CVE-2011-3639: Input Validation

First published: Tue Nov 08 2011(Updated: )

SUSE reported that upstream patch for <a href="https://access.redhat.com/security/cve/CVE-2011-3368">CVE-2011-3368</a> (<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2011-3368 httpd: reverse web proxy vulnerability" href="show_bug.cgi?id=740045">bug #740045</a>), when applied to httpd versions before 2.2.18, does not completely address the issue, when attacker sends HTTP 0.9 requests:: <a href="https://bugzilla.novell.com/show_bug.cgi?id=722545#c15">https://bugzilla.novell.com/show_bug.cgi?id=722545#c15</a> <a href="http://thread.gmane.org/gmane.comp.apache.devel/45978">http://thread.gmane.org/gmane.comp.apache.devel/45978</a> <a href="http://thread.gmane.org/gmane.comp.security.oss.general/6102">http://thread.gmane.org/gmane.comp.security.oss.general/6102</a> The fix has been created upstream and committed to trunk: <a href="http://thread.gmane.org/gmane.comp.apache.devel/45978/focus=45979">http://thread.gmane.org/gmane.comp.apache.devel/45978/focus=45979</a> <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1188745">http://svn.apache.org/viewvc?view=revision&amp;revision=1188745</a> Upstream also confirmed this additional fix is not required for httpd versions 2.2.18 and later: <a href="http://thread.gmane.org/gmane.comp.apache.devel/45978/focus=45983">http://thread.gmane.org/gmane.comp.apache.devel/45978/focus=45983</a> <a href="http://thread.gmane.org/gmane.comp.apache.devel/45978/focus=45985">http://thread.gmane.org/gmane.comp.apache.devel/45978/focus=45985</a>

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-historical
• collector/nvd-index
• agent/references
• agent/type
• agent/softwarecombine
• agent/first-publish-date
• collector/mitre-cve
• source/MITRE
• agent/severity
• agent/author
• agent/last-modified-date
• agent/weakness
• agent/description
• agent/tags
• agent/event
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2011-3639
• vendor/apache
• canonical/apache http server
• version/apache http server/2.0.42
• version/apache http server/2.0.58
• version/apache http server/2.2.11
• version/apache http server/2.2.0
• version/apache http server/2.2.10
• version/apache http server/2.2.13
• version/apache http server/2.0.47
• version/apache http server/2.0.56
• version/apache http server/2.0.50
• version/apache http server/2.0.27
• version/apache http server/2.2.2
• version/apache http server/2.0.12
• version/apache http server/2.0.20
• canonical/apache http server2.0a9
• version/apache http server/2.2.4
• version/apache http server/2.0.35
• version/apache http server/2.0.37
• version/apache http server/2.0.55
• version/apache http server/2.2.17
• version/apache http server/2.0.44
• version/apache http server/2.2.16
• version/apache http server/2.0.39
• version/apache http server/2.0.18
• version/apache http server/2.0.25
• version/apache http server/2.2.8
• version/apache http server/2.0.52
• canonical/apache http server2.0a7
• version/apache http server/2.0.21
• version/apache http server/2.0.53
• version/apache http server/2.0.57
• version/apache http server/2.0.51
• version/apache http server/2.0.33
• version/apache http server/2.0.17
• version/apache http server/2.0.63
• version/apache http server/2.2.14
• version/apache http server/2.0.22
• version/apache http server/2.0.15
• version/apache http server/2.0.41
• version/apache http server/2.0.49
• version/apache http server/2.0.29
• version/apache http server/2.0.26
• canonical/apache http server2.0a8
• version/apache http server/2.0.23
• canonical/apache http server2.0a2
• version/apache http server/2.0.61
• version/apache http server/2.2.6
• version/apache http server/2.0.32
• version/apache http server/2.0.34
• canonical/apache http server2.0a5
• canonical/apache http server2.0a3
• version/apache http server/2.0.38
• version/apache http server/2.0.19
• version/apache http server/2.2.9
• canonical/apache http server2.0a4
• version/apache http server/2.0.24
• version/apache http server/2.0.48
• version/apache http server/2.0.16
• version/apache http server/2.0.45
• version/apache http server/2.2.12
• version/apache http server/2.0.40
• version/apache http server/2.0.36
• canonical/apache http server2.0a6
• version/apache http server/2.2.3
• version/apache http server/2.0.46
• version/apache http server/2.0.54
• version/apache http server/2.2.15
• version/apache http server/2.0.43
• version/apache http server/2.0.11
• version/apache http server/2.0.59
• version/apache http server/2.0.14
• version/apache http server/2.0.28
• version/apache http server/2.0.31
• canonical/apache http server2.0a1
• version/apache http server/2.0.30
• version/apache http server/2.2.1
• version/apache http server/2.0.13