVE">CVE-2002-0843</id>         
             <id name="DEBIAN">DSA-187</id>         
             <id name="DEBIAN">DSA-188</id>         
             <id name="DEBIAN">DSA-195</id>         
             <id name="MANDRAKE">MDKSA-2002:068</id>         
             <id name="SGI">20021105-01-I</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">10281</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.27</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>Please see the references for vendor advisories and fixes. 
This issue has been addressed in Apache 1.3.27. 
Sun Cobalt RaQ 4 
&lt;ul&gt;&lt;li&gt; 
Sun RaQ4-All-Security-2.0.1-16343.pkg 
&lt;a href=&quot; 
http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-All-Security-2.0.1-16343.pkg&quot;&gt; 
http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-All-Security-2.0. 
1-16343.pkg&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Sun Cobalt RaQ XTR 
&lt;ul&gt;&lt;li&gt; 
Sun RaQ550-All-Security-0.0.1-16343.pkg 
&lt;a href=&quot; 
http://ftp.cobalt.sun.com/pub/packages/raq550/all/RaQ550-All-Security-0.0.1-16343.pkg&quot;&gt; 
http://ftp.cobalt.sun.com/pub/packages/raq550/all/RaQ550-All-Security- 
0.0.1-16343.pkg&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
Sun RaQXTR-All-Security-1.0.1-16343.pkg 
&lt;a href=&quot; 
http://ftp.cobalt.sun.com/pub/packages/raqxtr/eng/RaQXTR-All-Security-1.0.1-16343.pkg&quot;&gt; 
http://ftp.cobalt.sun.com/pub/packages/raqxtr/eng/RaQXTR-All-Security- 
1.0.1-16343.pkg&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Sun Cobalt RaQ 550 
&lt;ul&gt;&lt;li&gt; 
Sun RaQ550-All-Security-0.0.1-16343.pkg 
&lt;a href=&quot; 
http://ftp.cobalt.sun.com/pub/packages/raq550/all/RaQ550-All-Security-0.0.1-16343.pkg&quot;&gt; 
http://ftp.cobalt.sun.com/pub/packages/raq550/all/RaQ550-All-Security- 
0.0.1-16343.pkg&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Sun Cobalt Qube 3 
&lt;ul&gt;&lt;li&gt; 
Sun Qube3-All-Security-4.0.1-16343.pkg 
&lt;a href=&quot; 
http://ftp.cobalt.sun.com/pub/packages/qube3/ml/Qube3-All-Security-4.0.1-16343.pkg&quot;&gt; 
http://ftp.cobalt.sun.com/pub/packages/qube3/ml/Qube3-All-Security-4.0 
.1-16343.pkg&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 1.3.19 
&lt;ul&gt;&lt;li&gt; 
EnGarde Secure Linux apache-1.3.27-1.0.32.i386.rpm 
&lt;a href=&quot;ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i386/apache-1.3.27-1.0.32.i386.rpm&quot;&gt;ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i386/apache-1.3. 
27-1.0.32.i386.rpm&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
EnGarde Secure Linux apache-1.3.27-1.0.32.i686.rpm 
&lt;a href=&quot;ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i686/apache-1.3.27-1.0.32.i686.rpm&quot;&gt;ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i686/apache-1.3. 
27-1.0.32.i686.rpm&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 1.3.20 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation apache_1.3.27.tar.gz 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz&quot;&gt; 
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-1.3.20-5.2mdk.i586.rpmSingle Network Firewall 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-common-1.3.20-5.2mdk.i586.rpmSingle Network Firewall 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-devel-1.3.20-5.2mdk.i586.rpmSingle Network Firewall 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-manual-1.3.20-5.2mdk.i586.rpmSingle Network Firewall 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-mod_perl-1.3.20_1.24-5.2mdk.i586.rpmSingle Network Firewall 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-mod_perl-devel-1.3.20_1.24-5.2mdk.i586.rpmSingle Network Firewall 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-suexec-1.3.20-5.2mdk.i586.rpmSingle Network Firewall 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft HTML-Embperl-1.3b6-5.2mdk.i586.rpmSingle Network Firewall 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 1.3.22 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation apache_1.3.27.tar.gz 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz&quot;&gt; 
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
Conectiva apache-1.3.26-1U70_7cl.i386.rpm 
&lt;a href=&quot;ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.26-1U70_7cl.i386.rpm&quot;&gt;ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.26-1U70_7cl.i3 
86.rpm&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
Conectiva apache-1.3.26-1U8_4cl.i386.rpm 
&lt;a href=&quot;ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-1.3.26-1U8_4cl.i386.rpm&quot;&gt;ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-1.3.26-1U8_4cl.i386. 
rpm&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
Conectiva apache-devel-1.3.26-1U70_7cl.i386.rpm 
&lt;a href=&quot;ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.26-1U70_7cl.i386.rpm&quot;&gt;ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.26-1U70_ 
7cl.i386.rpm&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
Conectiva apache-devel-1.3.26-1U8_4cl.i386.rpm 
&lt;a href=&quot;ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-devel-1.3.26-1U8_4cl.i386.rpm&quot;&gt;ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-devel-1.3.26-1U8_4cl 
.i386.rpm&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
Conectiva apache-doc-1.3.26-1U70_7cl.i386.rpm 
&lt;a href=&quot;ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.26-1U70_7cl.i386.rpm&quot;&gt;ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.26-1U70_7c 
l.i386.rpm&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
Conectiva apache-doc-1.3.26-1U8_4cl.i386.rpm 
&lt;a href=&quot;ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-doc-1.3.26-1U8_4cl.i386.rpm&quot;&gt;ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-doc-1.3.26-1U8_4cl.i 
386.rpm&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-1.3.22-10.2mdk.i586.rpmLinux-Mandrake 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-1.3.22-10.2mdk.i586.rpmMandrake Linux 8.0 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-1.3.22-10.2mdk.i586.rpmMandrake Linux 8.1 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-1.3.22-10.2mdk.ia64.rpmMandrake Linux 8.1/ia64 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-1.3.22-10.2mdk.ppc.rpmMandrake Linux 8.0/ppc 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-common-1.3.22-10.2mdk.i586.rpmLinux-Mandrake 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-common-1.3.22-10.2mdk.i586.rpmMandrake Linux 8.0 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-common-1.3.22-10.2mdk.i586.rpmMandrake Linux 8.1 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-common-1.3.22-10.2mdk.ia64.rpmMandrake Linux 8.1/ia64 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-common-1.3.22-10.2mdk.ppc.rpmMandrake Linux 8.0/ppc 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apache-devel-1.3.22-10.2mdk.i586.rpmLinux-Mandrake 7.2 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
MandrakeSoft apa</Solutions>      <cnnvd>CNNVD-200210-250</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有在AB基准工具是用来对付恶意服务器的时候。审查验证您的Web服务器配置。如果AB针对恶意服务器运行，可利用基准工具ab中的缓冲区溢出。</Description>      <name>apache httpd：AB实用程序中的缓冲区溢出（CVE-2002-0843）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101074" id="101074" modified="2013-08-22" published="2002-10-11" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">6065</id>         
             <id name="CERT-VN">910713</id>         
             <id name="CVE">CVE-2002-1156</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">10499</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.42</low>                     
                               <high inclusive="0">2.0.43</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载2.0.43版本： 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt; 
HP 
-- 
HP已经为此发布了一个安全公告(HPSBUX0210-224)以及相应补丁: 
HPSBUX0210-224：SSRT2393 rev.2 HP-UX Apache Vulnerabilities 
链接：&lt;a href=&quot; 
http://www-1.ibm.com/services/continuity/recover1.nsf/mss/MSS-OAR-E01-2004.0928.1&quot; target=&quot;_blank&quot;&gt; 
http://www-1.ibm.com/services/continuity/recover1.nsf/mss/MSS-OAR-E01-2004.0928.1&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200210-252</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_dav的和CGI已启用，CGI脚本可用。审查验证您的Web服务器配置。在Apache中只有2.0.42，对其中两个WebDAV和CGI启用了一个位置，一个POST请求到CGI脚本将揭示CGI源到远程用户。</Description>      <name>Apache HTTPD:使用WebDAV透露CGI脚本源 (CVE-2002-1156)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101075" id="101075" modified="2013-08-22" published="2002-05-06" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">5256</id>         
             <id name="CERT-VN">165803</id>         
             <id name="CVE">CVE-2002-1592</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">9623</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.36</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>在某些情况下，警告消息被返回给除记录在错误日志外的终端用户中。这可能揭示的路径，例如CGI脚本，一个小的安全风险。</Description>      <name>apache httpd：可以给用户显示警告信息（CVE-2002-1592）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101076" id="101076" modified="2013-08-22" published="2002-09-25" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">5816</id>         
             <id name="CERT-VN">406121</id>         
             <id name="CVE">CVE-2002-1593</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">10208</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.42</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>The vendor has addressed this issue in version v2.0.42: 
Apache Software Foundation Apache 2.0 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation Apache httpd 2.0.42 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 2.0.28 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation Apache httpd 2.0.42 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 2.0.32 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation Apache httpd 2.0.42 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 2.0.35 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation Apache httpd 2.0.42 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 2.0.36 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation Apache httpd 2.0.42 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 2.0.37 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation Apache httpd 2.0.42 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 2.0.38 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation Apache httpd 2.0.42 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 2.0.39 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation Apache httpd 2.0.42 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 2.0.40 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation Apache httpd 2.0.42 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Apache Software Foundation Apache 2.0.41 
&lt;ul&gt;&lt;li&gt; 
Apache Software Foundation Apache httpd 2.0.42 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt;</Solutions>      <cnnvd>CNNVD-200209-068</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的攻击，仅当其运行下列模块当中的一个mod_ssl时：审查验证您的Web服务器配置。在Apache 2.0版本的mod_ssl模块中发现一个漏洞。以某种特殊状态强制ssl连接中断的远程攻击者，可能导致Apache子进程陷入死循环，从而消耗CPU资源。</Description>      <name>apache httpd：mod_dav崩溃（CVE-2002-1593）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101228" id="101228" modified="2013-08-22" published="2003-02-07" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">6659</id>         
             <id name="CERT-VN">825177</id>         
             <id name="CERT-VN">979793</id>         
             <id name="CVE">CVE-2003-0016</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">11124</id>         
             <id name="XF">11125</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.44</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经在新版的软件中修复了这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200302-014</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>在Windows平台上的Apache没有正确地过滤MS-DOS设备名可能导致拒绝服务攻击或远程执行代码。</Description>      <name>Apache HTTPD：MS-DOS设备名过滤（CVE-2003-0016）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101077" id="101077" modified="2020-01-30" published="2003-02-07" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2003-0017</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.44</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布新版的软件中修复了这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200302-007</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>在Windows平台上的Apache可能会被迫通过追加非法字符，如&amp;#39;＆LT;&amp;#39;请求URL服务于意外的文件</Description>      <name>apache httpd：Apache可以服务意外文件（CVE-2003-0017）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101078" id="101078" modified="2013-08-22" published="2003-03-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2004-05-03</id>         
             <id name="BID">9930</id>         
             <id name="CVE">CVE-2003-0020</id>         
             <id name="MANDRAKE">MDKSA-2003:050</id>         
             <id name="MANDRAKE">MDKSA-2004:046</id>         
             <id name="OVAL">OVAL100109</id>         
             <id name="OVAL">OVAL150</id>         
             <id name="OVAL">OVAL4114</id>         
             <id name="REDHAT">RHSA-2003:082</id>         
             <id name="REDHAT">RHSA-2003:083</id>         
             <id name="REDHAT">RHSA-2003:104</id>         
             <id name="REDHAT">RHSA-2003:139</id>         
             <id name="REDHAT">RHSA-2003:243</id>         
             <id name="REDHAT">RHSA-2003:244</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">11412</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.31</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.49</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Upgrade Apache httpd 2.0.49 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200303-057</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞影响。如果仅Apache错误记录被使用含有转义序列漏洞终端仿真器查看。审查验证您的Web服务器配置。apache不会从错误记录过滤终端转义序列，这可能使得攻击者更容易，将这些序列插入含有为转义序列相关的漏洞终端模拟器。</Description>      <name>apache httpd：错误记录转义过滤（CVE-2003-0020）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101079" id="101079" modified="2018-04-17" published="2003-04-02" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2003-0083</id>         
             <id name="OVAL">OVAL151</id>         
             <id name="REDHAT">RHSA-2003:139</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.26</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.46</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://www.apache.org&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200304-045</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>仅当使用包含转义序列漏洞的终端仿真程序查看Apache访问日志时，受影响的资产才容易受到此漏洞的攻击。 检查Web服务器配置以进行验证。 Apache没有从其访问日志中过滤终端转义序列，这可以使攻击者更容易将这些序列插入到包含与转义序列相关的漏洞的终端模拟器中。</Description>      <name>Apache HTTPD:过滤转义序列 (CVE-2003-0083)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101080" id="101080" modified="2015-02-13" published="2003-04-11" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CERT-VN">206537</id>         
             <id name="CVE">CVE-2003-0132</id>         
             <id name="OVAL">OVAL156</id>         
             <id name="REDHAT">RHSA-2003:139</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.45</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Upgrade Apache httpd 2.0.45 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200304-076</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>Apache 2.0至2.0.45版本存在一个重要的拒绝服务漏洞。远程攻击者可通过大块换行字符导致拒绝服务（内存消耗），这导致Apache为每个换行分配80个字节。</Description>      <name>Apache HTTPD:换行内存泄露的DoS (CVE-2003-0132)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101081" id="101081" modified="2012-07-17" published="2003-04-11" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2003-0134</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.46</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Patch os2_filestat_security_fix.patch 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/patches/apply_to_2.0.45/os2_filestat_security_fix.patch&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/patches/apply_to_2.0.45/os2_filestat_security_fix.patch&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200304-090</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>设备名导致OS2至Apache2.0.45版本存在拒绝服务漏洞。</Description>      <name>Apache HTTPD:OS2设备名拒绝服务(CVE-2003-0134)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101082" id="101082" modified="2015-02-13" published="2003-06-09" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">7725</id>         
             <id name="CERT-VN">479268</id>         
             <id name="CONECTIVA">CLA-2003:661</id>         
             <id name="CVE">CVE-2003-0189</id>         
             <id name="REDHAT">RHSA-2003:186</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">12091</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.40</low>                     
                               <high inclusive="0">2.0.46</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载Apache 2.0.46版本： 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200306-018</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有在线程服务器使用。审查验证您的Web服务器配置。Apache 2.0.40至2.0.45版本中的构建系统问题在使用线程服务器时允许远程攻击者造成拒绝访问已验证的内容。</Description>      <name>apache httpd：基本身份验证的DoS（CVE-2003-0189）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101083" id="101083" modified="2013-06-06" published="2003-08-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2003-0192</id>         
             <id name="MANDRAKE">MDKSA-2003:075</id>         
             <id name="OVAL">OVAL169</id>         
             <id name="REDHAT">RHSA-2003:240</id>         
             <id name="REDHAT">RHSA-2003:243</id>         
             <id name="REDHAT">RHSA-2003:244</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.47</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Trustix 
------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Trustix Patch apache-2.0.47-2tr.i586.rpm 
&lt;a href=&quot;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-2.0.47-2tr.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-2.0.47-2tr.i586.rpm&lt;/a&gt; 
Trustix Patch apache-devel-2.0.47-2tr.i586.rpm 
&lt;a href=&quot;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-devel-2.0.47-2tr.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-devel-2.0.47-2tr.i586.rpm&lt;/a&gt; 
Trustix Patch apache-manual-2.0.47-2tr.i586.rpm 
&lt;a href=&quot;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-manual-2.0.47-2tr.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-manual-2.0.47-2tr.i586.rpm&lt;/a&gt; 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Upgrade Apache httpd 2.0.47 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200308-068</cnnvd>      <cvsscode>6.4</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_ssl和可选的重新协商（SSLOptions+ OptRenegotiate）与验证的客户端证书一起使用。审查验证您的Web服务器配置。在Apache httpd包含mod_ssl的可选重新谈判代码中的bug可能导致忽略密码套件的限制。如果可选的重新协商（SSLOptions+ OptRenegotiate）与验证的客户端证书一起使用，并更改重新谈判中的密码套件，可能触发此问题。</Description>      <name>apache httpd：mod_ssl重新谈判问题（CVE-2003-0192）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101084" id="101084" modified="2013-08-22" published="2003-06-09" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">7723</id>         
             <id name="CERT-VN">757612</id>         
             <id name="CONECTIVA">CLA-2003:661</id>         
             <id name="CVE">CVE-2003-0245</id>         
             <id name="MANDRAKE">MDKSA-2003:063</id>         
             <id name="REDHAT">RHSA-2003:186</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">12090</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.37</low>                     
                               <high inclusive="0">2.0.46</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载Apache 2.0.46版本： 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200306-006</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，如果攻击者可发送有长字符串的XML对象。审查验证您的Web服务器配置。在 Apache Portable Runtime (APR)库apr_psprintf函数中的漏洞（APR）库允许远程攻击者造成拒绝服务（崩溃），并可能通过长字符串执行任意代码，如使用XML对象mod_dav证明，以及其他可能的向量。</Description>      <name>apache httpd：APR远程崩溃（CVE-2003-0245）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101085" id="101085" modified="2013-06-06" published="2003-08-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2003-0253</id>         
             <id name="MANDRAKE">MDKSA-2003:075</id>         
             <id name="OVAL">OVAL173</id>         
             <id name="REDHAT">RHSA-2003:240</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.47</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载2.0.47： 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt; 
HP 
-- 
HP已经为此发布了一个安全公告(HPSBUX0309-278)以及相应补丁: 
HPSBUX0309-278：SSRT3623 Security Vulnerabilities in Apache HTTP Server&lt;/Descripti 
链接： 
补丁下载： 
&lt;a href=&quot; 
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE&quot; target=&quot;_blank&quot;&gt; 
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE&lt;/a&gt; 
MandrakeSoft 
------------ 
MandrakeSoft已经为此发布了一个安全公告(MDKSA-2003:075)以及相应补丁: 
MDKSA-2003:075：Updated apache2 packages fix multiple vulnerabilities 
链接：&lt;a href=&quot; 
http://www.linux-mandrake.com/en/security/2003/2003-075.php&quot; target=&quot;_blank&quot;&gt; 
http://www.linux-mandrake.com/en/security/2003/2003-075.php&lt;/a&gt; 
补丁下载： 
Updated Packages: 
Mandrake Linux 9.1: 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache-conf-2.0.44-11.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache-conf-2.0.44-11.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-2.0.47-1.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-2.0.47-1.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-common-2.0.47-1.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-common-2.0.47-1.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-devel-2.0.47-1.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-devel-2.0.47-1.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-manual-2.0.47-1.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-manual-2.0.47-1.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-mod_dav-2.0.47-1.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-mod_dav-2.0.47-1.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-mod_ldap-2.0.47-1.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-mod_ldap-2.0.47-1.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-mod_ssl-2.0.47-1.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-mod_ssl-2.0.47-1.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-modules-2.0.47-1.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-modules-2.0.47-1.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-source-2.0.47-1.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/apache2-source-2.0.47-1.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/libapr0-2.0.47-1.1mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/libapr0-2.0.47-1.1mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/apache-conf-2.0.44-11.1mdk.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/apache-conf-2.0.44-11.1mdk.src.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/apache2-2.0.47-1.1mdk.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/apache2-2.0.47-1.1mdk.src.rpm&lt;/a&gt; 
Mandrake Linux 9.1/PPC: 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache-conf-2.0.44-11.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache-conf-2.0.44-11.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-2.0.47-1.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-2.0.47-1.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-common-2.0.47-1.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-common-2.0.47-1.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-devel-2.0.47-1.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-devel-2.0.47-1.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-manual-2.0.47-1.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-manual-2.0.47-1.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-modules-2.0.47-1.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-modules-2.0.47-1.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-source-2.0.47-1.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/apache2-source-2.0.47-1.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/libapr0-2.0.47-1.1mdk.ppc.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/libapr0-2.0.47-1.1mdk.ppc.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/apache-conf-2.0.44-11.1mdk.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/apache-conf-2.0.44-11.1mdk.src.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/apache2-2.0.47-1.1mdk.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/apache2-2.0.47-1.1mdk.src.rpm&lt;/a&gt; 
上述升级软件还可以在下列地址中的任意一个镜像ftp服务器上下载： 
&lt;a href=&quot; 
http://www.mandrakesecure.net/en/ftp.php&quot; target=&quot;_blank&quot;&gt; 
http://www.mandrakesecure.net/en/ftp.php&lt;/a&gt; 
RedHat 
------ 
RedHat已经为此发布了一个安全公告(RHSA-2003:240-01)以及相应补丁: 
RHSA-2003:240-01：Updated httpd packages fix Apache security vulnerabilities 
链接：&lt;a href=&quot;https://www.redhat.com/support/errata/RHSA-2003-240.html&quot; target=&quot;_blank&quot;&gt;https://www.redhat.com/support/errata/RHSA-2003-240.html&lt;/a&gt; 
补丁下载： 
Red Hat Linux 8.0: 
SRPMS: 
&lt;a href=&quot;ftp://updates.redhat.com/8.0/en/os/SRPMS/httpd-2.0.40-11.7.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/8.0/en/os/SRPMS/httpd-2.0.40-11.7.src.rpm&lt;/a&gt; 
i386: 
&lt;a href=&quot;ftp://updates.redhat.com/8.0/en/os/i386/httpd-2.0.40-11.7.i386.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/8.0/en/os/i386/httpd-2.0.40-11.7.i386.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://updates.redhat.com/8.0/en/os/i386/httpd</Solutions>      <cnnvd>CNNVD-200308-073</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>此受影响的资产仅在使用预生派时受此漏洞的影响。审查验证您的Web服务器配置。在有多个侦听套接字的服务器上，很少访问的端口上的accept()返回某些错误消息，由于预生派中的Bug就可能导致临时的拒绝服务。</Description>      <name>Apache HTTPD:有多个听指令的远程磁盘操作系统(CVE-2003-0253)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101086" id="101086" modified="2013-06-06" published="2003-08-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>FTP</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2003-0254</id>         
             <id name="MANDRAKE">MDKSA-2003:075</id>         
             <id name="OVAL">OVAL183</id>         
             <id name="REDHAT">RHSA-2003:240</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.47</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Trustix 
------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Trustix Patch apache-2.0.47-2tr.i586.rpm 
&lt;a href=&quot;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-2.0.47-2tr.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-2.0.47-2tr.i586.rpm&lt;/a&gt; 
Trustix Patch apache-devel-2.0.47-2tr.i586.rpm 
&lt;a href=&quot;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-devel-2.0.47-2tr.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-devel-2.0.47-2tr.i586.rpm&lt;/a&gt; 
Trustix Patch apache-manual-2.0.47-2tr.i586.rpm 
&lt;a href=&quot;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-manual-2.0.47-2tr.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://ftp.trustix.net/pub/Trustix/updates/2.0/RPMS/apache-manual-2.0.47-2tr.i586.rpm&lt;/a&gt; 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Upgrade Apache httpd 2.0.47 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200308-091</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产容易受此漏洞的影响，仅当Apache配置为FTP服务器且攻击者向有IPv6地址的FTP服务器发出代理请求。审查验证您的Web服务器配置。当代理ftp的客户端请求连接有IPv6地址的FTP服务器且代理不能创建一个IPv6套接字时，无限循环导致远程拒绝服务。</Description>      <name>Apache HTTPD:通过IPv6 FTP代理的远程拒绝服务（CVE-2003-0254）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101087" id="101087" modified="2012-07-17" published="2003-08-27" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CERT-VN">694428</id>         
             <id name="CVE">CVE-2003-0460</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.28</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
* 在CustomLog或ErrorLog中禁用rotatelog工具。 
厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Upgrade Apache httpd 1.3.28 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200308-179</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>如果接收如0x1A的特殊控制字符，在Win32和OS/2中的rotatelogs支持程序将退出登录和退出。</Description>      <name>apache httpd：rotatelogs拒绝服务（CVE-2003-0460）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101088" id="101088" modified="2015-02-13" published="2003-11-03" version="2.0">      
        
        
        <cvss>(AV:L/AC:L/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2004-01-26</id>         
             <id name="BID">8911</id>         
             <id name="BID">9504</id>         
             <id name="CERT-VN">434566</id>         
             <id name="CERT-VN">549142</id>         
             <id name="CVE">CVE-2003-0542</id>         
             <id name="MANDRAKE">MDKSA-2003:103</id>         
             <id name="OVAL">OVAL3799</id>         
             <id name="OVAL">OVAL863</id>         
             <id name="OVAL">OVAL864</id>         
             <id name="OVAL">OVAL9458</id>         
             <id name="REDHAT">RHSA-2003:320</id>         
             <id name="REDHAT">RHSA-2003:360</id>         
             <id name="REDHAT">RHSA-2003:405</id>         
             <id name="REDHAT">RHSA-2004:015</id>         
             <id name="REDHAT">RHSA-2005:816</id>         
             <id name="SGI">20031203-01-U</id>         
             <id name="SGI">20040202-01-U</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">13400</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.29</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.48</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200311-021</cnnvd>      <cvsscode>7.2</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_alias、mod_rewrite且攻击者可以创建具有超过900的正则表达式捕获一个特制的.htaccess或httpd.conf文件。审查验证您的Web服务器配置。通过使用正则表达式超过9捕捉缓冲区溢出可能发生在mod_alias中的mod_rewrite或。要利用此攻击者需要能够创造一个特制的配置文件（或的.htaccess httpd.conf中）</Description>      <name>Apache HTTPD: 本地配置的正则表达式溢出 (CVE-2003-0542)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101089" id="101089" modified="2013-08-22" published="2003-11-03" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2004-01-26</id>         
             <id name="BID">8926</id>         
             <id name="BID">9504</id>         
             <id name="CIAC">O-015</id>         
             <id name="CONECTIVA">CLA-2003:775</id>         
             <id name="CVE">CVE-2003-0789</id>         
             <id name="MANDRAKE">MDKSA-2003:103</id>         
             <id name="REDHAT">RHSA-2003:320</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">13552</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.48</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Upgrade httpd-2.0.48.tar.gz 
&lt;a href=&quot; 
http://apache.sunsite.ualberta.ca/httpd/httpd-2.0.48.tar.gz&quot; target=&quot;_blank&quot;&gt; 
http://apache.sunsite.ualberta.ca/httpd/httpd-2.0.48.tar.gz&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200311-017</cnnvd>      <cvsscode>10.0</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产会受到该漏洞影响，如果仅线程MPM被使用。审查验证您的Web服务器配置。在CGI重定向路径的mod_cgid处理中不当的bug可能会导致CGI输出在使用线程MPM时进入错误的客户端。</Description>      <name>apache httpd：CGI输出信息泄露（CVE-2003-0789）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101090" id="101090" modified="2013-08-22" published="2004-03-03" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">9571</id>         
             <id name="CVE">CVE-2003-0987</id>         
             <id name="MANDRAKE">MDKSA-2004:046</id>         
             <id name="OVAL">OVAL100108</id>         
             <id name="OVAL">OVAL4416</id>         
             <id name="REDHAT">RHSA-2004:600</id>         
             <id name="REDHAT">RHSA-2005:816</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">15041</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.31</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
* 如果不需要mod_digest模块，就关闭此模块，或者使用mod_auth_digest代替。 
厂商补丁： 
Apache Software Foundation 
-------------------------- 
Apache 1.3.30的参考补丁： 
Index: include/http_core.h 
=================================================================== 
RCS file: /home/cvs/apache-1.3/src/include/http_core.h,v 
retrieving revision 1.71 
diff -u -r1.71 http_core.h 
--- include/http_core.h 7 Jul 2003 00:34:09 -0000 1.71 
+++ include/http_core.h 18 Dec 2003 17:30:29 -0000 
@@ -162,6 +162,7 @@ 
 API_EXPORT(const char *) ap_auth_type (request_rec *); 
 API_EXPORT(const char *) ap_auth_name (request_rec *); 
+API_EXPORT(const char *) ap_auth_nonce (request_rec *); 
 API_EXPORT(int) ap_satisfies (request_rec *r); 
 API_EXPORT(const array_header *) ap_requires (request_rec *); 
@@ -244,6 +245,7 @@ 
 int satisfy; 
 char *ap_auth_type; 
 char *ap_auth_name; 
+ char *ap_auth_nonce; /* digest auth */ 
 array_header *ap_requires; 
 /* Custom response config. These can contain text or a URL to redirect to. 
Index: main/http_core.c 
=================================================================== 
RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v 
retrieving revision 1.327 
diff -u -r1.327 http_core.c 
--- main/http_core.c 17 Nov 2003 17:14:53 -0000 1.327 
+++ main/http_core.c 18 Dec 2003 17:30:30 -0000 
@@ -236,6 +236,9 @@ 
 if (new-&gt;ap_auth_name) { 
 conf-&gt;ap_auth_name = new-&gt;ap_auth_name; 
 } 
+ if (new-&gt;ap_auth_nonce) { 
+ conf-&gt;ap_auth_nonce= new-&gt;ap_auth_nonce; 
+ } 
 if (new-&gt;ap_requires) { 
 conf-&gt;ap_requires = new-&gt;ap_requires; 
 } 
@@ -577,6 +580,29 @@ 
 return conf-&gt;ap_auth_name; 
 } 
+API_EXPORT(const char *) ap_auth_nonce(request_rec *r) 
+{ 
+ core_dir_config *conf; 
+ conf = (core_dir_config *)ap_get_module_config(r-&gt;per_dir_config, 
+ &amp;core_module); 
+ if (conf-&gt;ap_auth_nonce) 
+ return conf-&gt;ap_auth_nonce; 
+ 
+ /* Ideally we'd want to mix in some per-directory style 
+ * information; as we are likely to want to detect replay 
+ * across those boundaries and some randomness. But that 
+ * is harder due to the adhoc nature of .htaccess memory 
+ * structures, restarts and forks. 
+ * 
+ * But then again - you should use AuthNonce in your config 
+ * file if you care. So the adhoc value should do. 
+ */ 
+ return ap_psprintf(r-&gt;pool,&quot;%lu%lu%lu%lu%lu%s&quot;, 
+ *(unsigned long *)&amp;((r-&gt;connection-&gt;local_addr).sin_addr ), 
+ ap_user_name, ap_listeners, ap_server_argv0, ap_pid_fname 
+ ); 
+} 
+ 
 API_EXPORT(const char *) ap_default_type(request_rec *r) 
 { 
 core_dir_config *conf; 
@@ -2797,6 +2823,28 @@ 
 return NULL; 
 } 
+/* 
+ * Load an authorisation nonce into our location configuration, and 
+ * force it to be in the 0-9/A-Z realm. 
+ */ 
+static const char *set_authnonce (cmd_parms *cmd, void *mconfig, char *word1) 
+{ 
+ core_dir_config *aconfig = (core_dir_config *)mconfig; 
+ int i; 
+ 
+ aconfig-&gt;ap_auth_nonce = ap_escape_quotes(cmd-&gt;pool, word1); 
+ 
+ if (strlen(aconfig-&gt;ap_auth_nonce) &gt; 510) 
+ return &quot;AuthNonce lenght limited to 510 chars for browser 
compatibility&quot;; 
+ 
+ for(i=0;i&lt;strlen(aconfig-&gt;ap_auth_nonce );i++) 
+ if (!ap_isalnum(aconfig-&gt;ap_auth_nonce [i])) 
+ return &quot;AuthNonce limited to 0-9 and A-Z range for browser 
compatibilty&quot;; 
+ 
+ return NULL; 
+} 
+ 
+ 
 #ifdef _OSD_POSIX /* BS2000 Logon Passwd file */ 
 static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char *name) 
 { 
@@ -3411,6 +3459,9 @@ 
 &quot;An HTTP authorization type (e.g., \&quot;Basic\&quot;)&quot; }, 
 { &quot;AuthName&quot;, set_authname, NULL, OR_AUTHCFG, TAKE1, 
 &quot;The authentication realm (e.g. \&quot;Members Only\&quot;)&quot; }, 
+{ &quot;AuthNonce&quot;, set_authnonce, NULL, OR_AUTHCFG, TAKE1, 
+ &quot;An authentication token which should be different for each logical realm. &quot;\ 
+ &quot;A random value or the servers IP may be a good choise.\n&quot; }, 
 { &quot;Require&quot;, require, NULL, OR_AUTHCFG, RAW_ARGS, 
 &quot;Selects which authenticated users or groups may access a protected space&quot; }, 
 { &quot;Satisfy&quot;, satisfy, NULL, OR_AUTHCFG, TAKE1, 
Index: main/http_protocol.c 
=================================================================== 
RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v 
retrieving revision 1.330 
diff -u -r1.330 http_protocol.c 
--- main/http_protocol.c 3 Feb 2003 17:13:22 -0000 1.330 
+++ main/http_protocol.c 18 Dec 2003 17:30:32 -0000 
@@ -76,6 +76,7 @@ 
 #include &quot;util_date.h&quot; /* For parseHTTPdate and BAD_DATE */ 
 #include &lt;stdarg.h&gt; 
 #include &quot;http_conf_globals.h&quot; 
+#include &quot;util_md5.h&quot; /* For digestAuth */ 
 #define SET_BYTES_SENT(r) \ 
 do { if (r-&gt;sent_bodyct) \ 
@@ -1391,11 +1392,24 @@ 
 API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r) 
 { 
+ /* We need to create a nonce which: 
+ * a) changes all the time (see r-&gt;request_time) 
+ * below and 
+ * b) of which we can verify that it is our own 
+ * fairly easily when it comes to veryfing 
+ * the digest coming back in the response. 
+ * c) and which as a whole should not 
+ * be unlikely to be in use anywhere else. 
+ */ 
+ char * nonce_prefix = ap_md5(r-&gt;pool, 
+ ap_psprintf(r-&gt;pool, &quot;%s%lu&quot;, 
+ ap_auth_nonce(r), r-&gt;request_time)); 
+ 
 ap_table_setn(r-&gt;err_headers_out, 
 r-&gt;proxyreq == STD_PROXY ? &quot;Proxy-Authenticate&quot; 
 &amp;n</Solutions>      <cnnvd>CNNVD-200403-045</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_digest和一个攻击者可以嗅探使用摘要保护客户端和服务器之间的网络流量。审查验证您的Web服务器配置。 mod_digest不能正常使用Auth随机数秘密验证客户端响应的随机数。这可能允许能够嗅探网络流量的恶意用户进行堆使用摘要保护的网站进行重放攻击。需要注意的是mod_digest实现MD5摘要式身份验证规范的旧版本，可知这不与现代浏览器一起运行。此问题不影响mod_auth_digest。</Description>      <name>apache httpd：mod_digest随机数检查（CVE-2003-0987）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101091" id="101091" modified="2013-08-22" published="2004-03-29" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">9829</id>         
             <id name="CVE">CVE-2003-0993</id>         
             <id name="MANDRAKE">MDKSA-2004:046</id>         
             <id name="OVAL">OVAL100111</id>         
             <id name="OVAL">OVAL4670</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">15422</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.31</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
Apache CVS版本已经修正此漏洞： 
&lt;a href=&quot; 
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_access.c?r1=1.46&amp;r2=1.47&quot; target=&quot;_blank&quot;&gt; 
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_access.c?r1=1.46&amp;r2=1.47&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200403-135</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产会受到该漏洞影响，如果仅允许/拒绝规则使用64位大端平台上没有网络掩码的IP地址。审查验证您的Web服务器配置。解析允许/拒绝规则，使用64位大端平台上没有网络掩码的IP地址导致规则不匹配。</Description>      <name>apache httpd：允许/拒绝对大端64位平台进行解析（CVE-2003-0993）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101092" id="101092" modified="2016-05-27" published="2004-03-29" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2004-05-03</id>         
             <id name="BID">9826</id>         
             <id name="CONECTIVA">CLSA-2004:839</id>         
             <id name="CVE">CVE-2004-0113</id>         
             <id name="MANDRAKE">MDKSA-2004:043</id>         
             <id name="OVAL">OVAL876</id>         
             <id name="REDHAT">RHSA-2004:084</id>         
             <id name="REDHAT">RHSA-2004:182</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">15419</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.49</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
Apache CVS版本已经修正此漏洞： 
&lt;a href=&quot; 
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.117&amp;r2=1.118&quot; target=&quot;_blank&quot;&gt; 
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.117&amp;r2=1.118&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200403-137</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>只有当它运行下列模块之一，受影响的资产很容易受到此漏洞影响： mod_ssl。审查验证您的Web服务器配置。mod_ssl中的内存泄漏允许远程拒绝对启用了SSL的服务器服务攻击通过发送HTTP请求到SSL端口。</Description>      <name>Apache HTTPD: mod_ssl 内存泄漏 (CVE-2004-0113)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101093" id="101093" modified="2015-02-13" published="2004-05-04" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2004-05-03</id>         
             <id name="BID">9921</id>         
             <id name="CERT-VN">132110</id>         
             <id name="CVE">CVE-2004-0174</id>         
             <id name="MANDRAKE">MDKSA-2004:046</id>         
             <id name="OVAL">OVAL100110</id>         
             <id name="OVAL">OVAL1982</id>         
             <id name="REDHAT">RHSA-2004:405</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">15540</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.31</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.49</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Upgrade Apache httpd 2.0.49 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200405-010</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>在监听套接字短缺问题时，当上很少访问的监听套接字一个短暂的连接会使孩子接受互斥体和阻挡新的连接，直到另一个连接到达很少访问的监听套接字。已知此问题会影响某些版本的AIX，Solaris和Tru64上的;已知的是，不影响的FreeBSD或Linux。</Description>      <name>apache httpd：监听套接字短缺（CVE-2004-0174）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101094" id="101094" modified="2013-08-22" published="2004-07-07" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">10355</id>         
             <id name="CVE">CVE-2004-0488</id>         
             <id name="DEBIAN">DSA-532</id>         
             <id name="MANDRAKE">MDKSA-2004:054</id>         
             <id name="MANDRAKE">MDKSA-2004:055</id>         
             <id name="OVAL">OVAL11458</id>         
             <id name="REDHAT">RHSA-2004:245</id>         
             <id name="REDHAT">RHSA-2004:342</id>         
             <id name="REDHAT">RHSA-2004:405</id>         
             <id name="REDHAT">RHSA-2005:816</id>         
             <id name="SGI">20040605-01-U</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">16214</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.50</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本： 
&lt;a href=&quot; 
http://www.modssl.org/&quot; target=&quot;_blank&quot;&gt; 
http://www.modssl.org/&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200407-016</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>只有当它运行下列模块之一，受影响的资产很容易受到此漏洞影响：mod_ssl。审查验证您的Web服务器配置。可通过使用受信任的客户端证书的攻击者利用mod_ssl FakeBasicAuth代码中存在的缓冲区溢出漏洞。</Description>      <name>Apache HTTPD: FakeBasicAuth溢出 (CVE-2004-0488)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101095" id="101095" modified="2015-02-13" published="2004-08-06" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CERT-VN">541310</id>         
             <id name="CVE">CVE-2004-0492</id>         
             <id name="DEBIAN">DSA-525</id>         
             <id name="MANDRAKE">MDKSA-2004:065</id>         
             <id name="OVAL">OVAL100112</id>         
             <id name="OVAL">OVAL4863</id>         
             <id name="REDHAT">RHSA-2004:245</id>         
             <id name="SGI">20040605-01-U</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">16387</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.26</low>                     
                               <high inclusive="0">1.3.32</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
* Georgi Guninski提供如下第三方补丁： 
------------------------------------- 
diff -u apache_1.3.31/src/modules/proxy/proxy_util.c apache_1.3.31my/src/modules/proxy/proxy_util.c 
--- apache_1.3.31/src/modules/proxy/proxy_util.c Tue Feb 17 23:52:22 2004 
+++ apache_1.3.31my/src/modules/proxy/proxy_util.c Tue Jun 8 11:24:15 2004 
@@ -545,8 +545,8 @@ 
 n = ap_bread(f, buf, buf_size); 
 } 
 else { 
- n = ap_bread(f, buf, MIN((int)buf_size, 
- (int)(len - total_bytes_rcvd))); 
+ n = ap_bread(f, buf, MIN((size_t)buf_size, 
+ (size_t)(len - total_bytes_rcvd))); 
 } 
 } 
------------------------------------- 
或者CNNVD建议您不要打开mod_proxy模块。 
厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Index: src/CHANGES 
=================================================================== 
RCS file: /home/cvs/apache-1.3/src/CHANGES,v 
retrieving revision 1.1942 
diff -u -p -u -r1.1942 CHANGES 
--- src/CHANGES 2 Jun 2004 22:49:03 -0000 1.1942 
+++ src/CHANGES 9 Jun 2004 15:58:44 -0000 
@@ -1,5 +1,9 @@ 
 Changes with Apache 1.3.32 
 
+ *) SECURITY: CAN-2004-0492 (cve.mitre.org) 
+ Reject responses from a remote server if sent an invalid (negative) 
+ Content-Length. [Mark Cox] 
+ 
 *) Fix a bunch of cases where the return code of the regex compiler 
 was not checked properly. This affects mod_usertrack and 
 core. PR 28218. [Andr?Malo] 
Index: src/modules/proxy/proxy_http.c 
=================================================================== 
RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v 
retrieving revision 1.106 
diff -u -p -u -r1.106 proxy_http.c 
--- src/modules/proxy/proxy_http.c 29 Mar 2004 17:47:15 -0000 1.106 
+++ src/modules/proxy/proxy_http.c 8 Jun 2004 14:23:05 -0000 
@@ -485,6 +485,13 @@ int ap_proxy_http_handler(request_rec *r 
 content_length = ap_table_get(resp_hdrs, &quot;Content-Length&quot;); 
 if (content_length != NULL) { 
 c-&gt;len = ap_strtol(content_length, NULL, 10); 
+ 
+ if (c-&gt;len &lt; 0) { 
+ ap_kill_timeout(r); 
+ return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r-&gt;pool, 
+ &quot;Invalid Content-Length from remote server&quot;, 
+ NULL)); 
+ } 
 } 
 
 }</Solutions>      <cnnvd>CNNVD-200408-092</cnnvd>      <cvsscode>10.0</cvsscode>      <severity>Critical</severity>      <Description>只有当它运行下列模块之一，受影响的资产很容易受到此漏洞影响：mod_proxy和攻击者可使Apache服务器作为代理配置连接到恶意站点。审查验证您的Web服务器配置。在Apache代理模块、mod_proxy中发现缓冲区溢出，这可通过接收一个无效的Content-Length标头被触发。为了利用此问题，攻击者需要获取访问被配置为代理连接到一个恶意站点的Apache安装。这将导致处理请求的Apache子进程崩溃。此问题可能导致在一些BSD平台上执行远程任意代码。</Description>      <name>Apache HTTPD: mod_proxy的缓冲区溢出(CVE-2004-0492)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101096" id="101096" modified="2013-08-22" published="2004-08-06" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">10619</id>         
             <id name="CVE">CVE-2004-0493</id>         
             <id name="MANDRAKE">MDKSA-2004:064</id>         
             <id name="OVAL">OVAL10605</id>         
             <id name="REDHAT">RHSA-2004:342</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">16524</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.50</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
* Georgi Guninski提供如下第三方补丁： 
---------------------------------- 
Index: server/protocol.c 
=============================================== 
RCS file: /home/cvspublic/httpd-2.0/server/protocol.c,v 
retrieving revision 1.148 
diff -u -r1.148 protocol.c 
--- server/protocol.c 22 Apr 2004 22:38:03 -0000 1.148 
+++ server/protocol.c 13 Jun 2004 19:47:36 -0000 
@@ -716,6 +716,23 @@ 
 * continuations that span many many lines. 
 */ 
 apr_size_t fold_len = last_len + len + 1; /* trailing null */ 
+ 
+ if ((fold_len - 1) &gt; r-&gt;server-&gt;limit_req_fieldsize) { 
+ r-&gt;status = HTTP_BAD_REQUEST; 
+ /* report what we have accumulated so far before the 
+ * overflow (last_field) as the field with the problem 
+ */ 
+ apr_table_setn(r-&gt;notes, &quot;error-notes&quot;, 
+ apr_pstrcat(r-&gt;pool, 
+ &quot;Size of a request header field &quot; 
+ &quot;after folding &quot; 
+ &quot;exceeds server limit. 
\n&quot; 
+ &quot;&lt;pre&gt;\n&quot;, 
+ ap_escape_html(r-&gt;pool, last_field), 
+ &quot;&lt;/pre&gt;\n&quot;, NULL)); 
+ return; 
+ } 
+ 
 if (fold_len &gt; alloc_len) { 
 char *fold_buf; 
 alloc_len += alloc_len; 
---------------------------------- 
厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://jakarta.apache.org/tomcat/index.html&quot; target=&quot;_blank&quot;&gt; 
http://jakarta.apache.org/tomcat/index.html&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200408-043</cnnvd>      <cvsscode>6.4</cvsscode>      <severity>Severe</severity>      <Description>远程触发的HTTP标头解析中的内存泄漏远程由于内存消耗过多可能引发拒绝服务攻击。</Description>      <name>Apache HTTPD: 标头分析内存泄漏 (CVE-2004-0493)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101097" id="101097" modified="2015-02-13" published="2004-10-20" version="2.0">      
        
        
        <cvss>(AV:L/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CERT-VN">481998</id>         
             <id name="CVE">CVE-2004-0747</id>         
             <id name="MANDRAKE">MDKSA-2004:096</id>         
             <id name="OVAL">OVAL11561</id>         
             <id name="REDHAT">RHSA-2004:463</id>         
             <id name="SUSE">SUSE-SA:2004:032</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">17384</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.51</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache Software Foundation 
-------------------------- 
Apache 2.0.51已经修正此问题： 
&lt;a href=&quot; 
http://httpd.apache.org/&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/&lt;/a&gt; 
针对Apache 2.0.x可使用如下补丁： 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200410-040</cnnvd>      <cvsscode>4.6</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有在本地用户可以强制解析特制.htaccess文件。审查验证您的Web服务器配置。解析配置文件时，在环境变量扩展中发现缓冲区溢出。此问题可能允许本地用户获取访问httpd子节点的特权，如果服务器被迫解析本地用户所写的特制的.htaccess文件。</Description>      <name>apache httpd：环境变量扩展漏洞（CVE-2004-0747）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101098" id="101098" modified="2013-08-22" published="2004-10-20" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2004-0748</id>         
             <id name="MANDRAKE">MDKSA-2004:096</id>         
             <id name="OVAL">OVAL11126</id>         
             <id name="REDHAT">RHSA-2004:349</id>         
             <id name="SUSE">SUSE-SA:2004:030</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">17200</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.51</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
* 如下补丁实现在Apache CVS中： 
--- httpd-2.0/modules/ssl/ssl_engine_io.c 2004/07/13 18:11:22 1.124 
+++ httpd-2.0/modules/ssl/ssl_engine_io.c 2004/08/11 13:19:24 1.125 
@@ -589,6 +589,10 @@ 
while (1) { 
if (!inctx-&gt;filter_ctx-&gt;pssl) { 
+ /* Ensure a non-zero error code is returned */ 
+ if (inctx-&gt;rc == APR_SUCCESS) { 
+ inctx-&gt;rc = APR_EGENERAL; 
+ } 
break; 
} 
厂商补丁： 
RedHat 
------ 
RedHat已经为此发布了一个安全公告(RHSA-2004:349-01)以及相应补丁: 
RHSA-2004:349-01：Updated httpd packages fix mod_ssl security flaw 
链接：&lt;a href=&quot; 
http://www.auscert.org.au/render.html?it=4356&quot; target=&quot;_blank&quot;&gt; 
http://www.auscert.org.au/render.html?it=4356&lt;/a&gt; 
补丁下载： 
Red Hat Enterprise Linux AS version 3: 
SRPMS: 
&lt;a href=&quot;ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-38.ent.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-38.ent.src.rpm&lt;/a&gt; 
1988340a6e8be0c63b10c388b1243569 httpd-2.0.46-38.ent.src.rpm 
i386: 
a5b8f9a72302e14c0f410f7f83a39d32 httpd-2.0.46-38.ent.i386.rpm 
d8b74b3477300b5a4a156c59f5e0d4a5 httpd-devel-2.0.46-38.ent.i386.rpm 
8f734e5757c8c897cf71a6109af7d632 mod_ssl-2.0.46-38.ent.i386.rpm 
ia64: 
d5ac022099d9b76006e823a3f9c07c69 httpd-2.0.46-38.ent.ia64.rpm 
3a66d83595e19843fcf552fd07bcfe29 httpd-devel-2.0.46-38.ent.ia64.rpm 
3c4d1bfb5b407da142c515d32782ec02 mod_ssl-2.0.46-38.ent.ia64.rpm 
ppc: 
bc92043b213069bcf78aad0dffad74b4 httpd-2.0.46-38.ent.ppc.rpm 
b9156531a43492b3a5504375104fa473 httpd-devel-2.0.46-38.ent.ppc.rpm 
62593d85534ce48a38efa04fa7fa0b99 mod_ssl-2.0.46-38.ent.ppc.rpm 
s390: 
b8e7476c417c7eba2b46704fa446216c httpd-2.0.46-38.ent.s390.rpm 
30f45622c9de74914983c0a31f638c16 httpd-devel-2.0.46-38.ent.s390.rpm 
4d3abcba4b77 
可使用下列命令安装补丁： 
rpm -Fvh [文件名] 
Apache 
------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Upgrade httpd-2.0.51.tar.gz 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/httpd-2.0.51.tar.gz&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/httpd-2.0.51.tar.gz&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200410-045</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的攻击，仅当其运行下列模块当中的一个mod_ssl时：审查验证您的Web服务器配置。在Apache 2.0版本的mod_ssl模块中发现一个漏洞。以某种特殊状态强制ssl连接中断的远程攻击者，可能导致Apache子进程陷入死循环，从而消耗CPU资源。</Description>      <name>apache httpd：SSL连接无限循环（CVE-2004-0748）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101099" id="101099" modified="2013-08-22" published="2004-10-20" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2004-0751</id>         
             <id name="MANDRAKE">MDKSA-2004:096</id>         
             <id name="OVAL">OVAL11864</id>         
             <id name="REDHAT">RHSA-2004:463</id>         
             <id name="SUSE">SUSE-SA:2004:030</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">17273</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.44</low>                     
                               <high inclusive="0">2.0.51</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache 
------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Upgrade httpd-2.0.51.tar.gz 
&lt;a href=&quot; 
http://www.apache.org/dist/httpd/httpd-2.0.51.tar.gz&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/httpd-2.0.51.tar.gz&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200410-079</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_ssl与服务器被配置为允许代理到远程SSL服务器。审查验证您的Web服务器配置。在Apache 2.0.44-2.0.50版本mod_ssl模块中发现一个问题，如果服务器被配置为允许代理到SSL的远程服务器，它可以被触发。恶意的远程SSL服务器可能会迫使httpd子节点发送一个特制的响应头崩溃。不认为此问题允许执行任意代码，只会导致拒绝服务，其中一个线程处理模型在使用中。</Description>      <name>apache httpd：恶意SSL代理可能会导致死机（CVE-2004-0751）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101100" id="101100" modified="2015-02-13" published="2004-10-20" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2004-0786</id>         
             <id name="MANDRAKE">MDKSA-2004:096</id>         
             <id name="OVAL">OVAL11380</id>         
             <id name="REDHAT">RHSA-2004:463</id>         
             <id name="SUSE">SUSE-SA:2004:032</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">17382</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.51</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
MandrakeSoft 
------------ 
MandrakeSoft已经为此发布了一个安全公告(MDKSA-2004:096)以及相应补丁: 
MDKSA-2004:096：Updated apache2 packages fix multiple vulnerabilities 
链接：&lt;a href=&quot; 
http://www.linux-mandrake.com/en/security/2004/2004-096.php&quot; target=&quot;_blank&quot;&gt; 
http://www.linux-mandrake.com/en/security/2004/2004-096.php&lt;/a&gt; 
补丁下载： 
Updated Packages: 
Mandrakelinux 10.0: 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-common-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-common-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-devel-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-devel-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-manual-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-manual-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_cache-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_cache-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_dav-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_dav-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_deflate-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_deflate-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_ldap-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_ldap-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_proxy-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_proxy-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_ssl-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-mod_ssl-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-modules-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-modules-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-source-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/apache2-source-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libapr0-2.0.48-6.6.100mdk.i586.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libapr0-2.0.48-6.6.100mdk.i586.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/apache2-2.0.48-6.6.100mdk.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/apache2-2.0.48-6.6.100mdk.src.rpm&lt;/a&gt; 
Mandrakelinux 10.0/AMD64: 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-common-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-common-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-devel-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-devel-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-manual-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-manual-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_cache-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_cache-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_dav-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_dav-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_deflate-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_deflate-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_ldap-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_ldap-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_proxy-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_proxy-2.0.48-6.6.100mdk.amd64.rpm&lt;/a&gt; 
&lt;a href=&quot;ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/apache2-mod_ssl-2.0.48-6.6.100mdk.amd64.rpm&quot; target=&quot;_blank&quot;&gt;ft</Solutions>      <cnnvd>CNNVD-200410-075</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>使用由Apache软件基金会安全组执行和Red Hat在APR-util的库IPv6的URI语法分析程序，对输入验证问题Codenomicon的HTTP测试工具进行测试。如果远程攻击者发送包括一个特制的URI请求，httpd的子进程可导致崩溃。其中一些BSD系统据信这种漏洞可导致远程执行代码。</Description>      <name>Apache HTTPD: IPv6的URI解析堆溢出 (CVE-2004-0786)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101101" id="101101" modified="2019-05-09" published="2004-09-16" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2004-0809</id>         
             <id name="DEBIAN">DSA-558</id>         
             <id name="MANDRAKE">MDKSA-2004:096</id>         
             <id name="OVAL">OVAL9588</id>         
             <id name="REDHAT">RHSA-2004:463</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">17366</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.51</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
RedHat 
------ 
RedHat已经为此发布了一个安全公告(RHSA-2004:463-01)以及相应补丁: 
RHSA-2004:463-01：Updated httpd packages fix security issues 
链接：&lt;a href=&quot; 
http://www-1.ibm.com/services/continuity/recover1.nsf/mss/MSS-OAR-E01-2004.1390.1&quot; target=&quot;_blank&quot;&gt; 
http://www-1.ibm.com/services/continuity/recover1.nsf/mss/MSS-OAR-E01-2004.1390.1&lt;/a&gt; 
补丁下载： 
Red Hat Enterprise Linux AS version 3: 
SRPMS: 
&lt;a href=&quot;ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-40.ent.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-40.ent.src.rpm&lt;/a&gt; 
118b25881f9cc755586a3430495c84be httpd-2.0.46-40.ent.src.rpm 
i386: 
d0997b36caf1390e26ab722ff69ae574 httpd-2.0.46-40.ent.i386.rpm 
47d37e2130e1e70d3c6183228a4e26da httpd-devel-2.0.46-40.ent.i386.rpm 
31444c51fd279bb9eaeb7dd1a1e3682e mod_ssl-2.0.46-40.ent.i386.rpm 
ia64: 
003b65f1afe4338b0ca0a8f943e04cdc httpd-2.0.46-40.ent.ia64.rpm 
5173c129ff5c7e6f6bda97e062d5d24e httpd-devel-2.0.46-40.ent.ia64.rpm 
8f0189f714f484683c9cdcbda9246db1 mod_ssl-2.0.46-40.ent.ia64.rpm 
ppc: 
ba15fb395941153af8a1948e815a7766 httpd-2.0.46-40.ent.ppc.rpm 
2c0fea7d2609184e9c83f217467d6604 httpd-devel-2.0.46-40.ent.ppc.rpm 
47af970958b311d847c371f613598860 mod_ssl-2.0.46-40.ent.ppc.rpm 
s390: 
665d880863e1b6d42b781c4bdf669dbc httpd-2.0.46-40.ent.s390.rpm 
fb62b8c10de648d5bcc47e02283e08e2 httpd-devel-2.0.46-40.ent.s390.rpm 
b76e2e9b285be2a504d2bbf0891d8d61 mod_ssl-2.0.46-40.ent.s390.rpm 
s390x: 
7b4e52ec167fcdc9a28ee182665cafb6 httpd-2.0.46-40.ent.s390x.rpm 
5f22b40c3cc27953d3395c2ba7a025dd httpd-devel-2.0.46-40.ent.s390x.rpm 
499cd6bba360fba292653ec177804487 mod_ssl-2.0.46-40.ent.s390x.rpm 
x86_64: 
571a7b24d4db094924f85f1941864acb httpd-2.0.46-40.ent.x86_64.rpm 
8ea0c717fcfc72fbf1c0c9b63feaddd8 httpd-devel-2.0.46-40.ent.x86_64.rpm 
18beb0b00ff24f5e4065cbb3f96e041d mod_ssl-2.0.46-40.ent.x86_64.rpm 
Red Hat Desktop version 3: 
SRPMS: 
&lt;a href=&quot;ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/httpd-2.0.46-40.ent.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/httpd-2.0.46-40.ent.src.rpm&lt;/a&gt; 
118b25881f9cc755586a3430495c84be httpd-2.0.46-40.ent.src.rpm 
i386: 
d0997b36caf1390e26ab722ff69ae574 httpd-2.0.46-40.ent.i386.rpm 
47d37e2130e1e70d3c6183228a4e26da httpd-devel-2.0.46-40.ent.i386.rpm 
31444c51fd279bb9eaeb7dd1a1e3682e mod_ssl-2.0.46-40.ent.i386.rpm 
x86_64: 
571a7b24d4db094924f85f1941864acb httpd-2.0.46-40.ent.x86_64.rpm 
8ea0c717fcfc72fbf1c0c9b63feaddd8 httpd-devel-2.0.46-40.ent.x86_64.rpm 
18beb0b00ff24f5e4065cbb3f96e041d mod_ssl-2.0.46-40.ent.x86_64.rpm 
Red Hat Enterprise Linux ES version 3: 
SRPMS: 
&lt;a href=&quot;ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-40.ent.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-40.ent.src.rpm&lt;/a&gt; 
118b25881f9cc755586a3430495c84be httpd-2.0.46-40.ent.src.rpm 
i386: 
d0997b36caf1390e26ab722ff69ae574 httpd-2.0.46-40.ent.i386.rpm 
47d37e2130e1e70d3c6183228a4e26da httpd-devel-2.0.46-40.ent.i386.rpm 
31444c51fd279bb9eaeb7dd1a1e3682e mod_ssl-2.0.46-40.ent.i386.rpm 
ia64: 
003b65f1afe4338b0ca0a8f943e04cdc httpd-2.0.46-40.ent.ia64.rpm 
5173c129ff5c7e6f6bda97e062d5d24e httpd-devel-2.0.46-40.ent.ia64.rpm 
8f0189f714f484683c9cdcbda9246db1 mod_ssl-2.0.46-40.ent.ia64.rpm 
x86_64: 
571a7b24d4db094924f85f1941864acb httpd-2.0.46-40.ent.x86_64.rpm 
8ea0c717fcfc72fbf1c0c9b63feaddd8 httpd-devel-2.0.46-40.ent.x86_64.rpm 
18beb0b00ff24f5e4065cbb3f96e041d mod_ssl-2.0.46-40.ent.x86_64.rpm 
Red Hat Enterprise Linux WS version 3: 
SRPMS: 
&lt;a href=&quot;ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-40.ent.src.rpm&quot; target=&quot;_blank&quot;&gt;ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-40.ent.src.rpm&lt;/a&gt; 
118b25881f9cc755586a3430495c84be httpd-2.0.46-40.ent.src.rpm 
i386: 
d0997b36caf1390e26ab722ff69ae574 httpd-2.0.46-40.ent.i386.rpm 
47d37e2130e1e70d3c6183228a4e26da httpd-devel-2.0.46-40.ent.i386.rpm 
31444c51fd279bb9eaeb7dd1a1e3682e mod_ssl-2.0.46-40.ent.i386.rpm 
ia64: 
003b65f1afe4338b0ca0a8f943e04cdc httpd-2.0.46-40.ent.ia64.rpm 
5173c129ff5c7e6f6bda97e062d5d24e httpd-devel-2.0.46-40.ent.ia64.rpm 
8f0189f714f484683c9cdcbda9246db1 mod_ssl-2.0.46-40.ent.ia64.rpm 
x86_64: 
571a7b24d4db094924f85f1941864acb httpd-2.0.46-40.ent.x86_64.rpm 
8ea0c717fcfc72fbf1c0c9b63feaddd8 httpd-devel-2.0.46-40.ent.x86_64.rpm 
18beb0b00ff24f5e4065cbb3f96e041d mod_ssl-2.0.46-40.ent.x86_64.rpm 
Apache Software Foundation 
-------------------------- 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Apache Software Foundation Apache 2.0.50: 
 Apache Software Foundation Upgrade httpd-2.0.51.tar.gz 
 &lt;a href=&quot; 
http://www.apache.org/dist/httpd/httpd-2.0.51.tar.gz&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/dist/httpd/httpd-2.0.51.tar.gz&lt;/a&gt; 
Gentoo 
------ 
Gentoo已经为此发布了一个安全公告(GLSA-200409-21)以及相应补丁: 
GLSA-200409-21：Apache 2, mod_dav: Multiple vulnerabilities 
链接：&lt;a href=&quot; 
http://security.gentoo.org/glsa/glsa-200409-21.xml&quot; target=&quot;_blank&quot;&gt; 
http://security.gentoo.org/glsa/glsa-200409-21.xml&lt;/a&gt; 
 emerge sync 
 emerge -pv &quot;&gt;=net-www/apache-2.0.51&quot; 
 emerge &quot;&gt;=net-www/apache-2.0.51&quot; 
 emerge -pv &quot;&gt;=net-www/mod_dav-1.0.3-r2&quot; 
 emerge &quot;&gt;=net-www/mod_dav-1.0.3-r2&quot;</Solutions>      <cnnvd>CNNVD-200409-043</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：授权使用此位置上锁定方法的攻击者，在此位置上配置WebDAV授权访问。 审查验证您的Web服务器配置。在mod_dav模块中发现的问题被触发。它被授权使用LOCK方法可能会迫使一个httpd的子进程恶意的远程客户端通过发送锁定请求特定序列崩溃。此问题不允许执行任意代码。只会导致拒绝服务，其中一个线程处理模型在使用中。</Description>      <name>apache httpd：APR远程崩溃（CVE-2003-0245）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101102" id="101102" modified="2013-08-22" published="2004-12-31" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">11239</id>         
             <id name="CVE">CVE-2004-0811</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">17473</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.51</low>                     
                               <high inclusive="0">2.0.52</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
 --- httpd-2.0/server/core.c 2004/08/31 08:16:56 1.225.2.27 
+++ httpd-2.0/server/core.c 2004/09/21 13:21:16 1.225.2.28 
@@ -351,9 +351,13 @@ 
 /* Otherwise we simply use the base-&gt;sec_file array 
 */ 
 
+ /* use a separate -&gt;satisfy[] array either way */ 
+ conf-&gt;satisfy = apr_palloc(a, sizeof(*conf-&gt;satisfy) * METHODS); 
 for (i = 0; i &lt; METHODS; ++i) { 
 if (new-&gt;satisfy[i] != SATISFY_NOSPEC) { 
 conf-&gt;satisfy[i] = new-&gt;satisfy[i]; 
+ } else { 
+ conf-&gt;satisfy[i] = base-&gt;satisfy[i]; 
 } 
 } 
厂商补丁： 
Apache Group 
------------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
&lt;a href=&quot; 
http://httpd.apache.org/download.cgi&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/download.cgi&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200412-526</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产很容易受到此漏洞影响，仅当使用Satisfy指令控制授权的时候。审查验证您的Web服务器配置。一个在Apache 2.0.51（只）的漏洞打破Satisfy指令的合并，这可能导致会被授予访问资源尽管存在配置身份的验证。</Description>      <name>apache httpd：基本身份验证绕过（CVE-2004-0811）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101103" id="101103" modified="2015-02-13" published="2004-11-03" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2005-08-15</id>         
             <id name="APPLE">APPLE-SA-2005-08-17</id>         
             <id name="BID">11360</id>         
             <id name="CVE">CVE-2004-0885</id>         
             <id name="OVAL">OVAL10384</id>         
             <id name="REDHAT">RHSA-2004:562</id>         
             <id name="REDHAT">RHSA-2004:600</id>         
             <id name="REDHAT">RHSA-2005:816</id>         
             <id name="REDHAT">RHSA-2008:0261</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">17671</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.53</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商补丁： 
Apache 
------ 
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载升级到Apache mod_ssl 2.0.53-dev： 
&lt;a href=&quot; 
http://httpd.apache.org/&quot; target=&quot;_blank&quot;&gt; 
http://httpd.apache.org/&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200411-033</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_ssl的和mod_ssl的当在指令或位置环境中配置为使用SSL密码套件审查验证您的Web服务器配置。当在指令或位置环境中配置为使用SSL密码套件时，在mod_ssl模块中发现一个问题。如果特定的位置环境已配置为需要一组特定的密码套件，那么客户端将能够访问虚拟主机配置允许的使用任何加密套件的位置。</Description>      <name>apache httpd：SSL密码套件绕过CVE-2004-0885）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101104" id="101104" modified="2015-02-13" published="2005-02-09" version="2.0">      
        
        
        <cvss>(AV:L/AC:M/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">11471</id>         
             <id name="CVE">CVE-2004-0940</id>         
             <id name="DEBIAN">DSA-594</id>         
             <id name="MANDRAKE">MDKSA-2004:134</id>         
             <id name="REDHAT">RHSA-2004:600</id>         
             <id name="REDHAT">RHSA-2005:816</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">17785</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.33</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商还没有提供补丁或者升级程序，建议使用此软件的用户随时关注厂商的主页以获取最新版本： 
http://httpd.apache.org/</Solutions>      <cnnvd>CNNVD-200502-029</cnnvd>      <cvsscode>6.9</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_include和本地用户被授权创建服务器端包含（SSI）文件。审查验证您的Web服务器配置。mod_include中的缓冲区溢出可能允许被授权的本地用户创建服务器端包含（SSI）文件，以获取httpd子节点的权限。</Description>      <name>apache httpd：mod_include溢出（CVE-2004-0940）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101105" id="101105" modified="2015-02-13" published="2005-02-09" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2005-08-15</id>         
             <id name="APPLE">APPLE-SA-2005-08-17</id>         
             <id name="CVE">CVE-2004-0942</id>         
             <id name="MANDRAKE">MDKSA-2004:135</id>         
             <id name="OVAL">OVAL10962</id>         
             <id name="REDHAT">RHSA-2004:562</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">17930</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.53</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://httpd.apache.org/</Solutions>      <cnnvd>CNNVD-200502-041</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞影响仅如果攻击者能够发送大量数据到受影响的资产。审查验证您的Web服务器配置。发现一个问题，在此问题中没有强制限制某些恶意请求的字段长度。这可能允许能够发送大量数据至服务器的远程攻击者使Apache子节点消耗一定比例数量的内存，导致拒绝服务。</Description>      <name>apache httpd：内存消耗拒绝服务（CVE-2004-0942）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101106" id="101106" modified="2016-05-27" published="2004-03-20" version="2.0">      
        
        
        <cvss>(AV:L/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">9933</id>         
             <id name="CVE">CVE-2004-1834</id>         
             <id name="OVAL">OVAL11133</id>         
             <id name="REDHAT">RHSA-2004:562</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">15547</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.53</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>临时解决方法： 
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁： 
* Andreas Steinmetz &lt;&lt;a href=&quot;mailto:ast@domdv.de&quot;&gt;ast@domdv.de&lt;/a&gt;&gt;提供的第三方补丁如下： 
diff -rNu httpd-2.0.49.orig/modules/experimental/cache_util.c httpd-2.0.49/modules/experimental/cache_util.c 
--- httpd-2.0.49.orig/modules/experimental/cache_util.c 2004-02-09 21:53:16.000000000 
+0100 
+++ httpd-2.0.49/modules/experimental/cache_util.c 2004-03-20 15:55:51.000000000 +0100 
@@ -516,3 +516,25 @@ 
 apr_table_unset(headers_out, &quot;Upgrade&quot;); 
 return headers_out; 
 } 
+ 
+/* Create a new table consisting of those elements from a request_rec's 
+ * headers_in that are allowed to be stored in a cache. 
+ */ 
+CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_in(request_rec *r) 
+{ 
+ /* Make a copy of the request headers, and remove from 
+ * the copy any hop-by-hop headers, as defined in Section 
+ * 13.5.1 of RFC 2616 
+ */ 
+ apr_table_t *headers_in; 
+ headers_in = apr_table_copy(r-&gt;pool, r-&gt;headers_in); 
+ apr_table_unset(headers_in, &quot;Connection&quot;); 
+ apr_table_unset(headers_in, &quot;Keep-Alive&quot;); 
+ apr_table_unset(headers_in, &quot;Proxy-Authenticate&quot;); 
+ apr_table_unset(headers_in, &quot;Proxy-Authorization&quot;); 
+ apr_table_unset(headers_in, &quot;TE&quot;); 
+ apr_table_unset(headers_in, &quot;Trailers&quot;); 
+ apr_table_unset(headers_in, &quot;Transfer-Encoding&quot;); 
+ apr_table_unset(headers_in, &quot;Upgrade&quot;); 
+ return headers_in; 
+} 
diff -rNu httpd-2.0.49.orig/modules/experimental/mod_cache.h httpd-2.0.49/modules/experimental/mod_cache.h 
--- httpd-2.0.49.orig/modules/experimental/mod_cache.h 2004-02-09 21:53:16.000000000 
+0100 
+++ httpd-2.0.49/modules/experimental/mod_cache.h 2004-03-20 15:55:51.000000000 +0100 
@@ -238,6 +238,11 @@ 
 */ 
 CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_out(apr_pool_t *pool, apr_table_t 
*t); 
 
+/* Create a new table consisting of those elements from a request_rec's 
+ * headers_in that are allowed to be stored in a cache 
+ */ 
+CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_in(request_rec *r); 
+ 
 /** 
 * cache_storage.c 
 */ 
diff -rNu httpd-2.0.49.orig/modules/experimental/mod_disk_cache.c httpd-2.0.49/modules/experimental/mod_disk_cache.c 
--- httpd-2.0.49.orig/modules/experimental/mod_disk_cache.c 2004-02-09 21:53:16.000000000 
+0100 
+++ httpd-2.0.49/modules/experimental/mod_disk_cache.c 2004-03-20 15:55:51.000000000 
+0100 
@@ -600,8 +600,9 @@ 
 /* @@@ Some day, not today. */ 
 if (r-&gt;headers_in) { 
 int i; 
- apr_table_entry_t *elts = (apr_table_entry_t *) apr_table_elts(r-&gt;headers_in)- 
&gt;elts; 
- for (i = 0; i &lt; apr_table_elts(r-&gt;headers_in)-&gt;nelts; ++i) { 
+ apr_table_t* headers_in = ap_cache_cacheable_hdrs_in(r); 
+ apr_table_entry_t *elts = (apr_table_entry_t *) apr_table_elts(headers_in)- 
&gt;elts; 
+ for (i = 0; i &lt; apr_table_elts(headers_in)-&gt;nelts; ++i) { 
 if (elts[i].key != NULL) { 
 buf = apr_pstrcat(r-&gt;pool, elts[i].key, &quot;: &quot;, elts[i].val, CRLF, 
NULL); 
 amt = strlen(buf); 
厂商补丁： 
Apache Software Foundation 
-------------------------- 
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本： 
&lt;a href=&quot; 
http://www.apache.org/&quot; target=&quot;_blank&quot;&gt; 
http://www.apache.org/&lt;/a&gt;</Solutions>      <cnnvd>CNNVD-200403-091</cnnvd>      <cvsscode>2.1</cvsscode>      <severity>Moderate</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_disk_cache。审查验证您的Web服务器配置。实验mod_disk_cache模块存储客户端身份验证凭据缓存对象，如磁盘代理身份验证凭据和基本身份验证密码。</Description>      <name>Apache HTTPD: mod_disk_cache存储敏感标头 (CVE-2004-1834)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101107" id="101107" modified="2015-02-13" published="2005-08-05" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">14366</id>         
             <id name="CVE">CVE-2005-1268</id>         
             <id name="DEBIAN">DSA-805</id>         
             <id name="MANDRAKE">MDKSA-2005:129</id>         
             <id name="OVAL">OVAL1346</id>         
             <id name="OVAL">OVAL1714</id>         
             <id name="OVAL">OVAL1747</id>         
             <id name="OVAL">OVAL9589</id>         
             <id name="REDHAT">RHSA-2005:582</id>         
             <id name="SUSE">SUSE-SA:2005:046</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.55</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Sun Solaris 10 
Sun T120543-02 
http://sunsolve.sun.com/pub-cgi/tpatchDownload.pl?dl.d,T120543-02.zip 
HP HP-UX B.11.11 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
Sun Solaris 10.0_x86 
Sun T120544-02 
http://sunsolve.sun.com/pub-cgi/tpatchDownload.pl?dl.d,T120544-02.zip 
HP HP-UX B.11.23 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
HP HP-UX B.11.11 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
HP HP-UX B.11.00 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
HP HP-UX 11.0 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
HP HP-UX 11.11 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
HP HP-UX 11.23 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
SmoothWall Express 2.0 
SmoothWall 2.0-fixes8.tar.gz 
http://downloads.smoothwall.org/updates/2.0/2.0-fixes8.tar.gz 
Apache Software Foundation Apache 2.0.46 
Apache Software Foundation httpd-2.0.55.tar.gz 
http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz 
</Solutions>      <cnnvd>CNNVD-200508-067</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_ssl和Apache服务器配置为使用恶意证书吊销列表。审查验证您的Web服务器配置。在mod_ssl的CRL验证回调中发现一个off-by-one堆溢出。为了利用此问题，Apache服务器需被配置为使用恶意证书吊销列表（CRL）</Description>      <name>apache httpd：恶意CRLoff-by-one（CVE-2005-1268）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101108" id="101108" modified="2015-02-13" published="2005-07-05" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2005-11-29</id>         
             <id name="BID">14106</id>         
             <id name="BID">15647</id>         
             <id name="CVE">CVE-2005-2088</id>         
             <id name="DEBIAN">DSA-803</id>         
             <id name="DEBIAN">DSA-805</id>         
             <id name="OVAL">OVAL11452</id>         
             <id name="OVAL">OVAL1237</id>         
             <id name="OVAL">OVAL1526</id>         
             <id name="OVAL">OVAL1629</id>         
             <id name="OVAL">OVAL840</id>         
             <id name="REDHAT">RHSA-2005:582</id>         
             <id name="SUSE">SUSE-SA:2005:046</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.55</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://httpd.apache.org/</Solutions>      <cnnvd>CNNVD-200507-041</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞影响，如果仅Apache作为HTTP代理。审查验证您的Web服务器配置。当使用Apache服务器作为HTTP代理时产生一个漏洞。远程攻击者可发送具有＆QUOT一个HTTP请求;传输编码：分块＆QUOT;头和一个Content-Length头，造成Apache错误地处理和转发请求主体从而使接收的服务器作为一个单独的HTTP请求来处理。这可能绕过Web应用防火墙保护或导致跨站点脚本（XSS）攻击。</Description>      <name>apache httpd：HTTP请求冒用（CVE-2005-2088）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101109" id="101109" modified="2015-02-13" published="2005-08-23" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2005-11-29</id>         
             <id name="BID">14620</id>         
             <id name="BID">15647</id>         
             <id name="CVE">CVE-2005-2491</id>         
             <id name="DEBIAN">DSA-800</id>         
             <id name="DEBIAN">DSA-817</id>         
             <id name="DEBIAN">DSA-819</id>         
             <id name="DEBIAN">DSA-821</id>         
             <id name="OVAL">OVAL11516</id>         
             <id name="OVAL">OVAL1496</id>         
             <id name="OVAL">OVAL1659</id>         
             <id name="OVAL">OVAL735</id>         
             <id name="REDHAT">RHSA-2005:358</id>         
             <id name="REDHAT">RHSA-2005:761</id>         
             <id name="REDHAT">RHSA-2006:0197</id>         
             <id name="SGI">20060401-01-U</id>         
             <id name="SUSE">SUSE-SA:2005:048</id>         
             <id name="SUSE">SUSE-SA:2005:049</id>         
             <id name="SUSE">SUSE-SA:2005:051</id>         
             <id name="SUSE">SUSE-SA:2005:052</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.55</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://www.debian.org/security/2005/dsa-800 
http://www2.itrc.hp.com/service/cki/docDisplay.do?hpweb_printable=true&amp;docId=c00555254 
ftp://patches.sgi.com/support/free/security/advisories/20050902-01-U.asc</Solutions>      <cnnvd>CNNVD-200508-232</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产会受到该漏洞影响如果有权限创建.htaccess文件的本地用户可以创建一个恶意特制的正则表达式。审查验证您的Web服务器配置。在PCRE中发现一个整数溢出漏洞，Perl兼容正则表达式库包含在httpd内。有权限创建.htaccess文件的本地用户可以创建一个恶意特制的正则表达式，从而获取httpd子节点的访问权限。</Description>      <name>Apache HTTPD: PCRE溢出 (CVE-2005-2491)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101110" id="101110" modified="2020-01-30" published="2005-09-06" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">14721</id>         
             <id name="CERT-VN">744929</id>         
             <id name="CVE">CVE-2005-2700</id>         
             <id name="DEBIAN">DSA-805</id>         
             <id name="DEBIAN">DSA-807</id>         
             <id name="OVAL">OVAL10416</id>         
             <id name="REDHAT">RHSA-2005:608</id>         
             <id name="REDHAT">RHSA-2005:773</id>         
             <id name="REDHAT">RHSA-2005:816</id>         
             <id name="SUSE">SUSE-SA:2005:051</id>         
             <id name="SUSE">SUSE-SA:2005:052</id>         
             <id name="SUSE">SuSE-SA:2006:051</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.55</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本： 
http://www.apache.org</Solutions>      <cnnvd>CNNVD-200509-038</cnnvd>      <cvsscode>10.0</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_ssl和虚拟主机一直使用&amp;#39;SSLVerifyClient可选“和指令”要求SSLVerifyClient“设置为特定位置配置。审查验证您的Web服务器配置。 SSLVerifyClient＆QUOT;在＆QUOT的mod_ssl的处理存在漏洞;指令。会出现此漏洞，如果使用＆QUOT虚拟主机已配置; SSLVerifyClient可选＆QUOT;并进一步指令＆QUOT; SSLVerifyClient需要＆QUOT;被设定为一个特定的位置。对于这种配置方式的服务器，攻击者可能能够访问应以其他方式受保护的资源，通过连接时，没有提供的客户端证书。</Description>      <name>apache httpd：SSLVerifyClient绕过（CVE-2005-2700）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101111" id="101111" modified="2015-02-13" published="2005-08-30" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">14660</id>         
             <id name="CVE">CVE-2005-2728</id>         
             <id name="DEBIAN">DSA-805</id>         
             <id name="OVAL">OVAL10017</id>         
             <id name="OVAL">OVAL1246</id>         
             <id name="OVAL">OVAL1727</id>         
             <id name="OVAL">OVAL760</id>         
             <id name="REDHAT">RHSA-2005:608</id>         
             <id name="SGI">20060101-01-U</id>         
             <id name="SUSE">SUSE-SA:2005:051</id>         
             <id name="SUSE">SUSE-SA:2005:052</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="XF">22006</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.55</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Sun Solaris 10 
Sun T120543-02 
http://sunsolve.sun.com/pub-cgi/tpatchDownload.pl?dl.d,T120543-02.zip 
HP HP-UX B.11.11 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
Sun Solaris 10.0_x86 
Sun T120544-02 
http://sunsolve.sun.com/pub-cgi/tpatchDownload.pl?dl.d,T120544-02.zip 
HP HP-UX B.11.23 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
HP HP-UX B.11.11 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
Conectiva Linux 10.0 
Conectiva apache-2.0.49-61251U10_5cl.i386.rpm 
Conectiva 10: 
ftp://atualizacoes.conectiva.com.br/10/RPMS/apache-2.0.49-61251U10_5cl .i386.rpm 
Conectiva apache-devel-2.0.49-61251U10_5cl.i386.rpm 
Conectiva 10: 09/27/2005 
ftp://atualizacoes.conectiva.com.br/10/RPMS/apache-devel-2.0.49-61251U 10_5cl.i386.rpm 
Conectiva apache-doc-2.0.49-61251U10_5cl.i386.rpm 
Conectiva 10: 
ftp://atualizacoes.conectiva.com.br/10/RPMS/apache-doc-2.0.49-61251U10 _5cl.i386.rpm 
Conectiva apache-htpasswd-2.0.49-61251U10_5cl.i386.rpm 
Conectiva 10: 
ftp://atualizacoes.conectiva.com.br/10/RPMS/apache-htpasswd-2.0.49-612 51U10_5cl.i386.rpm 
Conectiva libapr-devel-2.0.49-61251U10_5cl.i386.rpm 
Conectiva 10: 
ftp://atualizacoes.conectiva.com.br/10/RPMS/libapr-devel-2.0.49-61251U 10_5cl.i386.rpm 
Conectiva libapr-devel-static-2.0.49-61251U10_5cl.i386.rpm 
Conectiva 10: 
ftp://atualizacoes.conectiva.com.br/10/RPMS/libapr-devel-static-2.0.49 -61251U10_5cl.i386.rpm 
Conectiva libapr0-2.0.49-61251U10_5cl.i386.rpm 
Conectiva 10: 
ftp://atualizacoes.conectiva.com.br/10/RPMS/libapr0-2.0.49-61251U10_5c l.i386.rpm 
Conectiva mod_auth_ldap-2.0.49-61251U10_5cl.i386.rpm 
Conectiva 10: 
ftp://atualizacoes.conectiva.com.br/10/RPMS/mod_auth_ldap-2.0.49-61251 U10_5cl.i386.rpm 
Conectiva mod_dav-2.0.49-61251U10_5cl.i386.rpm 
Conectiva 10: 
ftp://atualizacoes.conectiva.com.br/10/RPMS/mod_dav-2.0.49-61251U10_5c l.i386.rpm 
HP HP-UX 11.0 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
HP HP-UX 11.11 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
HP HP-UX 11.23 
HP Apache-Based Web Server 2.0.55.00 
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProduc tInfo.pl?productNumber=HPUXWSSUITE 
Apache Software Foundation Apache 2.0 
Apache Software Foundation http_protocol.c 
http://issues.apache.org/bugzilla/attachment.cgi?id=16102 
Apache Software Foundation httpd-2.0.55.tar.gz 
http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz 
Apache Software Foundation Apache 2.0.28 Beta 
Apache Software Foundation http_protocol.c 
http://issues.apache.org/bugzilla/attachment.cgi?id=16102 
Apache Software Foundation httpd-2.0.55.tar.gz 
http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz 
Apache Software Foundation Apache 2.0.32 
Apache Software Foundation http_protocol.c 
http://issues.apache.org/bugzilla/attachment.cgi?id=16102 
Apache Software Foundation httpd-2.0.55.tar.gz 
http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz 
Apache Software Foundation Apache 2.0.35 
Apache Software Foundation http_protocol.c 
http://issues.apache.org/bugzilla/attachment.cgi?id=16102 
Apache Software Foundation httpd-2.0.55.tar.gz 
http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz 
Apache Software Foundation Apache 2.0.36 
Apache Software Foundation http_protocol.c 
http://issues.apache.org/bugzilla/attachment.cgi?id=16102 
Apache Software Foundation httpd-2.0.55.tar.gz 
http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz 
</Solutions>      <cnnvd>CNNVD-200508-298</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞影响，如果仅服务器有一个动态资源，如产生大量的数据，攻击者可以发送特制的特制的请求CGI脚本或PHP脚本。审查验证您的Web服务器配置。在字节范围过滤器中的漏洞会导致一些回应被缓存到内存中。如果服务器有一个动态的资源，如CGI脚本或PHP脚本生成大量数据，攻击者可以发送特制的请求，以消耗资源，可能导致拒绝服务。</Description>      <name>apache httpd：字节范围过滤器DoS（CVE-2005-2728）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101112" id="101112" modified="2015-02-13" published="2005-10-25" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">15762</id>         
             <id name="CVE">CVE-2005-2970</id>         
             <id name="OVAL">OVAL10043</id>         
             <id name="REDHAT">RHSA-2006:0159</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.36</low>                     
                               <high inclusive="0">2.0.55</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/download.cgi</Solutions>      <cnnvd>CNNVD-200510-212</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞的影响，仅当使用worker MPM线程模型时。审查验证您的Web服务器配置。在Worker MPM中的内存泄漏会允许远程攻击者通过中止连接导致拒绝服务（内存消耗），从而防止交易池中的内存被重新用于其他连接。随着争用条件利用变难，此问题的严重程度从中等将为低级。</Description>      <name>apache httpd：Worker MPM的内存泄漏（CVE-2005-2970）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101113" id="101113" modified="2015-02-13" published="2005-12-13" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-03-18</id>         
             <id name="APPLE">APPLE-SA-2008-05-28</id>         
             <id name="BID">15834</id>         
             <id name="CERT">TA08-150A</id>         
             <id name="CVE">CVE-2005-3352</id>         
             <id name="DEBIAN">DSA-1167</id>         
             <id name="OVAL">OVAL10480</id>         
             <id name="REDHAT">RHSA-2006:0158</id>         
             <id name="REDHAT">RHSA-2006:0159</id>         
             <id name="REDHAT">RHSA-2006:0692</id>         
             <id name="SGI">20060101-01-U</id>         
             <id name="SUSE">SUSE-SA:2006:043</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.35</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.58</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.2</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://sunsolve.sun.com/search/ 
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/ 
http://security.ubuntu.com/ubuntu/pool/main/a/apache/ 
http://wsidecar.apple.com/cgi-bin/ 
http://wwwnew.mandriva.com/en/downloads/ 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/</Solutions>      <cnnvd>CNNVD-200512-244</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_imap和Referer的指令用于与影像地图。审查验证您的Web服务器配置。当使用有影像地图的Referer指令时，在mod_imap中发现一个漏洞。如果受害人被迫使用某些Web浏览器访问恶意网址，在某些站点配置远程攻击者可执行跨站点脚本攻击。</Description>      <name>apache httpd：mod_imap Referer跨站点脚本（CVE-2005-3352）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101114" id="101114" modified="2016-11-23" published="2005-12-31" version="2.0">      
        
        
        <cvss>(AV:N/AC:H/Au:N/C:N/I:N/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-05-28</id>         
             <id name="BID">16152</id>         
             <id name="CERT">TA08-150A</id>         
             <id name="CVE">CVE-2005-3357</id>         
             <id name="OVAL">OVAL11467</id>         
             <id name="REDHAT">RHSA-2006:0159</id>         
             <id name="SGI">20060101-01-U</id>         
             <id name="SUSE">SuSE-SA:2006:051</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.58</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.2</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://lwn.net/Alerts/166549/?format=printable 
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd... 
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd... 
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/...</Solutions>      <cnnvd>CNNVD-200512-806</cnnvd>      <cvsscode>5.4</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_ssl。才会出现这种情况。审查验证您的Web服务器配置。 mod_ssl中的一个空指针引用漏洞被发现，其中影响SSL虚拟主机配置了访问控制和自定义400错误的文件服务器配置。远程攻击者可发送特制的请求触发此问题，这将导致崩溃。如果使用worker MPM，此崩溃只会拒绝服务。</Description>      <name>apache httpd：mod_ssl访问控制DoS（CVE-2005-3357）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101115" id="101115" modified="2016-05-27" published="2006-07-28" version="2.0">      
        
        <severity>8</severity>      
        <cvss>(AV:N/AC:H/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-03-18</id>         
             <id name="APPLE">APPLE-SA-2008-05-28</id>         
             <id name="BID">19204</id>         
             <id name="CERT">TA08-150A</id>         
             <id name="CERT-VN">395412</id>         
             <id name="CVE">CVE-2006-3747</id>         
             <id name="DEBIAN">DSA-1131</id>         
             <id name="DEBIAN">DSA-1132</id>         
             <id name="SUSE">SUSE-SA:2006:043</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">28063</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.28</low>                     
                               <high inclusive="0">1.3.37</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.46</low>                     
                               <high inclusive="0">2.0.59</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.3</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://www.debian.org/security/2005/dsa-1132 
http://www.debian.org/security/2005/dsa-1131 
http://security.gentoo.org/glsa/glsa-200608-01.xml 
</Solutions>      <cnnvd>CNNVD-200607-497</cnnvd>      <name>Apache HTTPD: mod_rewrite off-by-one 溢位錯誤 (CVE-2006-3747)</name>      <Description>一个溢位弱点存在于复写模组 mod_rewrite 中，仅有运行 mod_rewrite 模组方受此弱点影响。检查您的 Web 伺服器设定以确认该弱点。根据编译 Apache httpd 的方式，可能会造成此弱点，同时结合Web伺服器设定文件中的某些复写规则可远端触发此弱点。该弱点可能造成阻断服务(DoS)（破坏Web伺服器程序），或可能允许执行任意代码。</Description>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101229" id="101229" modified="2015-02-13" published="2006-07-27" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">19661</id>         
             <id name="CVE">CVE-2006-3918</id>         
             <id name="DEBIAN">DSA-1167</id>         
             <id name="OVAL">OVAL10352</id>         
             <id name="OVAL">OVAL12238</id>         
             <id name="REDHAT">RHSA-2006:0618</id>         
             <id name="REDHAT">RHSA-2006:0619</id>         
             <id name="REDHAT">RHSA-2006:0692</id>         
             <id name="SGI">20060801-01-P</id>         
             <id name="SUSE">SUSE-SA:2006:051</id>         
             <id name="SUSE">SUSE-SA:2008:021</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.3</low>                     
                               <high inclusive="0">1.3.35</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
OpenBSD OpenBSD 3.9 
OpenBSD 012_httpd2.patch 
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/012_httpd2.patch 
</Solutions>      <cnnvd>CNNVD-200607-476</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响 ，如果攻击者能影响Expect报头。 审查验证您的Web服务器配置。无效的Expect报头处理存在漏洞。如果攻击者影响一个受害者发送到目标网站的Expect报头,他们能进行跨站点脚本攻击。已知的是，一些版本的Flash可设置触发此漏洞的设置任意Expect报头。</Description>      <name>Apache HTTPD: Expect标头跨站点脚本(CVE-2006-3918)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101230" id="101230" modified="2016-05-27" published="2007-06-27" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">24645</id>         
             <id name="CVE">CVE-2006-5752</id>         
             <id name="OVAL">OVAL10154</id>         
             <id name="REDHAT">RHSA-2007:0532</id>         
             <id name="REDHAT">RHSA-2007:0533</id>         
             <id name="REDHAT">RHSA-2007:0534</id>         
             <id name="REDHAT">RHSA-2007:0556</id>         
             <id name="REDHAT">RHSA-2007:0557</id>         
             <id name="REDHAT">RHSA-2008:0261</id>         
             <id name="SUSE">SUSE-SA:2007:061</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">35097</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.2</low>                     
                               <high inclusive="0">1.3.39</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.61</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.6</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：可公开访问mod_status模块和服务器状态页并启用ExtendedStatus。审查验证您的Web服务器配置。在mod_status模块模块中发现一个漏洞。在网站中，可公开访问mod_status模块和服务器状态页并启用ExtendedStatus。这可能会导致跨站点脚本攻击。请注意，服务器状态页默认不启用，这是不使这个公开的最佳实践。</Description>      <name>apache httpd：mod_status跨站点脚本（CVE-2006-5752）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101116" id="101116" modified="2016-05-27" published="2007-06-04" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">24553</id>         
             <id name="CVE">CVE-2007-1862</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.4</low>                     
                               <high inclusive="0">2.2.6</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_cache。审查验证您的Web服务器配置。在mod_mem_cache中的Apache2.2.4 recall_headers函数没有正确复制各级标题数据，它可以让Apache返回一个包含以前使用的数据，这可能是通过使用远程攻击者可能获取敏感信息的HTTP标头。</Description>      <name>apache httpd：mod_cache信息泄露（CVE-2007-1862）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101117" id="101117" modified="2016-05-27" published="2007-06-27" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-05-28</id>         
             <id name="BID">24649</id>         
             <id name="CERT">TA08-150A</id>         
             <id name="CVE">CVE-2007-1863</id>         
             <id name="OVAL">OVAL9824</id>         
             <id name="REDHAT">RHSA-2007:0533</id>         
             <id name="REDHAT">RHSA-2007:0534</id>         
             <id name="REDHAT">RHSA-2007:0556</id>         
             <id name="REDHAT">RHSA-2007:0557</id>         
             <id name="SUSE">SUSE-SA:2007:061</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.37</low>                     
                               <high inclusive="0">2.0.61</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.6</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_cache。审查验证您的Web服务器配置。在mod_cache模块中发现一个错误。开启缓存启用站点，远程攻击者可发送特制的请求，将导致Apache的子进程处理该请求崩溃。这可能如果使用线程多处理模块导致拒绝服务。</Description>      <name>apache httpd：mod_cache代理DoS攻击（CVE-2007-1863）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101118" id="101118" modified="2016-05-27" published="2007-06-20" version="2.0">      
        
        
        <cvss>(AV:L/AC:M/Au:N/C:N/I:N/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">24215</id>         
             <id name="CVE">CVE-2007-3304</id>         
             <id name="OVAL">OVAL11589</id>         
             <id name="REDHAT">RHSA-2007:0532</id>         
             <id name="REDHAT">RHSA-2007:0556</id>         
             <id name="REDHAT">RHSA-2007:0557</id>         
             <id name="REDHAT">RHSA-2007:0662</id>         
             <id name="REDHAT">RHSA-2008:0261</id>         
             <id name="SGI">20070701-01-P</id>         
             <id name="SUSE">SUSE-SA:2007:061</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">35095</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.39</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.61</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.6</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>4.7</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有在本地攻击者可以运行在HTTP服务器上的脚本。审查验证您的Web服务器配置。 Apache HTTP服务器在发送信号之前没有验证进程是一个Apache子进程。能在HTTP服务器上运行脚本的本地攻击者可操纵记分牌，并终止任意进程，从而引起拒绝服务。</Description>      <name>apache httpd：信号对于任意进程（CVE-2007-3304）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101119" id="101119" modified="2016-05-24" published="2007-08-23" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-03-18</id>         
             <id name="APPLE">APPLE-SA-2008-05-28</id>         
             <id name="BID">25489</id>         
             <id name="CERT">TA08-150A</id>         
             <id name="CVE">CVE-2007-3847</id>         
             <id name="OVAL">OVAL10525</id>         
             <id name="REDHAT">RHSA-2007:0746</id>         
             <id name="REDHAT">RHSA-2007:0747</id>         
             <id name="REDHAT">RHSA-2007:0911</id>         
             <id name="REDHAT">RHSA-2008:0005</id>         
             <id name="SUSE">SUSE-SA:2007:061</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.61</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.6</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy。审查验证您的Web服务器配置。一个漏洞被发现在Apache HTTP服务器的mod_proxy模块中。在站点配置了反向代理，远程攻击者可发送特制的请求，将导致Apache的子进程处理该请求崩溃。如果用户可被说服访问使用代理的恶意网站，在站点配置正向代理网站，攻击者可能会导致类似的崩溃。如果使用线程多处理模块这可能会导致拒绝服务。</Description>      <name>apache httpd：mod_proxy崩溃（CVE-2007-3847）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101120" id="101120" modified="2018-04-17" published="2007-12-13" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-03-18</id>         
             <id name="APPLE">APPLE-SA-2008-05-28</id>         
             <id name="BID">26838</id>         
             <id name="CERT">TA08-150A</id>         
             <id name="CVE">CVE-2007-5000</id>         
             <id name="OVAL">OVAL9539</id>         
             <id name="REDHAT">RHSA-2008:0004</id>         
             <id name="REDHAT">RHSA-2008:0005</id>         
             <id name="REDHAT">RHSA-2008:0006</id>         
             <id name="REDHAT">RHSA-2008:0007</id>         
             <id name="REDHAT">RHSA-2008:0008</id>         
             <id name="REDHAT">RHSA-2008:0009</id>         
             <id name="REDHAT">RHSA-2008:0261</id>         
             <id name="SUSE">SUSE-SA:2008:021</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">39001</id>         
             <id name="XF">39002</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.3.41</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.63</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.8</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的影响：mod_imagemap AND imagemap文件是公开可用的。 检查Web服务器配置以进行验证。 在mod_imagemap模块中发现了一个缺陷。 在启用mod_imagemap且imagemap文件公开可用的站点上，可能会发生跨站点脚本攻击。</Description>      <name>Apache HTTPD: mod_imagemap XSS (CVE-2007-5000)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101231" id="101231" modified="2016-05-24" published="2008-01-08" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-03-18</id>         
             <id name="APPLE">APPLE-SA-2008-05-28</id>         
             <id name="BID">27237</id>         
             <id name="CERT">TA08-150A</id>         
             <id name="CVE">CVE-2007-6388</id>         
             <id name="OVAL">OVAL10272</id>         
             <id name="REDHAT">RHSA-2008:0004</id>         
             <id name="REDHAT">RHSA-2008:0005</id>         
             <id name="REDHAT">RHSA-2008:0006</id>         
             <id name="REDHAT">RHSA-2008:0007</id>         
             <id name="REDHAT">RHSA-2008:0008</id>         
             <id name="REDHAT">RHSA-2008:0009</id>         
             <id name="REDHAT">RHSA-2008:0261</id>         
             <id name="SUSE">SUSE-SA:2008:021</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">39472</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.2</low>                     
                               <high inclusive="0">1.3.41</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.63</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.8</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Fujitsu INTERSTAGE Application Server Enterprise Edition 6.0 
Fujitsu INTS-APSREEG6.0_PUF_T0103S-07A.tar.Z 
for Solaris 
http://www.fujitsu.com/downloads/SEC/INTS-APSREEG6.0_PUF_T0103S-07A.ta r.Z 
Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0 
Fujitsu INTS-APSREE7.0_PUF_T013RS-06.tar.Z 
for Solaris 
http://www.fujitsu.com/downloads/SEC/INTS-APSREE7.0_PUF_T013RS-06.tar. Z 
Fujitsu TP09823.exe 
for Windows 
http://www.fujitsu.com/downloads/SEC/TP09823.exe 
Fujitsu INTERSTAGE Application Server Enterprise Edition 5.0 
Fujitsu 912327-11.tar.Z 
for Solaris 
http://www.fujitsu.com/downloads/SEC/912327-11.tar.Z 
Fujitsu TP09823.exe 
for Windows 
http://www.fujitsu.com/downloads/SEC/TP09823.exe 
Apple Mac OS X Server 10.5 
Apple Security Update 2008-003 Server (PPC) 
http://www.apple.com/support/downloads/securityupdate2008003serverppc. html 
Apple Security Update 2008-003 Server (Universal) 
http://www.apple.com/support/downloads/securityupdate2008003serveruniv ersal.html 
Apple Mac OS X 10.4.11 
Apple SecUpd2008-002PPC.dmg 
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&amp;cat= 57&amp;platform=osx&amp;method=sa/SecUpd2008-002PPC.dmg 
Apple SecUpd2008-002Univ.dmg 
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&amp;cat= 57&amp;platform=osx&amp;method=sa/SecUpd2008-002Univ.dmg 
Apple Security Update 2008-003 (Intel) 
http://www.apple.com/support/downloads/securityupdate2008003intel.html 
Apple Security Update 2008-003 (PPC) 
http://www.apple.com/support/downloads/securityupdate2008003ppc.html 
Apple Mac OS X Server 10.5.2 
Apple SecUpdSrvr2008-002.dmg 
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&amp;cat= 57&amp;platform=osx&amp;method=sa/SecUpdSrvr2008-002.dmg 
Apple Security Update 2008-003 Server (PPC) 
http://www.apple.com/support/downloads/securityupdate2008003serverppc. html 
Apple Security Update 2008-003 Server (Universal) 
http://www.apple.com/support/downloads/securityupdate2008003serveruniv ersal.html 
Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0.1 
Fujitsu INTS-APSREE7.0.1_PUF_T023AS-05.tar.Z 
for Solaris 
http://www.fujitsu.com/downloads/SEC/INTS-APSREE7.0.1_PUF_T023AS-05.ta r.Z 
Fujitsu TP09823.exe 
for Windows 
http://www.fujitsu.com/downloads/SEC/TP09823.exe 
Apple Mac OS X Server 10.5.2 
&lt;ul&gt;&lt;li&gt; 
Apple SecUpdSrvr2008-002.dmg 
&lt;a href=&quot; 
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&amp;cat=57&amp;platform=osx&amp;method=sa/SecUpdSrvr2008-002.dmg&quot;&gt; 
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&amp;cat= 
57&amp;platform=osx&amp;method=sa/SecUpdSrvr2008-002.dmg&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
Apple Security Update 2008-003 Server (PPC) 
&lt;a href=&quot; 
http://www.apple.com/support/downloads/securityupdate2008003serverppc.html&quot;&gt; 
http://www.apple.com/support/downloads/securityupdate2008003serverppc. 
html&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
Apple Security Update 2008-003 Server (Universal) 
&lt;a href=&quot; 
http://www.apple.com/support/downloads/securityupdate2008003serveruniversal.html&quot;&gt; 
http://www.apple.com/support/downloads/securityupdate2008003serveruniv 
ersal.html&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0.1 
&lt;ul&gt;&lt;li&gt; 
Fujitsu INTS-APSREE7.0.1_PUF_T023AS-05.tar.Zfor Solaris 
&lt;a href=&quot; 
http://www.fujitsu.com/downloads/SEC/INTS-APSREE7.0.1_PUF_T023AS-05.tar.Z&quot;&gt; 
http://www.fujitsu.com/downloads/SEC/INTS-APSREE7.0.1_PUF_T023AS-05.ta 
r.Z&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt; 
Fujitsu TP09823.exefor Windows 
&lt;a href=&quot; 
http://www.fujitsu.com/downloads/SEC/TP09823.exe&quot;&gt; 
http://www.fujitsu.com/downloads/SEC/TP09823.exe&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt;</Solutions>      <cnnvd>CNNVD-200801-095</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_status模块和mod_status提供的网页公开访问。审查验证您的Web服务器配置。在mod_status模块模块中发现一个漏洞。在网站中，mod_status模块被启用且可公开访问状态页面，可能产生跨站点脚本攻击。请注意，服务器状态页默认不启用，这是不使这个公开的最佳实践。</Description>      <name>Apache HTTPD: mod_status XSS (CVE-2007-6388)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101121" id="101121" modified="2016-05-24" published="2008-01-11" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>CSRF</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-10-09</id>         
             <id name="BID">27236</id>         
             <id name="BID">31681</id>         
             <id name="CVE">CVE-2007-6420</id>         
             <id name="OVAL">OVAL8371</id>         
             <id name="REDHAT">RHSA-2008:0966</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.9</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的攻击，仅当其运行下列模块当中的一个mod_proxy_balancer时：审查验证您的Web服务器配置。mod_proxy_balancer提供一个管理界面,可以容易跨站点请求伪造(CSRF)攻击。</Description>      <name>Apache HTTPD: mod_proxy_balancer CSRF (CVE-2007-6420)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101122" id="101122" modified="2016-05-24" published="2008-01-08" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:S/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-03-18</id>         
             <id name="BID">27236</id>         
             <id name="CVE">CVE-2007-6421</id>         
             <id name="OVAL">OVAL10664</id>         
             <id name="OVAL">OVAL8651</id>         
             <id name="REDHAT">RHSA-2008:0008</id>         
             <id name="REDHAT">RHSA-2008:0009</id>         
             <id name="SUSE">SUSE-SA:2008:021</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">39474</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.8</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_balancer。审查验证您的Web服务器配置。在mod_proxy_balancer模块中发现一个漏洞。在网站中启用mod_proxy_balancer，可能对授权用户进行跨站点脚本攻击。</Description>      <name>Apache HTTPD: mod_proxy_balancer XSS (CVE-2007-6421)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101123" id="101123" modified="2016-05-24" published="2008-01-08" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:S/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">27236</id>         
             <id name="CVE">CVE-2007-6422</id>         
             <id name="OVAL">OVAL10181</id>         
             <id name="OVAL">OVAL8690</id>         
             <id name="REDHAT">RHSA-2008:0008</id>         
             <id name="REDHAT">RHSA-2008:0009</id>         
             <id name="SUSE">SUSE-SA:2008:021</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">39476</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.8</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_balancer。审查验证您的Web服务器配置。一个漏洞被发现mod_proxy_balancer的模块中。在站点中启用mod_proxy_balancer，授权用户可以发送一个特制的请求，将导致Apache的子进程处理该请求崩溃。如果使用线程多处理模块，这可能导致拒绝服务。</Description>      <name>apache httpd：mod_proxy_balancer DoS攻击（CVE-2007-6422）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101124" id="101124" modified="2015-02-13" published="2008-01-11" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-03-18</id>         
             <id name="BID">27234</id>         
             <id name="CVE">CVE-2008-0005</id>         
             <id name="OVAL">OVAL10812</id>         
             <id name="REDHAT">RHSA-2008:0004</id>         
             <id name="REDHAT">RHSA-2008:0005</id>         
             <id name="REDHAT">RHSA-2008:0006</id>         
             <id name="REDHAT">RHSA-2008:0007</id>         
             <id name="REDHAT">RHSA-2008:0008</id>         
             <id name="REDHAT">RHSA-2008:0009</id>         
             <id name="SUSE">SUSE-SA:2008:021</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">39615</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.63</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.8</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Apple Mac OS X 10.5.2 
Apple SecUpd2008-002.dmg 
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&amp;cat= 57&amp;platform=osx&amp;method=sa/SecUpd2008-002.dmg 
Apple Mac OS X Server 10.5.2 
Apple SecUpdSrvr2008-002.dmg 
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&amp;cat= 57&amp;platform=osx&amp;method=sa/SecUpdSrvr2008-002.dmg 
</Solutions>      <cnnvd>CNNVD-200801-176</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_ftp。审查验证您的Web服务器配置。一种解决方法添加到mod_proxy_ftp模块中。在此站点启用mod_proxy_ftp并转发代理配置，跨站点脚本攻击可能针对Web浏览器，不正确地得出以下RFC 2616规定的响应字符集。</Description>      <name>Apache HTTPD: mod_proxy_ftp UTF-7 XSS (CVE-2008-0005)</name>   </Vulnerability>   <Vulnerability added="2012-09-27" gvid="ID101125" id="101125" modified="2016-05-24" published="2008-01-24" version="2.0">      
        
        
        <cvss>(AV:N/AC:H/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>HTTP Response Splitting</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2009-05-12</id>         
             <id name="BID">27409</id>         
             <id name="CERT">TA09-133A</id>         
             <id name="CVE">CVE-2008-0456</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061101</id>         
             <id name="IAVM">2015-A-0149</id>         
             <id name="REDHAT">RHSA-2013:0130</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">39893</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E 
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E</Solutions>      <cnnvd>CNNVD-200801-388</cnnvd>      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_negotiation模块。审查验证您的Web服务器配置。CRLF注入允许HTTP响应拆分攻击使用mod_negotiation模块，并允许不可信上传到具有多视图启用位置的网站。</Description>      <name>Apache HTTPD: 支持不可信的上传文件时，mod_negotiation中存在CRLF注入(CVE-2008-0456)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101126" id="101126" modified="2015-02-13" published="2008-06-13" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2008-10-09</id>         
             <id name="BID">29653</id>         
             <id name="BID">31681</id>         
             <id name="CVE">CVE-2008-2364</id>         
             <id name="OVAL">OVAL11713</id>         
             <id name="OVAL">OVAL6084</id>         
             <id name="OVAL">OVAL9577</id>         
             <id name="REDHAT">RHSA-2008:0966</id>         
             <id name="REDHAT">RHSA-2008:0967</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">42987</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.9</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd></cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>只有当它运行下列模块之一，受影响的资产很容易受到此漏洞影响：mod_proxy_http.审查验证您的Web服务器配置。使用mod_proxy_http时的源服务器，在处理临时过度反应时发现一个漏洞。远程攻击者可导致拒绝服务或高内存的使用。</Description>      <name>Apache HTTPD: mod_proxy_http DoS (CVE-2008-2364)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101127" id="101127" modified="2015-02-13" published="2008-08-06" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>FTP</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2009-05-12</id>         
             <id name="BID">30560</id>         
             <id name="CERT">TA09-133A</id>         
             <id name="CERT-VN">663763</id>         
             <id name="CVE">CVE-2008-2939</id>         
             <id name="OVAL">OVAL11316</id>         
             <id name="OVAL">OVAL7716</id>         
             <id name="REDHAT">RHSA-2008:0966</id>         
             <id name="REDHAT">RHSA-2008:0967</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">44223</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.10</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链 
http://svn.apache.org/viewvc?revision=682868&amp;view=revision</Solutions>      <cnnvd>CNNVD-200808-056</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_proxy_ftp。审查验证您的Web服务器配置。用mod_proxy_ftp处理FTP URL路径的通配符时发现一个漏洞。如果mod_proxy_ftp被启用，以支持FTP-over-HTTP，包含通配符字符的请求可能会导致跨站点脚本（XSS）攻击。</Description>      <name>apache httpd：mod_proxy_ftp通配符XSS（CVE-2008-2939）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101128" id="101128" modified="2015-02-13" published="2009-06-07" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2009-11-09-1</id>         
             <id name="BID">35221</id>         
             <id name="CVE">CVE-2009-0023</id>         
             <id name="DEBIAN">DSA-1812</id>         
             <id name="OVAL">OVAL10968</id>         
             <id name="OVAL">OVAL12321</id>         
             <id name="REDHAT">RHSA-2009:1107</id>         
             <id name="REDHAT">RHSA-2009:1108</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">50964</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://svn.apache.org/viewvc?view=rev&amp;revision=779880 
http://www.debian.org/security/2009/dsa-1812 
</Solutions>      <cnnvd>CNNVD-200906-098</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，仅当攻击者提供特制的搜索关键字来处理搜索模式编译形式的函数的时候。审查验证您的Web服务器配置。在以APR-util库绑定的副本创建搜索模式的编译表单方式中发现基于承销的漏洞。攻击者可以制定一个特制的搜索关键字，当由模式编制引擎处理时，覆盖任意堆内存的位置。</Description>      <name>apache httpd：APR-UTIL堆承销（CVE-2009-0023）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101129" id="101129" modified="2016-05-27" published="2009-04-23" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Information Gathering</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2009-11-09-1</id>         
             <id name="BID">34663</id>         
             <id name="CVE">CVE-2009-1191</id>         
             <id name="OVAL">OVAL8261</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">50059</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.11</low>                     
                               <high inclusive="0">2.2.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff</Solutions>      <cnnvd>CNNVD-200904-456</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_proxy_ajp。审查验证您的Web服务器配置。仅在2.2.11版本mod_proxy_ajp中发现一个信息披露漏洞。在某些情况下，如果用户发送了特制的HTTP请求，服务器可以返回针对另一用户的响应。</Description>      <name>apache httpd：mod_proxy_ajp信息披露（CVE-2009-1191）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101130" id="101130" modified="2016-05-27" published="2009-05-28" version="2.0">      
        
        
        <cvss>(AV:L/AC:L/Au:N/C:N/I:N/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2009-11-09-1</id>         
             <id name="BID">35115</id>         
             <id name="CVE">CVE-2009-1195</id>         
             <id name="DEBIAN">DSA-1816</id>         
             <id name="OVAL">OVAL11094</id>         
             <id name="OVAL">OVAL12377</id>         
             <id name="OVAL">OVAL8704</id>         
             <id name="REDHAT">RHSA-2009:1075</id>         
             <id name="REDHAT">RHSA-2009:1156</id>         
             <id name="SUSE">SUSE-SA:2009:050</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">50808</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://svn.apache.org/viewvc?view=rev&amp;revision=652885 
https://www.redhat.com/support/errata/RHSA-2009-1075.html</Solutions>      <cnnvd>CNNVD-200905-314</cnnvd>      <cvsscode>4.9</cvsscode>      <severity>Severe</severity>      <Description>只有AllowOverride指令与某些特定的选项以前使用时，受影响的资产很容易受到此漏洞的影响。审查验证您的Web服务器配置。在处理&amp;quot;Options&amp;quot;和&amp;quot;AllowOverride&amp;quot;指令时发现一个漏洞。在使用quot;AllowOverride&amp;quot; 指令和某些&amp;quot;Options=&amp;quot;参数的配置中，不限制本地用户如预期执行Server-Side-Include脚本的命令。</Description>      <name>apache httpd：AllowOverride选项处理绕过（CVE-2009-1195）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101131" id="101131" modified="2016-05-27" published="2009-07-05" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2009-11-09-1</id>         
             <id name="BID">35565</id>         
             <id name="CVE">CVE-2009-1890</id>         
             <id name="DEBIAN">DSA-1834</id>         
             <id name="OVAL">OVAL12330</id>         
             <id name="OVAL">OVAL8616</id>         
             <id name="OVAL">OVAL9403</id>         
             <id name="REDHAT">RHSA-2009:1148</id>         
             <id name="REDHAT">RHSA-2009:1156</id>         
             <id name="SUSE">SUSE-SA:2009:050</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Ubuntu Ubuntu Linux 8.10 powerpc 
Ubuntu apache2-doc_2.2.9-7ubuntu3.2_all.deb 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2. 9-7ubuntu3.2_all.deb 
Ubuntu apache2-mpm-event_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7u buntu3.2_powerpc.deb 
Ubuntu apache2-src_2.2.9-7ubuntu3.2_all.deb 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2. 9-7ubuntu3.2_all.deb 
Ubuntu apache2-suexec-custom_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2. 9-7ubuntu3.2_powerpc.deb 
Ubuntu apache2-utils_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubunt u3.2_powerpc.deb 
Ubuntu apache2.2-common_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ub untu3.2_powerpc.deb 
Ubuntu apache2_2.2.9-7ubuntu3.2_all.deb 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7u buntu3.2_all.deb 
Slackware Linux 12.2 
Slackware httpd-2.2.12-i486-1_slack12.2.tgz 
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/ httpd-2.2.12-i486-1_slack12.2.tgz 
Debian Linux 5.0 alpha 
Debian apache2-dbg_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2 .9-10+lenny4_alpha.deb 
Debian apache2-doc_2.2.9-10+lenny4_all.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-doc_2.2 .9-10+lenny4_all.deb 
Debian apache2-mpm-event_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-eve nt_2.2.9-10+lenny4_alpha.deb 
Debian apache2-mpm-itk_2.2.6-02-1+lenny2_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2 -mpm-itk_2.2.6-02-1+lenny2_alpha.deb 
Debian apache2-utils_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2 .2.9-10+lenny4_alpha.deb 
Debian apache2.2-common_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-commo n_2.2.9-10+lenny4_alpha.deb 
Debian apache2_2.2.9-10+lenny4_all.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.9-1 0+lenny4_all.deb 
MandrakeSoft Linux Mandrake 2008.0 
Mandriva apache-base-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-devel-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-htcacheclean-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-mod_authn_dbd-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-mod_cache-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-mod_dav-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-mod_dbd-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-mod_deflate-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-mod_disk_cache-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-mod_file_cache-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-mpm-itk-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-mpm-prefork-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-mpm-worker-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apache-source-2.2.6-8.3mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Ubuntu Ubuntu Linux 9.04 sparc 
Ubuntu apache2-doc_2.2.11-2ubuntu2.2_all.deb 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2. 11-2ubuntu2.2_all.deb 
Ubuntu apache2-mpm-worker_2.2.11-2ubuntu2.2_sparc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.11- 2ubuntu2.2_sparc.deb 
Ubuntu apache2-prefork-dev_2.2.11-2ubuntu2.2_sparc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.11 -2ubuntu2.2_sparc.deb 
Ubuntu a</Solutions>      <cnnvd>CNNVD-200907-057</cnnvd>      <cvsscode>7.1</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy。审查验证您的Web服务器配置。当被用来作为一个反向代理时，发现mod_proxy模块中存在一个拒绝服务漏洞。远程攻击者可利用此漏洞来强制代理进程消耗大量CPU时间。</Description>      <name>apache httpd：mod_proxy反向代理DoS（CVE-2009-1890）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101132" id="101132" modified="2016-05-27" published="2009-07-10" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2009-11-09-1</id>         
             <id name="CVE">CVE-2009-1891</id>         
             <id name="DEBIAN">DSA-1834</id>         
             <id name="OVAL">OVAL12361</id>         
             <id name="OVAL">OVAL8632</id>         
             <id name="OVAL">OVAL9248</id>         
             <id name="REDHAT">RHSA-2009:1148</id>         
             <id name="REDHAT">RHSA-2009:1156</id>         
             <id name="SUSE">SUSE-SA:2009:050</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Ubuntu Ubuntu Linux 8.10 powerpc 
Ubuntu apache2-doc_2.2.9-7ubuntu3.2_all.deb 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2. 9-7ubuntu3.2_all.deb 
Ubuntu apache2-mpm-event_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7u buntu3.2_powerpc.deb 
Ubuntu apache2-mpm-prefork_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.9- 7ubuntu3.2_powerpc.deb 
Ubuntu apache2-mpm-worker_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7 ubuntu3.2_powerpc.deb 
Ubuntu apache2-prefork-dev_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.9- 7ubuntu3.2_powerpc.deb 
Ubuntu apache2-src_2.2.9-7ubuntu3.2_all.deb 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2. 9-7ubuntu3.2_all.deb 
Ubuntu apache2-suexec-custom_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2. 9-7ubuntu3.2_powerpc.deb 
Ubuntu apache2-suexec_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec_2.2.9-7ubun tu3.2_powerpc.deb 
Ubuntu apache2-threaded-dev_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.9 -7ubuntu3.2_powerpc.deb 
Ubuntu apache2-utils_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubunt u3.2_powerpc.deb 
Ubuntu apache2.2-common_2.2.9-7ubuntu3.2_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ub untu3.2_powerpc.deb 
Ubuntu apache2_2.2.9-7ubuntu3.2_all.deb 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7u buntu3.2_all.deb 
Slackware Linux 12.2 
Slackware httpd-2.2.12-i486-1_slack12.2.tgz 
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/ httpd-2.2.12-i486-1_slack12.2.tgz 
Debian Linux 5.0 alpha 
Debian apache2-dbg_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2 .9-10+lenny4_alpha.deb 
Debian apache2-doc_2.2.9-10+lenny4_all.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-doc_2.2 .9-10+lenny4_all.deb 
Debian apache2-mpm-event_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-eve nt_2.2.9-10+lenny4_alpha.deb 
Debian apache2-mpm-itk_2.2.6-02-1+lenny2_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2 -mpm-itk_2.2.6-02-1+lenny2_alpha.deb 
Debian apache2-mpm-prefork_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-pre fork_2.2.9-10+lenny4_alpha.deb 
Debian apache2-mpm-worker_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-wor ker_2.2.9-10+lenny4_alpha.deb 
Debian apache2-prefork-dev_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork -dev_2.2.9-10+lenny4_alpha.deb 
Debian apache2-src_2.2.9-10+lenny4_all.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-src_2.2 .9-10+lenny4_all.deb 
Debian apache2-suexec-custom_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec- custom_2.2.9-10+lenny4_alpha.deb 
Debian apache2-suexec_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_ 2.2.9-10+lenny4_alpha.deb 
Debian apache2-threaded-dev_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-threade d-dev_2.2.9-10+lenny4_alpha.deb 
Debian apache2-utils_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2 .2.9-10+lenny4_alpha.deb 
Debian apache2.2-common_2.2.9-10+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-commo n_2.2.9-10+lenny4_alpha.deb 
Debian apache2_2.2.9-10+lenny4_all.deb 
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.9-1 0+lenny4_al</Solutions>      <cnnvd>CNNVD-200907-157</cnnvd>      <cvsscode>7.1</cvsscode>      <severity>Severe</severity>      <Description>仅当以下模板：mod_deflate运行时，此受影响的资产很容易受到此漏洞影响。审查验证您的Web服务器配置。在mod_deflate模块中发现拒绝服务漏洞。这个模块继续压缩大的文件，直到压缩完成，即使所请求的内容的网络连接已经关闭压缩完成之前。这将导致mod_deflate模块消耗大量的CPU，如果mod_deflate的启用了大型文件。</Description>      <name>Apache HTTPD: mod_deflate DoS (CVE-2009-1891)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101133" id="101133" modified="2015-02-13" published="2009-06-07" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2009-11-09-1</id>         
             <id name="BID">35253</id>         
             <id name="CVE">CVE-2009-1955</id>         
             <id name="DEBIAN">DSA-1812</id>         
             <id name="OVAL">OVAL10270</id>         
             <id name="OVAL">OVAL12473</id>         
             <id name="REDHAT">RHSA-2009:1107</id>         
             <id name="REDHAT">RHSA-2009:1108</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://en.securitylab.ru/bitrix/redirect.php?event3=381000&amp;goto=http%3A%2F%2Fsvn.apache.org%2Fviewvc%3Fview%3Drev%26revision%3D781403 
http://www.debian.org/security/2009/dsa-1812 
</Solutions>      <cnnvd>CNNVD-200906-102</cnnvd>      <cvsscode>7.8</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产很容易受到此漏洞影响，仅当攻击者说服Apache消耗特制的XML文档时。审查验证您的Web服务器配置。在APR-util库可扩展标记语言（XML）解析器的绑定副本中发现一个拒绝服务漏洞。远程攻击者可以创建特制的XML文档，此文件在由XML解码引擎处理时导致内存消耗过大。</Description>      <name>apache httpd：APR-util XML DoS攻击（CVE-2009-1955）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101134" id="101134" modified="2015-02-13" published="2009-06-07" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2009-11-09-1</id>         
             <id name="BID">35251</id>         
             <id name="CVE">CVE-2009-1956</id>         
             <id name="OVAL">OVAL11567</id>         
             <id name="OVAL">OVAL12237</id>         
             <id name="REDHAT">RHSA-2009:1107</id>         
             <id name="REDHAT">RHSA-2009:1108</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://apache.mirrors.esat.net/apr/apr-1.3.5-win32-src.zip 
http://apache.mirrors.esat.net/apr/apr-1.3.5.tar.gz</Solutions>      <cnnvd>CNNVD-200906-103</cnnvd>      <cvsscode>6.4</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞影响，如果仅攻击者提供一个特制的字符串处理在大端平台的参数变量列表功能。审查验证您的Web服务器配置。被发现以APR-util库副本处理参数变量列表的方式发现一个off-by-one溢出漏洞。攻击者可以提供特制的字符串作为格式化输出转换例程的输入，这可能在大端平台上泄露敏感信息或拒绝服务。</Description>      <name>apache httpd：APR-util off-by-one溢出（CVE-1909-1956）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101135" id="101135" modified="2016-05-27" published="2009-08-06" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2009-11-09-1</id>         
             <id name="BID">35949</id>         
             <id name="CVE">CVE-2009-2412</id>         
             <id name="OVAL">OVAL8394</id>         
             <id name="OVAL">OVAL9958</id>         
             <id name="SUSE">SUSE-SA:2009:050</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.13</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
Ubuntu Ubuntu Linux 8.10 powerpc 
Ubuntu libapr1-dbg_1.2.12-4ubuntu0.1_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dbg_1.2.12-4ubuntu0.1_ powerpc.deb 
Ubuntu libapr1-dev_1.2.12-4ubuntu0.1_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dev_1.2.12-4ubuntu0.1_ powerpc.deb 
Ubuntu libapr1_1.2.12-4ubuntu0.1_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apr/libapr1_1.2.12-4ubuntu0.1_powe rpc.deb 
Ubuntu libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.3_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+df sg-7ubuntu0.3_powerpc.deb 
Ubuntu libaprutil1-dev_1.2.12+dfsg-7ubuntu0.3_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+df sg-7ubuntu0.3_powerpc.deb 
Ubuntu libaprutil1_1.2.12+dfsg-7ubuntu0.3_powerpc.deb 
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7 ubuntu0.3_powerpc.deb 
Debian Linux 5.0 alpha 
Debian libapr1-dbg_1.2.12-5+lenny1_alpha.deb 
http://security.debian.org/pool/updates/main/a/apr/libapr1-dbg_1.2.12- 5+lenny1_alpha.deb 
Debian libapr1-dev_1.2.12-5+lenny1_alpha.deb 
http://security.debian.org/pool/updates/main/a/apr/libapr1-dev_1.2.12- 5+lenny1_alpha.deb 
Debian libapr1_1.2.12-5+lenny1_alpha.deb 
http://security.debian.org/pool/updates/main/a/apr/libapr1_1.2.12-5+le nny1_alpha.deb 
Debian libaprutil1-dbg_1.2.12+dfsg-8+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-db g_1.2.12+dfsg-8+lenny4_alpha.deb 
Debian libaprutil1-dev_1.2.12+dfsg-8+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-de v_1.2.12+dfsg-8+lenny4_alpha.deb 
Debian libaprutil1_1.2.12+dfsg-8+lenny4_alpha.deb 
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1. 2.12+dfsg-8+lenny4_alpha.deb 
MandrakeSoft Linux Mandrake 2008.0 
Mandriva apr-util-dbd-mysql-1.2.10-1.1mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apr-util-dbd-pgsql-1.2.10-1.1mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva apr-util-dbd-sqlite3-1.2.10-1.1mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva libapr-devel-1.2.11-1.1mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva libapr-util-devel-1.2.10-1.1mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva libapr-util1-1.2.10-1.1mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
Mandriva libapr1-1.2.11-1.1mdv2008.0.i586.rpm 
http://www.mandriva.com/en/download/ 
</Solutions>      <cnnvd>CNNVD-200908-530</cnnvd>      <cvsscode>10.0</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产仅仅当非阿帕奇应用程序被传递未处理的用户提供的大小至apr_palloc（）函数时，容易受到此漏洞的影响。审查验证您的Web服务器配置。在apr_palloc（）4月份的捆绑副本中的一个漏洞可能会导致程序中的堆溢出。Apache HTTP服务器本身不传递unsanitized用户提供的大小至此函数中，所以它只能通过一些其他的应用程序来触发，此应用程序使用apr_palloc（）。</Description>      <name>Apache HTTPD: APR apr_palloc堆溢出(CVE-2009-2412)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101136" id="101136" modified="2013-08-22" published="2009-10-13" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">36596</id>         
             <id name="CVE">CVE-2009-2699</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">53666</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.14</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
https://issues.apache.org/bugzilla/show_bug.cgi?id=47645</Solutions>      <cnnvd>CNNVD-200910-194</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>发现错误处理影响Solaris pollset支持（事件端口后端）是由APR中的bug引起的。远程攻击者可能会引发Solaris服务器上的问题，使用预派生或事件MPM，从而导致拒绝服务。</Description>      <name>Apache HTTPD: Solaris pollset DoS (CVE-2009-2699)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101137" id="101137" modified="2015-02-13" published="2009-09-08" version="2.0">      
        
        
        <cvss>(AV:N/AC:H/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>FTP</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2009-3094</id>         
             <id name="DEBIAN">DSA-1934</id>         
             <id name="OVAL">OVAL10981</id>         
             <id name="OVAL">OVAL8087</id>         
             <id name="SUSE">SUSE-SA:2009:050</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.14</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd>CNNVD-200909-107</cnnvd>      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_ftp。审查验证您的Web服务器配置。在mod_proxy_ftp模块中发现一个空指针引用漏洞。被代理的恶意FTP服务器可利用此漏洞通过错误回复EPSV或PASV命令，导致httpd的子进程崩溃，从而导致有限的拒绝服务攻击。</Description>      <name>Apache HTTPD: mod_proxy_ftp DoS (CVE-2009-3094)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101138" id="101138" modified="2015-02-13" published="2009-09-08" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>FTP</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2010-03-29-1</id>         
             <id name="CVE">CVE-2009-3095</id>         
             <id name="DEBIAN">DSA-1934</id>         
             <id name="OVAL">OVAL8662</id>         
             <id name="OVAL">OVAL9363</id>         
             <id name="SUSE">SUSE-SA:2009:050</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.14</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions></Solutions>      <cnnvd>CNNVD-200909-108</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_ftp。审查验证您的Web服务器配置。在mod_proxy_ftp模块中发现一个漏洞。在反向代理配置，远程攻击者可利用此漏洞通过创建一个特制的HTTP Authorization头，允许攻击者发送任意指令到FTP服务器来绕过预期的访问限制。</Description>      <name>Apache HTTPD: mod_proxy_ftp FTP命令注入(CVE-2009-3095)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101139" id="101139" modified="2016-05-24" published="2009-12-04" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">37203</id>         
             <id name="CVE">CVE-2009-3560</id>         
             <id name="DEBIAN">DSA-1953</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0031252</id>         
             <id name="IAVM">2012-A-0020</id>         
             <id name="OVAL">OVAL10613</id>         
             <id name="OVAL">OVAL12942</id>         
             <id name="OVAL">OVAL6883</id>         
             <id name="REDHAT">RHSA-2011:0896</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.17</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Ubuntu Ubuntu Linux 8.10 powerpc 
Ubuntu expat_2.0.1-4ubuntu0.8.10.1_powerpc.deb 
http://ports.ubuntu.com/pool/universe/e/expat/expat_2.0.1-4ubuntu0.8.1 0.1_powerpc.deb 
Ubuntu idle-python2.4_2.4.5-5ubuntu1.2_all.deb 
http://security.ubuntu.com/ubuntu/pool/universe/p/python2.4/idle-pytho n2.4_2.4.5-5ubuntu1.2_all.deb 
Ubuntu idle-python2.5_2.5.2-11.1ubuntu1.1_all.deb 
http://security.ubuntu.com/ubuntu/pool/universe/p/python2.5/idle-pytho n2.5_2.5.2-11.1ubuntu1.1_all.deb 
Ubuntu lib64expat1-dev_2.0.1-4ubuntu0.8.10.1_powerpc.deb 
http://ports.ubuntu.com/pool/main/e/expat/lib64expat1-dev_2.0.1-4ubunt u0.8.10.1_powerpc.deb 
Ubuntu lib64expat1_2.0.1-4ubuntu0.8.10.1_powerpc.deb 
http://ports.ubuntu.com/pool/main/e/expat/lib64expat1_2.0.1-4ubuntu0.8 .10.1_powerpc.deb 
Ubuntu libexpat1-dev_2.0.1-4ubuntu0.8.10.1_powerpc.deb 
http://ports.ubuntu.com/pool/main/e/expat/libexpat1-dev_2.0.1-4ubuntu0 .8.10.1_powerpc.deb 
</Solutions>      <cnnvd>CNNVD-200912-057</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞影响，如果仅攻击者能够获取访问Apache解析不可信的XML文档。审查验证您的Web服务器配置。在绑定的expat库中发现一个缓冲区过读漏洞。能够让Apache解析不信任的XML文档（例如，通过mod_dav的）的攻击者可能会引起系统崩溃如果使用worker MPM，此崩溃只会拒绝服务。</Description>      <name>apache httpd：外籍DOS（CVE-2009-3560）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101140" id="101140" modified="2016-05-24" published="2009-11-03" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2009-3720</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0031252</id>         
             <id name="IAVM">2012-A-0020</id>         
             <id name="OVAL">OVAL11019</id>         
             <id name="OVAL">OVAL12719</id>         
             <id name="OVAL">OVAL7112</id>         
             <id name="REDHAT">RHSA-2010:0002</id>         
             <id name="REDHAT">RHSA-2011:0896</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.17</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>厂商目前已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://expat.sourceforge.net/ 
</Solutions>      <cnnvd>CNNVD-200911-024</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产会受到该漏洞影响，如果仅攻击者能够获取访问Apache解析不可信的XML文档。审查验证您的Web服务器配置。在expat库中发现一个缓冲区过读漏洞。能够让Apache解析不信任的XML文档（例如，通过mod_dav）的攻击者可能会引起系统崩溃。如果使用worker MPM，此崩溃只会拒绝服务。</Description>      <name>apache httpd：外籍DOS（CVE-2009-3720）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101141" id="101141" modified="2015-02-13" published="2010-02-02" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">37966</id>         
             <id name="CVE">CVE-2010-0010</id>         
             <id name="OVAL">OVAL7923</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="XF">55941</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.2</low>                     
                               <high inclusive="0">1.3.42</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Apache Software Foundation Apache 1.3.35 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.34 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.34 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.40-dev 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.1 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.11 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.11 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.12 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.12 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.13 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.14 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.14 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.14 Mac 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.15 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.16 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.17 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.17 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.18 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.18 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.19 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.19 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.20 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.20 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.22 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.22 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.tar.gz 
Apache Software Foundation Apache 1.3.23 
Apache Software Foundation apache_1.3.42.tar.gz 
http://httpd.apache.org/dev/dist/apache_1.3.42.</Solutions>      <cnnvd>CNNVD-201002-005</cnnvd>      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy。审查验证您的Web服务器配置。在mod_proxy模块中发现一个数字类型转换错误的漏洞，这会影响一些64位架构系统。被代理的恶意HTTP服务器请求可利用此漏洞通过特制的响应触发httpd子节点里的堆缓冲区溢出。</Description>      <name>apache httpd：在64位系统上的mod_proxy溢出（CVE-2010-0010）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101142" id="101142" modified="2015-02-13" published="2010-03-05" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2010-11-10-1</id>         
             <id name="BID">38491</id>         
             <id name="CVE">CVE-2010-0408</id>         
             <id name="DEBIAN">DSA-2035</id>         
             <id name="OVAL">OVAL8619</id>         
             <id name="OVAL">OVAL9935</id>         
             <id name="REDHAT">RHSA-2010:0168</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.15</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
http://svn.apache.org/viewvc?view=revision&amp;revision=917876</Solutions>      <cnnvd>CNNVD-201003-069</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_ajp。审查验证您的Web服务器配置。如果碰到错误， mod_proxy_ajp将返回错误的状态码，导致后端服务器陷入错误状态，直到重试超时。远程攻击者可发送恶意请求触发此问题，从而导致拒绝服务。</Description>      <name>Apache HTTPD: mod_proxy_ajp DoS (CVE-2010-0408)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101143" id="101143" modified="2015-02-13" published="2010-03-05" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">38494</id>         
             <id name="CERT-VN">280613</id>         
             <id name="CVE">CVE-2010-0425</id>         
             <id name="OVAL">OVAL8439</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">56624</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.37</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.15</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
http://svn.apache.org/viewvc?view=revision&amp;revision=917870</Solutions>      <cnnvd>CNNVD-201003-071</cnnvd>      <cvsscode>10.0</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产很容易受到此漏洞的攻击，仅当其运行下列模块当中的一个时：审查验证您的Web服务器配置。在登录ISAPI dll时在mod_isapi模块中发现一个漏洞。在不明状态下遗留调回和导致段错误。基于windows平台使用的mod_isapi，一个远程攻击者可以发送恶意请求触发此类问题。Win32 PMP只运行一个程序，造成拒绝服务和潜在的执行任意代码。</Description>      <name>apache httpd：mod_isapi模块卸载漏洞（CVE-2010-0425）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101144" id="101144" modified="2020-01-30" published="2010-03-05" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2010-11-10-1</id>         
             <id name="BID">38494</id>         
             <id name="CVE">CVE-2010-0434</id>         
             <id name="DEBIAN">DSA-2035</id>         
             <id name="OVAL">OVAL10358</id>         
             <id name="OVAL">OVAL8695</id>         
             <id name="REDHAT">RHSA-2010:0168</id>         
             <id name="REDHAT">RHSA-2010:0175</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">56625</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.15</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： 
http://svn.apache.org/viewvc?view=revision&amp;revision=917870</Solutions>      <cnnvd>CNNVD-201003-073</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_headers中。审查验证您的Web服务器配置。已修复核心子请求处理代码中的漏洞。提供headers_in array的副本而不是指向父请求的数组的。。这意味着所有的模块，如mod_headers可操纵子请求的输入标题，从两方面毒害父请求，一是通过修改父请求，二是留下的指针，修改分配给子请求范围的内存标头字段，这可能在主请求处理完成前释放，产生段错误或揭示线程服务器上的请求的数据，如worker或WINNT的MPM。</Description>      <name>apache httpd：请求标头的子请求处理（mod_headers）（CVE-2010-0434）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101145" id="101145" modified="2018-04-17" published="2010-07-28" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2011-03-21-1</id>         
             <id name="CVE">CVE-2010-1452</id>         
             <id name="OVAL">OVAL11683</id>         
             <id name="OVAL">OVAL12341</id>         
             <id name="REDHAT">RHSA-2010:0659</id>         
             <id name="REDHAT">RHSA-2011:0896</id>         
             <id name="REDHAT">RHSA-2011:0897</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.16</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/ABOUT_APACHE.html</Solutions>      <cnnvd>CNNVD-201007-279</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的影响：mod_cache，mod_dav。 检查Web服务器配置以进行验证。 在mod_cache（2.2）和mod_dav（2.0和2.2）处理请求时发现了一个缺陷。 恶意远程攻击者可能会发送精心设计的请求并导致httpd子进程崩溃。 如果使用worker MPM，此崩溃只会是拒绝服务。 由于mod_dav仅受最有可能被认证的请求的影响，因此进一步减轻了该问题，并且仅当不常见的&amp;quot;CacheIgnoreURLSessionIdentifiers&amp;quot;时，mod_cache才受到影响。 使用版本2.2.14中引入的指令。</Description>      <name>Apache HTTPD: mod_cache 和 mod_dav 拒绝服务 (CVE-2010-1452)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101146" id="101146" modified="2015-02-13" published="2010-10-04" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">43673</id>         
             <id name="CVE">CVE-2010-1623</id>         
             <id name="OVAL">OVAL12800</id>         
             <id name="REDHAT">RHSA-2010:0950</id>         
             <id name="REDHAT">RHSA-2011:0896</id>         
             <id name="REDHAT">RHSA-2011:0897</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.17</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://svn.apache.org/viewvc?view=revision&amp;revision=1003492 
http://svn.apache.org/viewvc?view=revision&amp;revision=1003495 
http://svn.apache.org/viewvc?view=revision&amp;revision=1003494 
http://svn.apache.org/viewvc?view=revision&amp;revision=1003493 
http://svn.apache.org/viewvc?view=revision&amp;sortby=date&amp;revision=1003626</Solutions>      <cnnvd>CNNVD-201010-001</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响如果Apache处理非SSL请求。审查验证您的Web服务器配置。一个漏洞被发现在捆绑的 APR util 库，用于处理非 SSL 请求的 apr_brigade_split_line() 函数。远程攻击者可发送请求，特制的时间的单个字节，会缓慢地消耗内存，从而可能导致拒绝服务。</Description>      <name>Apache HTTPD: apr_bridage_split_line DoS (CVE-2010-1623)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101147" id="101147" modified="2018-04-17" published="2010-06-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Information Gathering</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2011-03-21-1</id>         
             <id name="BID">40827</id>         
             <id name="CVE">CVE-2010-2068</id>         
             <id name="OVAL">OVAL11491</id>         
             <id name="OVAL">OVAL6931</id>         
             <id name="REDHAT">RHSA-2011:0896</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_23.html</id>         
             <id name="XF">59413</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.3.4</low>                     
                               <high inclusive="1">2.3.5</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.9</low>                     
                               <high inclusive="0">2.2.16</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商还没有提供补丁或者升级程序，建议使用此软件的用户随时关注厂商的主页以获取最新版本： 
http://httpd.apache.org/security/vulnerabilities_22.html 
</Solutions>      <cnnvd>CNNVD-201006-315</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的影响：mod_proxy_http。 检查Web服务器配置以进行验证。 在版本2.2.9至2.2.15,2.3.4-alpha和2.3.5-alpha中的mod_proxy_http中发现了信息泄露漏洞。 在某些超时条件下，服务器可以返回针对其他用户的响应。 只有Windows，Netware和OS2操作系统受到影响。 只有那些触发使用代理工作池的配置才会受到影响。 早期版本没有漏洞，因为尚未引入代理池。 最简单的解决方法是全局配置; SetEnv proxy-nokeepalive 1源代码补丁是; 2.2.15：CVE-2010-2068-r953616.patch 2.3.5：CVE-2010-2068-r953418.patch二进制替换模块位于mod_proxy_http-CVE-2010-2068.zip</Description>      <name>apache httpd：超时检测漏洞（mod_proxy_http）（CVE-2010-2068）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101148" id="101148" modified="2013-12-05" published="2010-08-05" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Information Gathering</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">42102</id>         
             <id name="CVE">CVE-2010-2791</id>         
             <id name="REDHAT">RHSA-2010:0659</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">60883</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.9</low>                     
                               <high inclusive="0">2.2.10</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_22.html</Solutions>      <cnnvd>CNNVD-201008-046</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_http。审查验证您的Web服务器配置。在Unix平台上只有2.2.9版本mod_proxy_http中存在一个信息泄露漏洞。在某些超时条件下，服务器可以返回针对另一用户的响应。只有那些触发使用代理工人池的配置会受到影响。早期版本中没有漏洞，因为尚未出台代理池。最简单的解决方法是全局配置：SETENV代理nokeepalive1</Description>      <name>apache httpd：超时检测漏洞（mod_proxy_http）（CVE-2010-2791）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101149" id="101149" modified="2020-01-30" published="2011-05-16" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2011-10-12-3</id>         
             <id name="CVE">CVE-2011-0419</id>         
             <id name="DEBIAN">DSA-2237</id>         
             <id name="OVAL">OVAL14638</id>         
             <id name="OVAL">OVAL14804</id>         
             <id name="REDHAT">RHSA-2011:0507</id>         
             <id name="REDHAT">RHSA-2011:0896</id>         
             <id name="REDHAT">RHSA-2011:0897</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.65</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.19</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/download.cgi#apache22</Solutions>      <cnnvd>CNNVD-201105-160</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的影响：mod_autoindex。 检查Web服务器配置以进行验证。 在捆绑的APR库的apr_fnmatch()函数中发现了一个缺陷。 如果启用了mod_autoindex，并且由mod_autoindex索引的目录包含名称足够长的文件，则远程攻击者可以发送精心设计的请求，这会导致CPU使用率过高。 这可以用于拒绝服务攻击。 解决方法：将 &amp;#39;IgnoreClient&amp;#39;选项设置为&amp;#39;IndexOptions&amp;#39;指令会禁用对客户端提供的请求查询参数的处理，从而防止此攻击。 解决方案：将APR更新为1.4.5版（与httpd 2.2.19捆绑在一起）或发布0.9.20版（与httpd 2.0.65捆绑在一起）</Description>      <name>Apache HTTPD:apr_fnmatch漏洞导致远程mod_autoindex拒绝 (CVE-2011-0419)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101150" id="101150" modified="2019-03-14" published="2011-08-29" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2011-10-12-3</id>         
             <id name="BID">49303</id>         
             <id name="CERT-VN">405811</id>         
             <id name="CVE">CVE-2011-3192</id>         
             <id name="OVAL">OVAL14762</id>         
             <id name="OVAL">OVAL14824</id>         
             <id name="OVAL">OVAL18827</id>         
             <id name="REDHAT">RHSA-2011:1245</id>         
             <id name="REDHAT">RHSA-2011:1294</id>         
             <id name="REDHAT">RHSA-2011:1300</id>         
             <id name="REDHAT">RHSA-2011:1329</id>         
             <id name="REDHAT">RHSA-2011:1330</id>         
             <id name="REDHAT">RHSA-2011:1369</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">69396</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.0</low>                     
                               <high inclusive="0">1.4</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.0</low>                     
                               <high inclusive="0">2.0.64</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.19</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://issues.apache.org/bugzilla/show_bug.cgi?id=51714</Solutions>      <cnnvd>CNNVD-201108-440</cnnvd>      <cvsscode>7.8</cvsscode>      <severity>Critical</severity>      <Description>以Apache HTTP服务器处理范围HTTP标头的方式发现一个漏洞。远程攻击者可利用此漏洞导致httpd通过有特制的范围标头的HTTP请求使用过量内存和CPU时间。这可用于拒绝服务攻击。咨询：CVE-2011-3192.txt</Description>      <name>apache httpd：范围标头远程拒绝服务（CVE-2011-3192）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101151" id="101151" modified="2018-01-02" published="2011-09-20" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2012-02-01-1</id>         
             <id name="BID">49616</id>         
             <id name="CVE">CVE-2011-3348</id>         
             <id name="OVAL">OVAL14941</id>         
             <id name="OVAL">OVAL18154</id>         
             <id name="REDHAT">RHSA-2011:1391</id>         
             <id name="REDHAT">RHSA-2012:0542</id>         
             <id name="REDHAT">RHSA-2012:0543</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">69804</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.12</low>                     
                               <high inclusive="0">2.2.21</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/download.cgi#apache22 
</Solutions>      <cnnvd>CNNVD-201109-225</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_ajp。审查验证您的Web服务器配置。一个漏洞被发现时mod_proxy_ajp一起与mod_proxy_balancer的使用。给定一个特定的配置，远程攻击者可发送某些格式错误的HTTP请求，将后端服务器进入错误状态，直到重试超时过期。这可能会导致暂时拒绝服务。</Description>      <name>apache httpd：mod_proxy_ajp远程拒绝服务（CVE-2011-3348）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101152" id="101152" modified="2018-04-17" published="2011-10-05" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2012-09-19-2</id>         
             <id name="BID">49957</id>         
             <id name="CVE">CVE-2011-3368</id>         
             <id name="DEBIAN">DSA-2405</id>         
             <id name="REDHAT">RHSA-2011:1391</id>         
             <id name="REDHAT">RHSA-2011:1392</id>         
             <id name="REDHAT">RHSA-2012:0542</id>         
             <id name="REDHAT">RHSA-2012:0543</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_13.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">70336</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>1.3.2</low>                     
                               <high inclusive="1">1.3.42</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.65</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch</Solutions>      <cnnvd>CNNVD-201110-052</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的影响：mod_proxy。 检查Web服务器配置以进行验证。 在反向代理模式下使用mod_proxy时发现了曝光。 在使用具有代理标志或ProxyPassMatch的RewriteRule的某些配置中，远程攻击者可能导致反向代理连接到任意服务器，可能会泄露来自内部Web服务器的敏感信息，而攻击者无法直接访问这些信息。 不会发布1.3的更新。 补丁将发布到https://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/</Description>      <name>Apache HTTPD: mod_proxy的反向代理曝光(CVE-2011-3368)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101153" id="101153" modified="2018-01-02" published="2011-11-08" version="2.0">      
        
        
        <cvss>(AV:L/AC:M/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Privilege Escalation</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2012-09-19-2</id>         
             <id name="BID">50494</id>         
             <id name="CVE">CVE-2011-3607</id>         
             <id name="DEBIAN">DSA-2405</id>         
             <id name="REDHAT">RHSA-2012:0128</id>         
             <id name="REDHAT">RHSA-2012:0542</id>         
             <id name="REDHAT">RHSA-2012:0543</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="XF">71093</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.65</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商还没有提供此漏洞的相关补丁或者升级程序，建议使用此软件的用户随时关注厂商的主页以获取最新版本： 
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/ 
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html</Solutions>      <cnnvd>CNNVD-201111-112</cnnvd>      <cvsscode>4.4</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_setenvif。审查验证您的Web服务器配置。当启用mod_setenvif模块时，发现一个整数溢出漏洞，可能会允许本地用户通过.htaccess文件获取访问权限。</Description>      <name>apache httpd：mod_setenvif.htaccess权限升级（CVE-2011-3607）</name>   </Vulnerability>   <Vulnerability added="2019-07-18" gvid="ID101154" id="101154" modified="2019-07-18" published="2011-11-30" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2011-3639</id>         
             <id name="DEBIAN">DSA-2405</id>         
             <id name="REDHAT">RHSA-2012:0128</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.0</low>                     
                               <high inclusive="0">2.0.65</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.18</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/</Solutions>      <cnnvd>CNNVD-201111-509</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if proxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers by using the HTTP/0.9 protocol with a malformed URI containing an initial @ (at sign) character.  Review your web server configuration for validation.</Description>      <name>Apache HTTPD: 当mod-proxy和mod-rewrite一起使用时可能存在模式扩展问题 (CVE-2011-3639)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101155" id="101155" modified="2018-01-02" published="2011-11-29" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2012-09-19-2</id>         
             <id name="CVE">CVE-2011-4317</id>         
             <id name="DEBIAN">DSA-2405</id>         
             <id name="REDHAT">RHSA-2012:0128</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/</Solutions>      <cnnvd>CNNVD-201111-435</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy。审查验证您的Web服务器配置。另外一个暴露问题在反向代理模式下使用mod_proxy时发现的。在使用重写规则与代理标志或ProxyPassMatch某些配置，远程攻击者可能会导致反向代理连接到任意服务器，可能披露内部Web服务器不能直接访问攻击者的敏感信息。</Description>      <name>apache httpd：mod_proxy的反向代理曝光（CVE-2011-4317）</name>   </Vulnerability>   <Vulnerability added="2019-07-18" gvid="ID101156" id="101156" modified="2019-07-18" published="2011-11-08" version="2.0">      
        
        
        <cvss>(AV:L/AC:H/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2011-4415</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.0</low>                     
                               <high inclusive="0">2.0.65</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.21</low>                     
                               <high inclusive="0">2.2.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商还没有提供此漏洞的相关补丁或者升级程序，建议使用此软件的用户随时关注厂商的主页以获取最新版本： 
http://secunia.com/advisories/45793</Solutions>      <cnnvd>CNNVD-201111-182</cnnvd>      <cvsscode>1.2</cvsscode>      <severity>Moderate</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service via a .htaccess file with a crafted SetEnvIf directive.  Review your web server configuration for validation.</Description>      <name>Apache HTTPD: 当mod-proxy和mod-rewrite一起使用时可能存在模式扩展问题 (CVE-2011-4415)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101157" id="101157" modified="2020-01-30" published="2012-01-27" version="2.0">      
        
        
        <cvss>(AV:N/AC:H/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2012-09-19-2</id>         
             <id name="CVE">CVE-2012-0021</id>         
             <id name="REDHAT">RHSA-2012:0542</id>         
             <id name="REDHAT">RHSA-2012:0543</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.17</low>                     
                               <high inclusive="0">2.2.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://svn.apache.org/viewvc?view=revision&amp;revision=1227292</Solutions>      <cnnvd>CNNVD-201201-402</cnnvd>      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_log_config。审查验证您的Web服务器配置。在mod_log_config中发现一个漏洞中。如果“％{} cookiename C&amp;#39;日志格式字符串在使用中，远程攻击者可发送导致崩溃的特定的Cookie。如果使用线程的MPM，此崩溃只会拒绝服务。</Description>      <name>apache httpd：mod_log_config崩溃（CVE-2012-0021）</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101158" id="101158" modified="2018-01-02" published="2012-01-18" version="2.0">      
        
        
        <cvss>(AV:L/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2012-09-19-2</id>         
             <id name="BID">51407</id>         
             <id name="CVE">CVE-2012-0031</id>         
             <id name="DEBIAN">DSA-2405</id>         
             <id name="REDHAT">RHSA-2012:0128</id>         
             <id name="REDHAT">RHSA-2012:0542</id>         
             <id name="REDHAT">RHSA-2012:0543</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.65</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://svn.apache.org/viewvc?view=revision&amp;revision=1230065</Solutions>      <cnnvd>CNNVD-201201-165</cnnvd>      <cvsscode>4.6</cvsscode>      <severity>Severe</severity>      <Description>一个漏洞被发现在记分牌的处理。无特权的子进程可能会导致父进程关机时崩溃，而不是彻底结束。</Description>      <name>Apache HTTPD:记分板父 DoS (CVE-2012-0031)</name>   </Vulnerability>   <Vulnerability added="2012-04-12" gvid="ID101159" id="101159" modified="2019-03-14" published="2012-01-27" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2012-09-19-2</id>         
             <id name="BID">51706</id>         
             <id name="CVE">CVE-2012-0053</id>         
             <id name="DEBIAN">DSA-2405</id>         
             <id name="REDHAT">RHSA-2012:0128</id>         
             <id name="REDHAT">RHSA-2012:0542</id>         
             <id name="REDHAT">RHSA-2012:0543</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.65</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://svn.apache.org/viewvc?view=revision&amp;revision=1235454</Solutions>      <cnnvd>CNNVD-201201-403</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>发现状态码400的默认错误响中存在一个漏洞。攻击者利用此漏洞暴露没有指定自定义ErrorDocument时的&amp;quot;httpOnly&amp;quot;缓存。</Description>      <name>apache httpd：错误反映可以暴露缓存（CVE-2012-0053）</name>   </Vulnerability>   <Vulnerability added="2012-04-30" gvid="ID101160" id="101160" modified="2018-01-02" published="2012-04-18" version="2.0">      
        
        
        <cvss>(AV:L/AC:M/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2013-09-12-1</id>         
             <id name="BID">53046</id>         
             <id name="CVE">CVE-2012-0883</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
             <id name="XF">74901</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.23</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.2</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://www.apache.org/dist/httpd/Announcement2.4.html</Solutions>      <cnnvd>CNNVD-201204-359</cnnvd>      <cvsscode>6.9</cvsscode>      <severity>Severe</severity>      <Description>发现不安全处理LD_LIBRARY_PATH可能导致当前的工作目录将被DSO搜索。如果管理员从一个不受信任的目录中运行apachectl，这可能允许本地用户作为root执行代码。</Description>      <name>Apache HTTPD:不安全的LD_LIBRARY_PATH处理 (CVE-2012-0883)</name>   </Vulnerability>   <Vulnerability added="2012-08-30" gvid="ID101161" id="101161" modified="2016-05-24" published="2012-08-22" version="2.0">      
        
        
        <cvss>(AV:N/AC:H/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2013-09-12-1</id>         
             <id name="BID">55131</id>         
             <id name="CVE">CVE-2012-2687</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061101</id>         
             <id name="IAVM">2015-A-0149</id>         
             <id name="OVAL">OVAL18832</id>         
             <id name="OVAL">OVAL19539</id>         
             <id name="REDHAT">RHSA-2012:1591</id>         
             <id name="REDHAT">RHSA-2012:1592</id>         
             <id name="REDHAT">RHSA-2012:1594</id>         
             <id name="REDHAT">RHSA-2013:0130</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.23</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.3</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201208-378</cnnvd>      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_negotiation模块。审查验证您的Web服务器配置。使用mod_negotiation模块的站点，并允许不可信上传到启用的具有多视图的位置。注意：此问题也被称为CVE-2008-0455。</Description>      <name>apache httpd：支持不可信的上传文件时，mod_negotiation模块中存在XSS漏洞（CVE-2012-2687）</name>   </Vulnerability>   <Vulnerability added="2013-03-03" gvid="ID101162" id="101162" modified="2016-12-09" published="2013-02-26" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>LDAP</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2013-09-12-1</id>         
             <id name="BID">58165</id>         
             <id name="BID">64758</id>         
             <id name="CVE">CVE-2012-3499</id>         
             <id name="DEBIAN">DSA-2637</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061101</id>         
             <id name="IAVM">2015-A-0149</id>         
             <id name="OVAL">OVAL19312</id>         
             <id name="REDHAT">RHSA-2013:0815</id>         
             <id name="REDHAT">RHSA-2013:1207</id>         
             <id name="REDHAT">RHSA-2013:1208</id>         
             <id name="REDHAT">RHSA-2013:1209</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.24</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.4</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201302-520</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_imagemap，mod_info，mod_ldap模块，mod_proxy_ftp，mod_status模块。审查验证您的Web服务器配置。由于mod_info, mod_status,mod_imagemap,mod_ldap和mod_proxy_ftp中未转义的主机名和URI HTML输出引起各种XSS漏洞。</Description>      <name>apache httpd：由于未转义的主机名引起的XSS（CVE-2012-3499）</name>   </Vulnerability>   <Vulnerability added="2012-08-30" gvid="ID101163" id="101163" modified="2013-12-05" published="2012-08-22" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:P/I:N/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Information Gathering</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">55131</id>         
             <id name="CVE">CVE-2012-3502</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.3</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201208-379</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_ajp，mod_proxy_http。审查验证您的Web服务器配置。模块mod_proxy_ajp和mod_proxy_http并不总是关闭连接到后端服务器，必要时，作为错误处理的一部分。由于用户之间的响应混乱可能导致信息泄露。</Description>      <name>apache httpd：价使用mod_proxy_ajp或mod_proxy_http响应混乱（CVE-2012-3502）</name>   </Vulnerability>   <Vulnerability added="2012-11-02" gvid="ID101164" id="101164" modified="2013-12-12" published="2012-11-02" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2012-4557</id>         
             <id name="DEBIAN">DSA-2579</id>         
             <id name="OVAL">OVAL18938</id>         
             <id name="OVAL">OVAL19284</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.12</low>                     
                               <high inclusive="0">2.2.22</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.22</Solutions>      <cnnvd>CNNVD-201211-579</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_ajp。审查验证您的Web服务器配置。当mod_proxy_ajp连接到过长响应的的后端服务器时，发现一个漏洞。给定一个特定的配置，远程攻击者可发送特定的请求，使后端服务器进入错误状态，直到重试超时。这可能会导致暂时拒绝服务。</Description>      <name>apache httpd：mod_proxy_ajp远程拒绝服务（CVE-2012-4557）</name>   </Vulnerability>   <Vulnerability added="2013-03-03" gvid="ID101165" id="101165" modified="2016-12-09" published="2013-02-26" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2013-09-12-1</id>         
             <id name="BID">58165</id>         
             <id name="BID">64758</id>         
             <id name="CVE">CVE-2012-4558</id>         
             <id name="DEBIAN">DSA-2637</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061101</id>         
             <id name="IAVM">2015-A-0149</id>         
             <id name="OVAL">OVAL18977</id>         
             <id name="REDHAT">RHSA-2013:0815</id>         
             <id name="REDHAT">RHSA-2013:1207</id>         
             <id name="REDHAT">RHSA-2013:1208</id>         
             <id name="REDHAT">RHSA-2013:1209</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.24</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.4</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201302-521</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy_balancer。审查验证您的Web服务器配置。跨站脚本漏洞影响mod_proxy_balancer的管理界面。</Description>      <name>apache httpd：mod_proxy_balancer中的XSS（CVE-2012-4558）</name>   </Vulnerability>   <Vulnerability added="2013-07-29" gvid="ID101166" id="101166" modified="2017-01-09" published="2013-06-10" version="2.0">      
        
        
        <cvss>(AV:N/AC:H/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">59826</id>         
             <id name="BID">64758</id>         
             <id name="CVE">CVE-2013-1862</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061101</id>         
             <id name="IAVM">2015-A-0149</id>         
             <id name="OVAL">OVAL18790</id>         
             <id name="OVAL">OVAL19534</id>         
             <id name="REDHAT">RHSA-2013:0815</id>         
             <id name="REDHAT">RHSA-2013:1207</id>         
             <id name="REDHAT">RHSA-2013:1208</id>         
             <id name="REDHAT">RHSA-2013:1209</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_20.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.0.35</low>                     
                               <high inclusive="0">2.0.65</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.25</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://svn.apache.org/viewvc?view=revision&amp;revision=r1469311</Solutions>      <cnnvd>CNNVD-201305-234</cnnvd>      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_rewrite。审查验证您的Web服务器配置。mod_rewrite不过滤终日志终端转义序列，这使攻击者更容易将这些序列插入含有为转义序列相关的漏洞终端模拟器。</Description>      <name>apache httpd：mod_rewrite记录转义过滤（CVE-2013-1862）</name>   </Vulnerability>   <Vulnerability added="2013-07-29" gvid="ID101167" id="101167" modified="2017-01-09" published="2013-07-10" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">61129</id>         
             <id name="CVE">CVE-2013-1896</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061101</id>         
             <id name="IAVM">2015-A-0149</id>         
             <id name="OVAL">OVAL18835</id>         
             <id name="OVAL">OVAL19747</id>         
             <id name="REDHAT">RHSA-2013:1156</id>         
             <id name="REDHAT">RHSA-2013:1207</id>         
             <id name="REDHAT">RHSA-2013:1208</id>         
             <id name="REDHAT">RHSA-2013:1209</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.25</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.6</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://www.apache.org/dist/httpd/Announcement2.2.html</Solutions>      <cnnvd>CNNVD-201307-210</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_dav。审查验证您的Web服务器配置。通过发送由mod_dav_svn处理的URI合并请求（如作为XML的一部分发送请求体），指向未配置为DAV的URI将触发段错误。</Description>      <name>apache httpd：mod_dav崩溃（CVE-2013-1896）</name>   </Vulnerability>   <Vulnerability added="2013-07-29" gvid="ID101168" id="101168" modified="2014-06-23" published="2013-07-23" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2013-2249</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.6</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://www.apache.org/dist/httpd/CHANGES_2.4.6</Solutions>      <cnnvd>CNNVD-201307-488</cnnvd>      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_session_dbd。审查验证您的Web服务器配置。mod_session_dbd中的一个漏洞导致它继续保存为一个会话操作而不考虑脏标志和一个新的会话ID的要求。</Description>      <name>apache httpd：mod_session_dbd会话固定漏洞（CVE-2013-2249）</name>   </Vulnerability>   <Vulnerability added="2014-07-18" gvid="ID101169" id="101169" modified="2014-07-28" published="2014-07-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2013-4352</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.6</low>                     
                               <high inclusive="0">2.4.7</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201407-490</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_cache。审查验证您的Web服务器配置。在mod_cache中发现一个空指针引用。一个恶意的HTTP服务器可能会导致缓存转发代理配置崩溃。 （请注意，2.4.7版本中的漏洞已被修复，但在发布时并没有揭露此安全影响。）</Description>      <name>apache httpd：mod_cache崩溃（CVE-2013-4352）</name>   </Vulnerability>   <Vulnerability added="2014-09-04" gvid="ID101170" id="101170" modified="2016-12-28" published="2014-04-15" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-04-08-2</id>         
             <id name="APPLE">APPLE-SA-2015-09-16-4</id>         
             <id name="BID">66550</id>         
             <id name="CVE">CVE-2013-5704</id>         
             <id name="REDHAT">RHSA-2015:0325</id>         
             <id name="REDHAT">RHSA-2015:1249</id>         
             <id name="REDHAT">RHSA-2015:2659</id>         
             <id name="REDHAT">RHSA-2015:2660</id>         
             <id name="REDHAT">RHSA-2015:2661</id>         
             <id name="REDHAT">RHSA-2016:0061</id>         
             <id name="REDHAT">RHSA-2016:0062</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.29</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/download.cgi</Solutions>      <cnnvd>CNNVD-201404-199</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>HTTP尾部可被用来在请求处理期间替换HTTP标头，可能撤销否则会混淆初期的检查或修改请求标头模块。此修复程序添加了＆QUOT; MergeTrailers＆QUOT;指令来恢复旧的行为</Description>      <name>Apache HTTPD: HTTP尾部处理绕过</name>   </Vulnerability>   <Vulnerability added="2014-03-19" gvid="ID101171" id="101171" modified="2016-05-24" published="2014-03-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2014-10-16-1</id>         
             <id name="APPLE">APPLE-SA-2015-04-08-2</id>         
             <id name="BID">66303</id>         
             <id name="CVE">CVE-2013-6438</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061101</id>         
             <id name="IAVM">2015-A-0149</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.27</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.9</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://www.apache.org/dist/httpd/CHANGES_2.4.9</Solutions>      <cnnvd>CNNVD-201403-332</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞的影响，只有当它运行下列模块之一：mod_dav。审查验证您的Web服务器配置。在mod_dav的XML解析代码删除前导空格时，错误地计算字符串的末位，并将一个NULL字符放入缓冲区外，导致随机崩溃。此XML解析代码只用于支持DeltaV，其中mod_dav_svn 是唯一公开发布的提供者。</Description>      <name>apache httpd：mod_dav崩溃（CVE-2013-6438）</name>   </Vulnerability>   <Vulnerability added="2014-03-19" gvid="ID101172" id="101172" modified="2015-04-15" published="2014-03-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2014-10-16-1</id>         
             <id name="APPLE">APPLE-SA-2015-04-08-2</id>         
             <id name="BID">66303</id>         
             <id name="CVE">CVE-2014-0098</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.27</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.9</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://www.apache.org/dist/httpd/CHANGES_2.4.9</Solutions>      <cnnvd>CNNVD-201403-333</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_log_config。审查验证您的Web服务器配置。在mod_log_config中发现一个漏洞。远程攻击者可发送一个特定的截断的cookie引发崩溃。如果使用线程的MPM，此崩溃只会拒绝服务。</Description>      <name>apache httpd：mod_log_config崩溃（CVE-2014-0098）</name>   </Vulnerability>   <Vulnerability added="2014-07-18" gvid="ID101173" id="101173" modified="2015-10-15" published="2014-07-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-04-08-2</id>         
             <id name="CVE">CVE-2014-0117</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.6</low>                     
                               <high inclusive="0">2.4.10</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201407-491</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_proxy。审查验证您的Web服务器配置。在mod_proxy httpd2.4.6到2.4.9版本中发现一个漏洞。远程攻击者可发送特制的请求配置为反向代理服务器，并导致子进程崩溃。这可能会导致对螺纹MPM拒绝服务。</Description>      <name>Apache HTTPD: mod_proxy的拒绝服务 (CVE-2014-0117)</name>   </Vulnerability>   <Vulnerability added="2014-07-18" gvid="ID101174" id="101174" modified="2016-05-24" published="2014-07-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-04-08-2</id>         
             <id name="BID">68745</id>         
             <id name="CVE">CVE-2014-0118</id>         
             <id name="DEBIAN">DSA-2989</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0057381</id>         
             <id name="DISA_VMSKEY">V0061101</id>         
             <id name="IAVM">2014-A-0172</id>         
             <id name="IAVM">2015-A-0149</id>         
             <id name="REDHAT">RHSA-2014:1019</id>         
             <id name="REDHAT">RHSA-2014:1020</id>         
             <id name="REDHAT">RHSA-2014:1021</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.29</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.10</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201407-492</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>仅当以下模板：mod_deflate运行时，此受影响的资产很容易受到此漏洞影响。审查验证您的Web服务器配置。在mod_deflate模块中发现一个资源消耗漏洞。如果请求主体减压进行配置（使用＆QUOT; DEFLATE＆QUOT;输入滤波器），远程攻击者可能会导致服务器消耗显著存储器和/或CPU资源。使用请求主体压缩为非常规设置</Description>      <name>Apache HTTPD: mod_deflate的拒绝服务(CVE-2014-0118)</name>   </Vulnerability>   <Vulnerability added="2014-07-18" gvid="ID101175" id="101175" modified="2016-05-27" published="2014-07-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:P/I:P/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-04-08-2</id>         
             <id name="BID">68678</id>         
             <id name="CVE">CVE-2014-0226</id>         
             <id name="DEBIAN">DSA-2989</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0057381</id>         
             <id name="DISA_VMSKEY">V0061101</id>         
             <id name="IAVM">2014-A-0172</id>         
             <id name="IAVM">2015-A-0149</id>         
             <id name="REDHAT">RHSA-2014:1019</id>         
             <id name="REDHAT">RHSA-2014:1020</id>         
             <id name="REDHAT">RHSA-2014:1021</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.29</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.10</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201407-493</cnnvd>      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_status模块。审查验证您的Web服务器配置。在mod_status模块中发现一个争用条件。攻击者能够访问公共服务器状态页使用线程化MPM可以发送可能导致堆缓冲区溢出特制的特制的请求的服务器上。需要注意的是它不是一个缺省或推荐的配置为具有公共访问的服务器状态页。</Description>      <name>apache httpd：mod_status模块缓冲区溢出（CVE-2014-0226）</name>   </Vulnerability>   <Vulnerability added="2014-07-18" gvid="ID101176" id="101176" modified="2016-05-24" published="2014-07-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-04-08-2</id>         
             <id name="BID">68742</id>         
             <id name="CVE">CVE-2014-0231</id>         
             <id name="DEBIAN">DSA-2989</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0057381</id>         
             <id name="DISA_VMSKEY">V0061101</id>         
             <id name="IAVM">2014-A-0172</id>         
             <id name="IAVM">2015-A-0149</id>         
             <id name="REDHAT">RHSA-2014:1019</id>         
             <id name="REDHAT">RHSA-2014:1020</id>         
             <id name="REDHAT">RHSA-2014:1021</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.29</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.10</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201407-494</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产很容易受到此漏洞影响，只有当它运行下列模块之一：mod_cgid。才会出现这种情况。审查验证您的Web服务器配置。在mod_cgid发现漏洞。如果使用服务器托管mod_cgid这并不会消耗标准输入CGI脚本，远程攻击者可能导致子进程无限期挂起，从而导致拒绝服务。</Description>      <name>apache httpd：mod_cgid拒绝服务（CVE-2014-0231）</name>   </Vulnerability>   <Vulnerability added="2014-07-18" gvid="ID101177" id="101177" modified="2018-01-08" published="2014-07-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">68747</id>         
             <id name="CVE">CVE-2014-3523</id>         
             <id name="REDHAT">RHSA-2016:2957</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.10</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201407-507</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>使用该平台默认的AcceptFilter时，httpd 2.4.1至2.4.9版本WINNT MPM中存在一个漏洞。远程攻击者可发送特制的请求，此请求泄漏内存并最终导致对服务器拒绝服务。</Description>      <name>apache httpd：WINNT MPM拒绝服务（CVE-2014-3523）</name>   </Vulnerability>   <Vulnerability added="2014-11-13" gvid="ID101178" id="101178" modified="2016-05-24" published="2014-10-10" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-08-13-2</id>         
             <id name="APPLE">APPLE-SA-2015-09-16-4</id>         
             <id name="BID">71656</id>         
             <id name="CVE">CVE-2014-3581</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061337</id>         
             <id name="IAVM">2015-A-0199</id>         
             <id name="REDHAT">RHSA-2015:0325</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
             <id name="XF">97027</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://svn.apache.org/viewvc?view=revision&amp;revision=1624234</Solutions>      <cnnvd>CNNVD-201410-219</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>只有运行以下任一模块：mod_cache时受影响的资产很容易受到该漏洞影响。检查你的web服务器配置验证。mod_cache中发现了一个空指针引用。一个恶意的HTTP服务器可能导致缓存转发代理配置的崩溃。如果使用螺纹MPM，该崩溃只会引起拒绝服务。</Description>      <name>Apache HTTPD: 带有空Content-Type标头的mod_cache崩溃(CVE-2014-3581)</name>   </Vulnerability>   <Vulnerability added="2014-11-13" gvid="ID101179" id="101179" modified="2017-10-03" published="2014-11-13" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-08-13-2</id>         
             <id name="APPLE">APPLE-SA-2015-09-16-4</id>         
             <id name="BID">71657</id>         
             <id name="CVE">CVE-2014-3583</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061337</id>         
             <id name="IAVM">2015-A-0199</id>         
             <id name="REDHAT">RHSA-2015:1855</id>         
             <id name="REDHAT">RHSA-2015:1858</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.10</low>                     
                               <high inclusive="0">2.4.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201412-332</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>只有运行以下任一模块：mod_cache时受影响的资产很容易受到该漏洞影响。检查你的web服务器配置验证。mod_proxy_fcgi中发现了一个界外内存读取。一个恶意的FastCGI服务器可以发送一个精心编制的反应，当读取过去的堆内存或堆栈缓冲区的结束可能导致崩溃。此问题只影响2.4.10版本。</Description>      <name>Apache HTTPD: mod_proxy_fcgi出界内存读取(CVE-2014-3583)</name>   </Vulnerability>   <Vulnerability added="2015-02-02" gvid="ID101180" id="101180" modified="2016-11-30" published="2014-12-29" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-08-13-2</id>         
             <id name="APPLE">APPLE-SA-2015-09-16-4</id>         
             <id name="BID">73040</id>         
             <id name="CVE">CVE-2014-8109</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061337</id>         
             <id name="IAVM">2015-A-0199</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.12</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://issues.apache.org/bugzilla/show_bug.cgi?id=57204</Solutions>      <cnnvd>CNNVD-201412-593</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响资产容易受到这个漏洞影响，如果它运行以下的一个模块:mod_lua。检查你的web服务器配置验证是否有此问题。当LuaAuthzProvider在多个带有不同参数的Require指令中使用时，修复了mod_lau中的Require行的处理。这可能会导致与预期不同的验证规则。</Description>      <name>Apache HTTPD: mod_lua 多个 &quot;Require&quot; 指令处理受损(CVE-2014-8109)</name>   </Vulnerability>   <Vulnerability added="2015-07-20" gvid="ID101181" id="101181" modified="2018-01-08" published="2015-03-07" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-08-13-2</id>         
             <id name="APPLE">APPLE-SA-2015-09-16-4</id>         
             <id name="BID">73041</id>         
             <id name="BID">91787</id>         
             <id name="CVE">CVE-2015-0228</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061135</id>         
             <id name="DISA_VMSKEY">V0061337</id>         
             <id name="IAVM">2015-A-0174</id>         
             <id name="IAVM">2015-A-0199</id>         
             <id name="REDHAT">RHSA-2015:1666</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.7</low>                     
                               <high inclusive="0">2.4.16</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES</Solutions>      <cnnvd>CNNVD-201503-136</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才易受此漏洞的影响：mod_lua。查看您的Web服务器配置以进行验证。发现mod_lua模块中的堆栈递归崩溃。如果恶意客户端发送精心制作的PING请求，则执行r：wsupgrade（）函数的Lua脚本可能会导致进程崩溃。 此问题影响版本2.4.7至2.4.12（含）。</Description>      <name>Apache HTTPD: mod_lua:websockets PING处理程序受损 (CVE-2015-0228)</name>   </Vulnerability>   <Vulnerability added="2015-07-20" gvid="ID101182" id="101182" modified="2018-01-08" published="2015-07-20" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-08-13-2</id>         
             <id name="APPLE">APPLE-SA-2015-09-16-4</id>         
             <id name="BID">75964</id>         
             <id name="CVE">CVE-2015-0253</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061135</id>         
             <id name="DISA_VMSKEY">V0061337</id>         
             <id name="IAVM">2015-A-0174</id>         
             <id name="IAVM">2015-A-0199</id>         
             <id name="REDHAT">RHSA-2015:1666</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.12</low>                     
                               <high inclusive="0">2.4.16</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接：， 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201507-656</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>ErrorDocument处理过程中出现崩溃。如果ErrorDocument 400配置指向一个带有INCLUDES过滤器激活的本地url路径，在处理错误时会引用一个空指针，这将导致子进程崩溃。这个问题只影响了2.4.12版本。</Description>      <name>Apache HTTPD: ErrorDocument 400处理程序崩溃(CVE-2015-0253)</name>   </Vulnerability>   <Vulnerability added="2015-07-20" gvid="ID101183" id="101183" modified="2018-01-08" published="2015-07-20" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-08-13-2</id>         
             <id name="APPLE">APPLE-SA-2015-09-16-4</id>         
             <id name="BID">75963</id>         
             <id name="BID">91787</id>         
             <id name="CVE">CVE-2015-3183</id>         
             <id name="DEBIAN">DSA-3325</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061135</id>         
             <id name="DISA_VMSKEY">V0061337</id>         
             <id name="IAVM">2015-A-0174</id>         
             <id name="IAVM">2015-A-0199</id>         
             <id name="REDHAT">RHSA-2015:1666</id>         
             <id name="REDHAT">RHSA-2015:1667</id>         
             <id name="REDHAT">RHSA-2015:1668</id>         
             <id name="REDHAT">RHSA-2015:2659</id>         
             <id name="REDHAT">RHSA-2015:2660</id>         
             <id name="REDHAT">RHSA-2015:2661</id>         
             <id name="REDHAT">RHSA-2016:0061</id>         
             <id name="REDHAT">RHSA-2016:0062</id>         
             <id name="REDHAT">RHSA-2016:2054</id>         
             <id name="REDHAT">RHSA-2016:2055</id>         
             <id name="REDHAT">RHSA-2016:2056</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.31</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.16</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://www.apache.org/dist/httpd/CHANGES_2.4</Solutions>      <cnnvd>CNNVD-201507-659</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>HTTP请求走私攻击可能是由于错误解析的分块请求。恶意客户机可能会迫使服务器误解请求长度,如果一个中介代理在使用中，允许缓存中毒或凭据劫持。</Description>      <name>Apache HTTPD: 针对块请求解析器的HTTP请求私有攻击(CVE-2015-3183)</name>   </Vulnerability>   <Vulnerability added="2015-07-20" gvid="ID101184" id="101184" modified="2018-01-08" published="2015-07-20" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="APPLE">APPLE-SA-2015-08-13-2</id>         
             <id name="APPLE">APPLE-SA-2015-09-16-2</id>         
             <id name="APPLE">APPLE-SA-2015-09-16-4</id>         
             <id name="BID">75965</id>         
             <id name="CVE">CVE-2015-3185</id>         
             <id name="DEBIAN">DSA-3325</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="DISA_VMSKEY">V0061135</id>         
             <id name="DISA_VMSKEY">V0061337</id>         
             <id name="IAVM">2015-A-0174</id>         
             <id name="IAVM">2015-A-0199</id>         
             <id name="REDHAT">RHSA-2015:1666</id>         
             <id name="REDHAT">RHSA-2015:1667</id>         
             <id name="REDHAT">RHSA-2016:2957</id>         
             <id name="REDHAT">RHSA-2017:2708</id>         
             <id name="REDHAT">RHSA-2017:2709</id>         
             <id name="REDHAT">RHSA-2017:2710</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.0</low>                     
                               <high inclusive="0">2.4.16</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://www.apache.org/dist/httpd/CHANGES_2.4</Solutions>      <cnnvd>CNNVD-201507-660</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>httpd 2.4.x版本的&amp;quot;ap_some_auth_required&amp;quot;函数中的设计错误渲染API。特别是API进行了说明，以回答如果请求需要身份验证，但只有答案，如果有需要就在适用的配置行。由于2.4.x的要求用于授权以及线，即使在没有认证是必需的且完全不受限制可以出现在配置中。这可使使用此API的模板访问在他们原本应该这样做时。 API用户应使用2.4.16版本中的新的ap_some_authn_required API。</Description>      <name>Apache HTTPD: ap_some_auth_required API不可用(CVE-2015-3185)</name>   </Vulnerability>   <Vulnerability added="2016-12-21" gvid="ID101185" id="101185" modified="2018-01-08" published="2016-12-21" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">95078</id>         
             <id name="CVE">CVE-2016-0736</id>         
             <id name="DEBIAN">DSA-3796</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="IAVM">2017-A-0010</id>         
             <id name="REDHAT">RHSA-2017:0906</id>         
             <id name="REDHAT">RHSA-2017:1161</id>         
             <id name="REDHAT">RHSA-2017:1413</id>         
             <id name="REDHAT">RHSA-2017:1414</id>         
             <id name="REDHAT">RHSA-2017:1415</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.25</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-0736</Solutions>      <cnnvd>CNNVD-201612-646</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产只有在运行以下模块之一时才容易受到此漏洞的攻击: mod_auth_digest。复查web服务器配置以进行验证。在 apache http 发布2.4.25 之前, mod_sessioncrypto 使用配置的密码加密其数据/cookie, 可能是 cbc 或 ecb 的操作模式(AES256-CBC默认),因此没有可选或内置的身份验证加密。这使得它很容易填充oracle攻击,尤其是CBC。现在添加了身份验证标记(SipHash mac)以防止此类攻击。</Description>      <name>Apache HTTPD: Apache mod_session_crypto中存在填充的Oracle (CVE-2016-0736)</name>   </Vulnerability>   <Vulnerability added="2016-05-16" gvid="ID101186" id="101186" modified="2018-01-08" published="2016-05-16" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">92331</id>         
             <id name="CVE">CVE-2016-1546</id>         
             <id name="REDHAT">RHSA-2017:1161</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.17</low>                     
                               <high inclusive="0">2.4.20</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201607-033</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅当其运行以下模块：mod_http2时才受此漏洞的影响。检查您的web服务器验证配置。通过管理流上的流程控制窗口，客户端可长时间堵塞服务器线程，从而导致工作线程饥饿。仍可打开连接但并无就连接进行处理的流。此漏洞影响对2.4.17和2.4.18版本的HTTP/2支持。</Description>      <name>Apache HTTPD: mod_http2:  线程饥饿引起的拒绝服务 (CVE-2016-1546)</name>   </Vulnerability>   <Vulnerability added="2016-12-21" gvid="ID101187" id="101187" modified="2018-01-08" published="2016-12-21" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">95076</id>         
             <id name="CVE">CVE-2016-2161</id>         
             <id name="DEBIAN">DSA-3796</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="IAVM">2017-A-0010</id>         
             <id name="REDHAT">RHSA-2017:0906</id>         
             <id name="REDHAT">RHSA-2017:1161</id>         
             <id name="REDHAT">RHSA-2017:1413</id>         
             <id name="REDHAT">RHSA-2017:1414</id>         
             <id name="REDHAT">RHSA-2017:1415</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.25</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-2161</Solutions>      <cnnvd>CNNVD-201612-647</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产只有在运行以下模块之一时才容易受到此漏洞的攻击: mod_auth_digest。复查web服务器配置以进行验证。 mod_auth_digest的恶意输入将导致服务器崩溃，且每个实例即使随后的请求有效仍然会崩溃。</Description>      <name>Apache HTTPD: mod_auth_digest的DoS漏洞 (CVE-2016-2161)</name>   </Vulnerability>   <Vulnerability added="2018-08-15" gvid="ID101188" id="101188" modified="2018-10-22" published="2018-08-15" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">105093</id>         
             <id name="CVE">CVE-2016-4975</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.32</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.25</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975</Solutions>      <cnnvd>CNNVD-201808-445</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的攻击：mod_userdir。 查看Web服务器配置以进行验证。可能的CRLF注入允许对使用mod_userdir的站点进行HTTP响应拆分攻击。 2.4.25和2.2.32中的更改禁止将CR或LF注入Location或其他出站标头密钥或值，从而缓解了此问题。</Description>      <name>Apache HTTPD：mod_userdir CRLF注入(CVE-2016-4975)</name>   </Vulnerability>   <Vulnerability added="2016-07-20" gvid="ID101189" id="101189" modified="2017-10-30" published="2016-07-06" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:P/A:N)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">91566</id>         
             <id name="CVE">CVE-2016-4979</id>         
             <id name="REDHAT">RHSA-2016:1420</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.18</low>                     
                               <high inclusive="0">2.4.23</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201607-020</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>对于使用支持 HTTP/2的配置，如果配置了，不能强制实现SSL客户端证书验证，这允许客户端在未经授权的情形下通过HTTP/2访问受保护的资源，此问题仅影响2.4.18 和2.4.20版本。</Description>      <name>Apache HTTPD: HTTP/2绕过TLS/SSL X.509客户端证书认证 (CVE-2016-4979)</name>   </Vulnerability>   <Vulnerability added="2016-07-27" gvid="ID101190" id="101190" modified="2018-04-17" published="2016-07-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:H/Au:N/C:P/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">91816</id>         
             <id name="CERT-VN">797896</id>         
             <id name="CVE">CVE-2016-5387</id>         
             <id name="DEBIAN">DSA-3623</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="IAVM">2016-B-0160</id>         
             <id name="IAVM">2017-A-0010</id>         
             <id name="REDHAT">RHSA-2016:1420</id>         
             <id name="REDHAT">RHSA-2016:1421</id>         
             <id name="REDHAT">RHSA-2016:1422</id>         
             <id name="REDHAT">RHSA-2016:1624</id>         
             <id name="REDHAT">RHSA-2016:1625</id>         
             <id name="REDHAT">RHSA-2016:1635</id>         
             <id name="REDHAT">RHSA-2016:1636</id>         
             <id name="REDHAT">RHSA-2016:1648</id>         
             <id name="REDHAT">RHSA-2016:1649</id>         
             <id name="REDHAT">RHSA-2016:1650</id>         
             <id name="REDHAT">RHSA-2016:1851</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.32</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.25</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.apache.org/security/asf-httpoxy-response.txt</Solutions>      <cnnvd>CNNVD-201607-540</cnnvd>      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <Description>HTTP_PROXY是CGI进程中定义良好的环境变量，它与许多未能避免与此CGI命名空间冲突的库冲突。 为httpd CGI环境提供缓解以避免填充&amp;quot;HTTP_PROXY&amp;quot;。 变量来自&amp;quot;Proxy:&amp;quot;标题，从未由IANA注册。 此变通方法和补丁记录在asf-httpoxy-response.txt的ASF Advisory中，并包含在2.4.25和2.2.32版本中。 注意：这没有分配httpd严重性，因为它是其他软件中的一个缺陷，它会重载已建立良好的CGI环境变量，并且不会反映HTTP服务器软件中的错误。</Description>      <name>Apache HTTPD: HTTP_PROXY环境变量&quot;httpoxy&quot;迁移(CVE-2016-5387)</name>   </Vulnerability>   <Vulnerability added="2016-12-05" gvid="ID101191" id="101191" modified="2018-01-08" published="2016-12-05" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">94650</id>         
             <id name="CVE">CVE-2016-8740</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="IAVM">2017-A-0010</id>         
             <id name="REDHAT">RHSA-2017:1161</id>         
             <id name="REDHAT">RHSA-2017:1413</id>         
             <id name="REDHAT">RHSA-2017:1414</id>         
             <id name="REDHAT">RHSA-2017:1415</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.17</low>                     
                               <high inclusive="0">2.4.25</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3</Solutions>      <cnnvd>CNNVD-201612-069</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>The HTTP/2协议实现(mod_http2)有一个对LimitRequestFields指令的不完整处理。这允许攻击者注入无限制请求头到服务器,导致最终的内存耗尽。</Description>      <name>Apache HTTPD: HTTP/2 CONTINUATION拒绝服务 (CVE-2016-8740)</name>   </Vulnerability>   <Vulnerability added="2016-12-21" gvid="ID101192" id="101192" modified="2020-01-30" published="2016-12-21" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:P/A:N)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">95077</id>         
             <id name="CVE">CVE-2016-8743</id>         
             <id name="DEBIAN">DSA-3796</id>         
             <id name="DISA_SEVERITY">Category I</id>         
             <id name="IAVM">2017-A-0010</id>         
             <id name="REDHAT">RHSA-2017:0906</id>         
             <id name="REDHAT">RHSA-2017:1161</id>         
             <id name="REDHAT">RHSA-2017:1413</id>         
             <id name="REDHAT">RHSA-2017:1414</id>         
             <id name="REDHAT">RHSA-2017:1415</id>         
             <id name="REDHAT">RHSA-2017:1721</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.32</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.25</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-8743</Solutions>      <cnnvd>CNNVD-201612-648</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>在2.4.25（2.2.32）发布之前，Apache HTTP服务器接受了来自用户代理的异常空白模式的宽泛模式，包括解析请求行和请求标题行的裸CR，FF，VTAB，以及HTAB解析请求行。请求行中存在的任何裸CR都被视为空白，并保留在请求字段成员“the_request”中，而请求头字段名中的裸CR将被视为空白，并且请求头字段值中的裸CR是保留了输入头数组。在请求行中以及在任何请求标题行的“:”分隔符之前隐含了额外的空白字符。</Description>      <name>Apache HTTPD: Apache HTTP请求解析空白格缺陷(CVE-2016-8743)</name>   </Vulnerability>   <Vulnerability added="2018-03-26" gvid="ID101193" id="101193" modified="2020-01-30" published="2018-03-26" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>LDAP</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">103512</id>         
             <id name="CVE">CVE-2017-15710</id>         
             <id name="DEBIAN">DSA-4164</id>         
             <id name="REDHAT">RHSA-2018:3558</id>         
             <id name="REDHAT">RHSA-2019:0366</id>         
             <id name="REDHAT">RHSA-2019:0367</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.33</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201710-1016</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的攻击：mod_authnz_ldap。查看Web服务器配置以进行验证。mod_authnz_ldap，如果配置了AuthLDAPCharsetConfig，则在验证用户的凭据时使用Accept-Language标头值来查找正确的字符集编码。 如果charset转换表中不存在标头值，则使用回退机制将其截断为两个字符的值以允许快速重试（例如，&amp;#39;en-US&amp;#39;被截断为&amp;#39;en&amp;#39;）。 标头值少于两个字符会强制将一个NUL字节超出限制写入不属于该字符串的内存位置。 在最坏的情况下，这个进程很可能会崩溃，可能会被用作拒绝服务攻击。 在更可能的情况下，此内存已保留供将来使用，该问题根本没有任何影响。</Description>      <name>Apache HTTPD：当使用太小的Accept-Language值时，mod_authnz_ldap中的越界写入(CVE-2017-15710)</name>   </Vulnerability>   <Vulnerability added="2018-03-26" gvid="ID101194" id="101194" modified="2020-01-30" published="2018-03-26" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:P/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">103525</id>         
             <id name="CVE">CVE-2017-15715</id>         
             <id name="DEBIAN">DSA-4164</id>         
             <id name="REDHAT">RHSA-2018:3558</id>         
             <id name="REDHAT">RHSA-2019:0366</id>         
             <id name="REDHAT">RHSA-2019:0367</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.33</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201710-1011</cnnvd>      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <Description>&amp;lt;FilesMatch&amp;gt;中指定的表达式可以将 &amp;#39;$&amp;#39; 与恶意文件名中的换行符匹配，而不是仅匹配文件名的末尾。 这可以在一些文件的上传被外部阻止的环境中被利用，但只能通过匹配文件名的尾部来实现。</Description>      <name>Apache HTTPD：&amp;lt;FilesMatch&amp;gt;绕过文件名中的尾部换行符(CVE-2017-15715)</name>   </Vulnerability>   <Vulnerability added="2017-06-20" gvid="ID101195" id="101195" modified="2018-01-08" published="2017-06-20" version="2.0">      
        
        <severity>8</severity>      
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">99135</id>         
             <id name="CVE">CVE-2017-3167</id>         
             <id name="DEBIAN">DSA-3896</id>         
             <id name="REDHAT">RHSA-2017:2478</id>         
             <id name="REDHAT">RHSA-2017:2479</id>         
             <id name="REDHAT">RHSA-2017:2483</id>         
             <id name="REDHAT">RHSA-2017:3193</id>         
             <id name="REDHAT">RHSA-2017:3194</id>         
             <id name="REDHAT">RHSA-2017:3195</id>         
             <id name="REDHAT">RHSA-2017:3475</id>         
             <id name="REDHAT">RHSA-2017:3476</id>         
             <id name="REDHAT">RHSA-2017:3477</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.34</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.26</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4@%3Cdev.httpd.apache.org%3E</Solutions>      <cnnvd>CNNVD-201706-789</cnnvd>      <name>Apache HTTPD: ap_get_basic_auth_pw() 身份驗證繞越 (CVE-2017-3167)</name>      <Description>验证阶段外的第三方模组使用ap_get_basic_auth_pw()可能会导致身份验证要求被绕越。第三方模组编写者应该使用2.2.34和2.4.26中提供的ap_get_basic_auth_components()，而不是ap_get_basic_auth_pw()。 在认证阶段呼叫传统ap_get_basic_auth_pw()的模组必须在呼叫之后立即对用户进行身份验证，否则请立即停止请求并返回错误回应，以避免错误地认证当前请求。</Description>   </Vulnerability>   <Vulnerability added="2017-06-20" gvid="ID101196" id="101196" modified="2018-01-08" published="2017-06-20" version="2.0">      
        
        <severity>8</severity>      
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">99134</id>         
             <id name="CVE">CVE-2017-3169</id>         
             <id name="DEBIAN">DSA-3896</id>         
             <id name="REDHAT">RHSA-2017:2478</id>         
             <id name="REDHAT">RHSA-2017:2479</id>         
             <id name="REDHAT">RHSA-2017:2483</id>         
             <id name="REDHAT">RHSA-2017:3193</id>         
             <id name="REDHAT">RHSA-2017:3194</id>         
             <id name="REDHAT">RHSA-2017:3195</id>         
             <id name="REDHAT">RHSA-2017:3475</id>         
             <id name="REDHAT">RHSA-2017:3476</id>         
             <id name="REDHAT">RHSA-2017:3477</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.34</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.26</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://lists.apache.org/thread.html/84bf7fcc5cad35d355f11839cbdd13cbc5ffc1d34675090bff0f96ae@%3Cdev.httpd.apache.org%3E</Solutions>      <cnnvd>CNNVD-201706-788</cnnvd>      <name>Apache HTTPD: mod_ssl Null Pointer Dereference (CVE-2017-3169)</name>      <Description>只有在运行以下模组之一的资产才易受此漏洞影响：mod_ssl。  检查您的网页伺服器配置以进行验证。  当HTTP请求期间第三方模组呼叫ap_hook_process_connection()到HTTPS端口时，mod_ssl可能会取消复引用NULL指标。</Description>   </Vulnerability>   <Vulnerability added="2017-06-20" gvid="ID101197" id="101197" modified="2018-01-08" published="2017-06-20" version="2.0">      
        
        <severity>5</severity>      
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">99132</id>         
             <id name="CVE">CVE-2017-7659</id>         
             <id name="DEBIAN">DSA-3896</id>         
             <id name="REDHAT">RHSA-2017:2483</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.25</low>                     
                               <high inclusive="0">2.4.26</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://lists.apache.org/thread.html/1d0b746bbaa3a64890fcdab59ee9050aaa633b7143e7d412374e5a9a@%3Cannounce.httpd.apache.org%3E</Solutions>      <cnnvd>CNNVD-201706-890</cnnvd>      <name>Apache HTTPD: mod_http2 Null Pointer Dereference (CVE-2017-7659)</name>      <Description>只有在运行以下模组之一的资产才易受此漏洞影响：：mod_http2。  检查您的网页伺服器配置以进行验证。  恶意构建的HTTP/2请求可能会导致mod_http2复引用NULL指标并导致伺服器程序崩溃。</Description>   </Vulnerability>   <Vulnerability added="2017-06-20" gvid="ID101198" id="101198" modified="2018-01-08" published="2017-06-20" version="2.0">      
        
        <severity>8</severity>      
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">99137</id>         
             <id name="CVE">CVE-2017-7668</id>         
             <id name="DEBIAN">DSA-3896</id>         
             <id name="REDHAT">RHSA-2017:2479</id>         
             <id name="REDHAT">RHSA-2017:2483</id>         
             <id name="REDHAT">RHSA-2017:3193</id>         
             <id name="REDHAT">RHSA-2017:3194</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.32</low>                     
                               <high inclusive="0">2.2.34</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.25</low>                     
                               <high inclusive="0">2.4.26</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://lists.apache.org/thread.html/55a068b6a5eec0b3198ae7d96a7cb412352d0ffa7716612c5af3745b@%3Cdev.httpd.apache.org%3E</Solutions>      <cnnvd>CNNVD-201706-787</cnnvd>      <name>Apache HTTPD: ap_find_token() Buffer Overread (CVE-2017-7668)</name>      <Description>2.2.32和2.4.24中添加的HTTP严格解析更改在标记列表解析中引入了一个bug，它允许ap_find_token()在其输入字串的末尾搜索。 通过恶意制造一系列请求标头，攻击者可能会导致分段错误，或强制ap_find_token()返回不正确的值。</Description>   </Vulnerability>   <Vulnerability added="2017-06-20" gvid="ID101199" id="101199" modified="2018-01-08" published="2017-06-20" version="2.0">      
        
        <severity>8</severity>      
        <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">99170</id>         
             <id name="CVE">CVE-2017-7679</id>         
             <id name="DEBIAN">DSA-3896</id>         
             <id name="REDHAT">RHSA-2017:2478</id>         
             <id name="REDHAT">RHSA-2017:2479</id>         
             <id name="REDHAT">RHSA-2017:2483</id>         
             <id name="REDHAT">RHSA-2017:3193</id>         
             <id name="REDHAT">RHSA-2017:3194</id>         
             <id name="REDHAT">RHSA-2017:3195</id>         
             <id name="REDHAT">RHSA-2017:3475</id>         
             <id name="REDHAT">RHSA-2017:3476</id>         
             <id name="REDHAT">RHSA-2017:3477</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.34</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.26</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://lists.apache.org/thread.html/f4515e580dfb6eeca589a5cdebd4c4c709ce632b12924f343c3b7751@%3Cdev.httpd.apache.org%3E</Solutions>      <cnnvd>CNNVD-201704-572</cnnvd>      <name>Apache HTTPD: mod_mime Buffer Overread (CVE-2017-7679)</name>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_mime.  检查您的网页伺服器配置以进行验证。  发送恶意Content-Type回应标头时，mod_mime可以读取缓冲区末尾的一个位元。</Description>   </Vulnerability>   <Vulnerability added="2017-07-14" gvid="ID101200" id="101200" modified="2020-01-30" published="2017-07-13" version="2.0">      
        
        <severity>6</severity>      
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">99569</id>         
             <id name="CVE">CVE-2017-9788</id>         
             <id name="DEBIAN">DSA-3913</id>         
             <id name="REDHAT">RHSA-2017:2478</id>         
             <id name="REDHAT">RHSA-2017:2479</id>         
             <id name="REDHAT">RHSA-2017:2483</id>         
             <id name="REDHAT">RHSA-2017:2708</id>         
             <id name="REDHAT">RHSA-2017:2709</id>         
             <id name="REDHAT">RHSA-2017:2710</id>         
             <id name="REDHAT">RHSA-2017:3113</id>         
             <id name="REDHAT">RHSA-2017:3114</id>         
             <id name="REDHAT">RHSA-2017:3193</id>         
             <id name="REDHAT">RHSA-2017:3194</id>         
             <id name="REDHAT">RHSA-2017:3195</id>         
             <id name="REDHAT">RHSA-2017:3239</id>         
             <id name="REDHAT">RHSA-2017:3240</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="0">2.2.34</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.27</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201706-931</cnnvd>      <name>Apache HTTPD: mod_auth_digest 中未初始化的內存反射 (CVE-2017-9788)</name>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的影响: mod_auth_digest.  检查 Web 服务器配置以进行验证.  [Proxy-]Authorization 标头中的值佔位符类型为 'Digest' 未经 mod_auth_digest 在连续的 key=value 赋值之前或之间初始化或重置. 提供没有 '=' 的初始密钥赋值可以反映先前请求使用的未初始化池内存的陈旧值, 导致潜在机密信息洩漏, 以及段错误.</Description>   </Vulnerability>   <Vulnerability added="2017-07-14" gvid="ID101201" id="101201" modified="2017-10-30" published="2017-07-13" version="2.0">      
        
        <severity>5</severity>      
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">99568</id>         
             <id name="CVE">CVE-2017-9789</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.26</low>                     
                               <high inclusive="0">2.4.27</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201706-930</cnnvd>      <name>Apache HTTPD: 在 mod_http2 中的 read after free (CVE-2017-9789)</name>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的影响: mod_http2.  检查 Web 服务器配置以进行验证.  当处于压力之下, 关闭许多连接时, HTTP/2 处理代码有时会在释放后访问内存, 从而导致潜在的不稳定行为.</Description>   </Vulnerability>   <Vulnerability added="2017-09-22" gvid="ID101202" id="101202" modified="2018-10-19" published="2017-09-18" version="2.0">      
        
        <severity>5</severity>      
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">100872</id>         
             <id name="BID">105598</id>         
             <id name="CVE">CVE-2017-9798</id>         
             <id name="DEBIAN">DSA-3980</id>         
             <id name="REDHAT">RHSA-2017:2882</id>         
             <id name="REDHAT">RHSA-2017:2972</id>         
             <id name="REDHAT">RHSA-2017:3018</id>         
             <id name="REDHAT">RHSA-2017:3113</id>         
             <id name="REDHAT">RHSA-2017:3114</id>         
             <id name="REDHAT">RHSA-2017:3193</id>         
             <id name="REDHAT">RHSA-2017:3194</id>         
             <id name="REDHAT">RHSA-2017:3195</id>         
             <id name="REDHAT">RHSA-2017:3239</id>         
             <id name="REDHAT">RHSA-2017:3240</id>         
             <id name="REDHAT">RHSA-2017:3475</id>         
             <id name="REDHAT">RHSA-2017:3476</id>         
             <id name="REDHAT">RHSA-2017:3477</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_22.html</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.2.0</low>                     
                               <high inclusive="1">2.2.34</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.28</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9</Solutions>      <cnnvd>CNNVD-201706-921</cnnvd>      <name>Apache HTTPD: 在 .htaccess 中使用 &lt;Limit &gt; 和無法識別的方法時存在 use-after-free (&quot;OptionsBleed&quot;) (CVE-2017-9798)</name>      <Description>当在 .htaccess 文件中 &lt;Limit {method}&gt; 中给出无法识别的 HTTP 方法时, .htaccess文件由相应的请求处理, 全局方法表在当前工作进程中被破坏, 导致行为不稳定. 通过在 httpd 版本 2.2.32 及更高版本中的全局 httpd.conf RegisterHttpMethod 指令中列出所有异常 HTTP 方法, 可以避免此行为. 允许其他 .htaccess 指令同时拒绝 &lt;Limit &gt; 指令, 请参阅 AllowOverrideList 指令. 源代码补丁是; http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch 注意 2.2 是产品寿命终止, 计划不再更新此修复程序. 建议用户迁移到 2.4.28 或更高版本以进行此修复和其他修复.</Description>   </Vulnerability>   <Vulnerability added="2018-09-26" gvid="ID101203" id="101203" modified="2019-02-21" published="2018-09-25" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">105414</id>         
             <id name="CVE">CVE-2018-11763</id>         
             <id name="REDHAT">RHSA-2018:3558</id>         
             <id name="REDHAT">RHSA-2019:0366</id>         
             <id name="REDHAT">RHSA-2019:0367</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.18</low>                     
                               <high inclusive="0">2.4.35</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201809-1130</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>通过发送最大大小的连续SETTINGS帧，可以保持正在进行的HTTP/2连接，并且永远不会超时。这可能会被滥用于服务器上的DoS。这仅影响已启用h2协议的服务器。</Description>      <name>Apache HTTPD：通过连续设置进行HTTP/2连接的DoS(CVE-2018-11763)</name>   </Vulnerability>   <Vulnerability added="2018-03-26" gvid="ID101204" id="101204" modified="2019-02-21" published="2018-03-26" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:S/C:N/I:P/A:N)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">103520</id>         
             <id name="CVE">CVE-2018-1283</id>         
             <id name="DEBIAN">DSA-4164</id>         
             <id name="REDHAT">RHSA-2018:3558</id>         
             <id name="REDHAT">RHSA-2019:0366</id>         
             <id name="REDHAT">RHSA-2019:0367</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.33</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201803-940</cnnvd>      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的攻击：mod_session。 查看Web服务器配置以进行验证。当mod_session配置为将其会话数据转发到CGI应用程序（SessionEnv on，而不是默认值）时，远程用户可以使用Session标头影响其内容。
这来自mod_session用于将其数据转发到CGI的HTTP_SESSION变量名，因为根据CGI规范，Apache HTTP Server也使用前缀HTTP_来传递HTTP头字段。严重性设置为“中等”，因为SessionEnv on不是默认配置，也不是常见配置，但在这种情况下应该认为更严重，因为可能存在远程利用。</Description>      <name>Apache HTTPD：篡改CGI应用程序的mod_session数据(CVE-2018-1283)</name>   </Vulnerability>   <Vulnerability added="2018-03-26" gvid="ID101205" id="101205" modified="2019-02-21" published="2018-03-26" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">103515</id>         
             <id name="CVE">CVE-2018-1301</id>         
             <id name="DEBIAN">DSA-4164</id>         
             <id name="REDHAT">RHSA-2018:3558</id>         
             <id name="REDHAT">RHSA-2019:0366</id>         
             <id name="REDHAT">RHSA-2019:0367</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.33</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201803-939</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>由于在读取HTTP标头达到大小限制后进行了越界访问，因此特制的请求可能会导致Apache HTTP Server 2.4.33之前版本崩溃。在非调试模式（日志和构建级别）中触发此漏洞非常困难，因此将其归类为常见服务器使用的低风险。</Description>      <name>Apache HTTPD：读取HTTP请求失败后可能的超出访问权限(CVE-2018-1301)</name>   </Vulnerability>   <Vulnerability added="2018-03-26" gvid="ID101206" id="101206" modified="2019-02-21" published="2018-03-26" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">103528</id>         
             <id name="CVE">CVE-2018-1302</id>         
             <id name="REDHAT">RHSA-2019:0366</id>         
             <id name="REDHAT">RHSA-2019:0367</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.17</low>                     
                               <high inclusive="0">2.4.33</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201803-938</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>当HTTP/2流在处理后被销毁时，版本2.4.33之前的Apache HTTP Server可能已经写入了一个可能已经释放的内存的NULL指针。服务器维护的内存池使得这种漏洞很难在通常的配置中触发，报告者和团队无法在调试版本之外重现它，因此它被归类为低风险。</Description>      <name>Apache HTTPD：在HTTP/2流关闭后可以自由写入(CVE-2018-1302)</name>   </Vulnerability>   <Vulnerability added="2018-03-26" gvid="ID101207" id="101207" modified="2019-02-21" published="2018-03-26" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">103522</id>         
             <id name="CVE">CVE-2018-1303</id>         
             <id name="DEBIAN">DSA-4164</id>         
             <id name="REDHAT">RHSA-2018:3558</id>         
             <id name="REDHAT">RHSA-2019:0366</id>         
             <id name="REDHAT">RHSA-2019:0367</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.6</low>                     
                               <high inclusive="0">2.4.33</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201803-937</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的攻击：mod_cache_socache。 查看Web服务器配置以进行验证。由于在准备将数据缓存在共享内存中时读取越界，特制的HTTP请求标头可能会导致Apache HTTP Server 2.4.33之前版本崩溃。可以用作针对mod_cache_socache用户的拒绝服务攻击。</Description>      <name>Apache HTTPD：mod_cache_socache中可能越界读取 (CVE-2018-1303)</name>   </Vulnerability>   <Vulnerability added="2018-03-26" gvid="ID101208" id="101208" modified="2019-07-31" published="2018-03-26" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:P/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">103524</id>         
             <id name="CVE">CVE-2018-1312</id>         
             <id name="DEBIAN">DSA-4164</id>         
             <id name="REDHAT">RHSA-2018:3558</id>         
             <id name="REDHAT">RHSA-2019:0366</id>         
             <id name="REDHAT">RHSA-2019:0367</id>         
             <id name="REDHAT">RHSA-2019:1898</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.1</low>                     
                               <high inclusive="0">2.4.33</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201803-936</cnnvd>      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的攻击：mod_auth_digest。查看Web服务器配置以进行验证。在生成HTTP摘要式身份验证质询时，使用伪随机种子未正确生成为防止回复攻击而发送的随机数。在使用常见摘要式身份验证配置的服务器群集中，攻击者可以在服务器上重放HTTP请求而无需检测。</Description>      <name>Apache HTTPD：mod_auth_digest中生成弱摘要验证随机数(CVE-2018-1312)</name>   </Vulnerability>   <Vulnerability added="2018-07-19" gvid="ID101209" id="101209" modified="2019-02-21" published="2018-07-19" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2018-1333</id>         
             <id name="REDHAT">RHSA-2018:3558</id>         
             <id name="REDHAT">RHSA-2019:0366</id>         
             <id name="REDHAT">RHSA-2019:0367</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.18</low>                     
                               <high inclusive="0">2.4.34</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接: 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201811-656</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>通过特别制定HTTP / 2请求，Worker将被分配60秒（超过必要时间），导致worker超负荷和拒绝服务。此问题仅影响已配置并启用HTTP/2支持的服务器，这不是默认设置</Description>      <name>Apache HTTPD：用于通过精心设计的请求进行HTTP/2连接的DoS (CVE-2018-1333)</name>   </Vulnerability>   <Vulnerability added="2019-01-24" gvid="ID101210" id="101210" modified="2019-12-12" published="2019-01-24" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">106685</id>         
             <id name="CVE">CVE-2018-17189</id>         
             <id name="DEBIAN">DSA-4422</id>         
             <id name="REDHAT">RHSA-2019:3932</id>         
             <id name="REDHAT">RHSA-2019:3933</id>         
             <id name="REDHAT">RHSA-2019:3935</id>         
             <id name="REDHAT">RHSA-2019:4126</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.17</low>                     
                               <high inclusive="0">2.4.38</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201901-831</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.</Description>      <name>Apache HTTPD: DoS for HTTP/2 connections via slow request bodies (CVE-2018-17189)</name>   </Vulnerability>   <Vulnerability added="2019-01-24" gvid="ID101211" id="101211" modified="2019-12-12" published="2019-01-24" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:P/A:N)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">106742</id>         
             <id name="CVE">CVE-2018-17199</id>         
             <id name="DEBIAN">DSA-4422</id>         
             <id name="REDHAT">RHSA-2019:3932</id>         
             <id name="REDHAT">RHSA-2019:3933</id>         
             <id name="REDHAT">RHSA-2019:3935</id>         
             <id name="REDHAT">RHSA-2019:4126</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.0</low>                     
                               <high inclusive="0">2.4.38</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201901-832</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_session_cookie.  Review your web server configuration for validation.  In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.</Description>      <name>Apache HTTPD: mod_session_cookie does not respect expiry time (CVE-2018-17199)</name>   </Vulnerability>   <Vulnerability added="2018-07-19" gvid="ID101212" id="101212" modified="2018-09-17" published="2018-07-18" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2018-8011</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.33</low>                     
                               <high inclusive="0">2.4.34</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011</Solutions>      <cnnvd>CNNVD-201807-1324</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>受影响的资产仅在运行以下模块之一时才容易受到此漏洞的攻击：mod_md。 查看Web服务器配置以进行验证。通过特别制作HTTP请求，mod_md质询处理程序将取消引用NULL指针并导致子进程发生段错误。 这可以用于服务器的DoS。</Description>      <name>Apache HTTPD：mod_md，DoS通过Coredumps对特制请求进行处理(CVE-2018-8011)</name>   </Vulnerability>   <Vulnerability added="2019-01-24" gvid="ID101213" id="101213" modified="2019-02-19" published="2019-01-24" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>OpenSSL</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">106743</id>         
             <id name="CVE">CVE-2019-0190</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.37</low>                     
                               <high inclusive="0">2.4.38</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201901-833</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_ssl.  Review your web server configuration for validation.  A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service.  This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.</Description>      <name>Apache HTTPD: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1 (CVE-2019-0190)</name>   </Vulnerability>   <Vulnerability added="2019-04-02" gvid="ID101214" id="101214" modified="2019-11-22" published="2019-04-02" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">107669</id>         
             <id name="CVE">CVE-2019-0196</id>         
             <id name="DEBIAN">DSA-4422</id>         
             <id name="REDHAT">RHSA-2019:3932</id>         
             <id name="REDHAT">RHSA-2019:3933</id>         
             <id name="REDHAT">RHSA-2019:3935</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.17</low>                     
                               <high inclusive="0">2.4.39</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201904-040</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_http2.  Review your web server configuration for validation.  Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly.</Description>      <name>Apache HTTPD: mod_http2, read-after-free on a string compare (CVE-2019-0196)</name>   </Vulnerability>   <Vulnerability added="2019-04-02" gvid="ID101215" id="101215" modified="2019-11-22" published="2019-04-02" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:S/C:N/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">107665</id>         
             <id name="CVE">CVE-2019-0197</id>         
             <id name="REDHAT">RHSA-2019:3932</id>         
             <id name="REDHAT">RHSA-2019:3933</id>         
             <id name="REDHAT">RHSA-2019:3935</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.34</low>                     
                               <high inclusive="0">2.4.39</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201904-041</cnnvd>      <cvsscode>4.9</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_http2.  Review your web server configuration for validation.  When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for https: and did not configure the &amp;quot;H2Upgrade on&amp;quot; is unaffected by this.</Description>      <name>Apache HTTPD:mod_http2, 可能在后期升级时崩溃(CVE-2019-0197)</name>   </Vulnerability>   <Vulnerability added="2019-04-02" gvid="ID101216" id="101216" modified="2019-06-20" published="2019-04-02" version="2.0">      
        
        
        <cvss>(AV:L/AC:L/Au:N/C:C/I:C/A:C)</cvss>      
        <cvss3>CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Privilege Escalation</tag>         
             <tag>Remote Execution</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">107666</id>         
             <id name="CVE">CVE-2019-0211</id>         
             <id name="DEBIAN">DSA-4422</id>         
             <id name="REDHAT">RHBA-2019:0959</id>         
             <id name="REDHAT">RHSA-2019:0746</id>         
             <id name="REDHAT">RHSA-2019:0980</id>         
             <id name="REDHAT">RHSA-2019:1296</id>         
             <id name="REDHAT">RHSA-2019:1297</id>         
             <id name="REDHAT">RHSA-2019:1543</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.17</low>                     
                               <high inclusive="0">2.4.39</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201904-042</cnnvd>      <cvsscode>7.2</cvsscode>      <severity>Severe</severity>      <Description>In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.</Description>      <name>Apache HTTPD: Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211)</name>   </Vulnerability>   <Vulnerability added="2019-04-02" gvid="ID101217" id="101217" modified="2019-05-09" published="2019-04-02" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:S/C:P/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">107667</id>         
             <id name="CVE">CVE-2019-0215</id>         
             <id name="REDHAT">RHSA-2019:0980</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.37</low>                     
                               <high inclusive="0">2.4.39</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201904-047</cnnvd>      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_ssl.  Review your web server configuration for validation.  In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.</Description>      <name>Apache HTTPD:mod_ssl访问控制旁路(CVE-2019-0215)</name>   </Vulnerability>   <Vulnerability added="2019-04-02" gvid="ID101218" id="101218" modified="2019-12-12" published="2019-04-02" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:S/C:P/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">107668</id>         
             <id name="CVE">CVE-2019-0217</id>         
             <id name="DEBIAN">DSA-4422</id>         
             <id name="REDHAT">RHSA-2019:2343</id>         
             <id name="REDHAT">RHSA-2019:3436</id>         
             <id name="REDHAT">RHSA-2019:3932</id>         
             <id name="REDHAT">RHSA-2019:3933</id>         
             <id name="REDHAT">RHSA-2019:3935</id>         
             <id name="REDHAT">RHSA-2019:4126</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.0</low>                     
                               <high inclusive="0">2.4.39</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201904-044</cnnvd>      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_auth_digest.  Review your web server configuration for validation.  In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.</Description>      <name>Apache HTTPD:mod_auth_digest访问控制旁路(CVE-2019-0217)</name>   </Vulnerability>   <Vulnerability added="2019-04-02" gvid="ID101219" id="101219" modified="2020-02-03" published="2019-04-02" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:N)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="BID">107670</id>         
             <id name="CVE">CVE-2019-0220</id>         
             <id name="DEBIAN">DSA-4422</id>         
             <id name="REDHAT">RHSA-2019:2343</id>         
             <id name="REDHAT">RHSA-2019:3436</id>         
             <id name="REDHAT">RHSA-2019:4126</id>         
             <id name="REDHAT">RHSA-2020:0250</id>         
             <id name="REDHAT">RHSA-2020:0251</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.0</low>                     
                               <high inclusive="0">2.4.39</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201904-043</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>When the path component of a request URL contains multiple consecutive slashes (&amp;#39;/&amp;#39;), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.</Description>      <name>Apache HTTPD:Apache httpd URL规范化不一致(CVE-2019-0220)</name>   </Vulnerability>   <Vulnerability added="2019-08-16" gvid="ID101220" id="101220" modified="2020-01-30" published="2019-08-16" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2019-10081</id>         
             <id name="DEBIAN">DSA-4509</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.20</low>                     
                               <high inclusive="0">2.4.41</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201908-1098</cnnvd>      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_http2.  Review your web server configuration for validation.  HTTP/2 very early pushes, for example configured with &amp;quot;H2PushResource&amp;quot;, could lead to an overwrite of memory in the pushing request&amp;#39;s pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.</Description>      <name>Apache HTTPD : mod_http2，早期推送时内存损坏(CVE-2019-10081)</name>   </Vulnerability>   <Vulnerability added="2019-08-16" gvid="ID101221" id="101221" modified="2019-10-01" published="2019-08-16" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:P/I:N/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2019-10082</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.18</low>                     
                               <high inclusive="0">2.4.41</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201908-1143</cnnvd>      <cvsscode>6.4</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_http2.  Review your web server configuration for validation.  Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.</Description>      <name>Apache HTTPD : mod_http2，在h2连接关闭时自由读取(CVE-2019-10082)</name>   </Vulnerability>   <Vulnerability added="2019-08-16" gvid="ID101222" id="101222" modified="2019-12-12" published="2019-08-16" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:N/I:P/A:N)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
             <tag>XSS</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2019-10092</id>         
             <id name="REDHAT">RHSA-2019:4126</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.0</low>                     
                               <high inclusive="0">2.4.41</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201908-1144</cnnvd>      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_proxy.  Review your web server configuration for validation.  A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malfomed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. We have taken this opportunity to also remove request data from many other in-built error messages.  Note however this issue did not affect them directly and their output was already escaped to prevent cross-site scripting attacks.</Description>      <name>Apache HTTPD : mod_proxy错误页面中有限的跨站点脚本(CVE-2019-10092)</name>   </Vulnerability>   <Vulnerability added="2019-08-16" gvid="ID101223" id="101223" modified="2019-12-12" published="2019-08-16" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:S/C:P/I:P/A:P)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2019-10097</id>         
             <id name="REDHAT">RHSA-2019:4126</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.33</low>                     
                               <high inclusive="0">2.4.41</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201908-1141</cnnvd>      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_remoteip.  Review your web server configuration for validation.  When mod_remoteip was configured to use a trusted intermediary proxy server using the &amp;quot;PROXY&amp;quot; protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.</Description>      <name>Apache HTTPD : CVE-2019-10097 mod_remoteip : 堆栈缓冲区溢出和NULL指针解除引用(CVE-2019-10097)</name>   </Vulnerability>   <Vulnerability added="2019-08-16" gvid="ID101224" id="101224" modified="2019-10-01" published="2019-08-16" version="2.0">      
        
        
        <cvss>(AV:N/AC:M/Au:N/C:P/I:P/A:N)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CVE">CVE-2019-10098</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.0</low>                     
                               <high inclusive="0">2.4.41</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
http://httpd.apache.org/security/vulnerabilities_24.html</Solutions>      <cnnvd>CNNVD-201908-1142</cnnvd>      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_rewrite.  Review your web server configuration for validation.  Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.</Description>      <name>Apache HTTPD : mod_rewrite潜在的开放重定向(CVE-2019-10098)</name>   </Vulnerability>   <Vulnerability added="2019-08-16" gvid="ID101225" id="101225" modified="2019-11-22" published="2019-08-13" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:C)</cvss>      
        <cvss3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</cvss3>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Denial of Service</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="CERT-VN">605641</id>         
             <id name="CVE">CVE-2019-9517</id>         
             <id name="DEBIAN">DSA-4509</id>         
             <id name="REDHAT">RHSA-2019:2893</id>         
             <id name="REDHAT">RHSA-2019:2925</id>         
             <id name="REDHAT">RHSA-2019:2939</id>         
             <id name="REDHAT">RHSA-2019:2946</id>         
             <id name="REDHAT">RHSA-2019:2949</id>         
             <id name="REDHAT">RHSA-2019:2950</id>         
             <id name="REDHAT">RHSA-2019:2955</id>         
             <id name="REDHAT">RHSA-2019:3932</id>         
             <id name="REDHAT">RHSA-2019:3933</id>         
             <id name="REDHAT">RHSA-2019:3935</id>         
             <id name="URL">http://httpd.apache.org/security/vulnerabilities_24.html</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                <Product name="HTTPD" vendor="Apache">               
                     <version>                  
                          <range>                     
                               <low>2.4.20</low>                     
                               <high inclusive="0">2.4.41</high>                     
                          </range>                  
                     </version>               
                </Product>            
           </NetworkService>      </Check>      <Solutions>目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： 
https://http2.github.io/</Solutions>      <cnnvd>CNNVD-201908-943</cnnvd>      <cvsscode>7.8</cvsscode>      <severity>Critical</severity>      <Description>The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_http2.  Review your web server configuration for validation.  A malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections.</Description>      <name>Apache HTTPD : mod_http2，通过耗尽h2工作人员的DoS攻击。 (CVE-2019-9517)</name>   </Vulnerability>   <Vulnerability added="2010-08-26" gvid="ID101226" id="101226" modified="2017-12-19" published="2010-02-02" version="2.0">      
        
        
        <cvss>(AV:N/AC:L/Au:N/C:C/I:C/A:C)</cvss>      
        <Tags>         
             <tag>Apache</tag>         
             <tag>Apache HTTP Server</tag>         
             <tag>Obsolete Software</tag>         
             <tag>Web</tag>         
        </Tags>      
        <AlternateIds>         
             <id name="URL">https://en.wikipedia.org/wiki/Apache_HTTP_Server</id>         
             <id name="URL">https://httpd.apache.org</id>         
        </AlternateIds>      
        
        
      <Check scope="endpoint">         <NetworkService type="HTTP|HTTPS">            
                  <Product name="HTTPD" vendor="Apache">               
                        <version>                  <range>                     <low>1.3</low>                     <high>2.4</high>                  </range>               </version>               
                  </Product>            
            </NetworkService>      </Check>      <Solutions>目前厂商还没有提供此漏洞的相关补丁或者升级程序，建议使用此软件的用户随时关注厂商的主页以获取最新版本： 
https://www.alice-dsl.de/</Solutions>      <cnnvd></cnnvd>      <cvsscode>10.0</cvsscode>      <severity>Critical</severity>      <Description>较早版本的Apache HTTPD（在2.4.X之前）不再正式支持。 这些版本可能存在未报告的漏洞。 应该升级到最新版本来减轻这些未知风险。</Description>      <name>过时的Apache httpd版本</name>   </Vulnerability></Vulns>