New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Apache2 updated to fix four security issues and one non-security bug.

The following vulnerabilities have been fixed :

  - mod_headers rules could be bypassed via chunked     requests. Adds 'MergeTrailers' directive to restore     legacy behavior. (bsc#871310, CVE-2013-5704)

  - An empty value in Content-Type could lead to a crash     through a null pointer dereference and a denial of     service. (bsc#899836, CVE-2014-3581)

  - Remote attackers could bypass intended access     restrictions in mod_lua LuaAuthzProvider when multiple     Require directives with different arguments are used.
    (bsc#909715, CVE-2014-8109)

  - Remote attackers could cause a denial of service     (child-process crash) by sending a crafted WebSocket     Ping frame after a Lua script has called the wsupgrade     function. (bsc#918352, CVE-2015-0228)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.12. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in module mod_headers that can allow HTTP     trailers to replace HTTP headers late during request     processing, which a remote attacker can exploit to     inject arbitrary headers. This can also cause some     modules to function incorrectly or appear to function     incorrectly. (CVE-2013-5704)

  - A NULL pointer dereference flaw exists in module     mod_cache. A remote attacker, using an empty HTTP     Content-Type header, can exploit this vulnerability to     crash a caching forward proxy configuration, resulting     in a denial of service if using a threaded MPM.
    (CVE-2014-3581)

  - A out-of-bounds memory read flaw exists in module     mod_proxy_fcgi. An attacker, using a remote FastCGI     server to send long response headers, can exploit this     vulnerability to cause a denial of service by causing     a buffer over-read. (CVE-2014-3583)

  - A flaw exists in module mod_lua when handling a     LuaAuthzProvider used in multiple Require directives     with different arguments. An attacker can exploit this     vulnerability to bypass intended access restrictions.
    (CVE-2014-8109)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. (CVE-2014-8109)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
(CVE-2013-5704)

A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled.
(CVE-2014-3581)

The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers. (CVE-2014-3583)

Update to new version 2.4.12.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version MAIN 6.06, has httpd packages installed that are affected by multiple vulnerabilities:

  - Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap     memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and     prior versions. (CVE-2022-23943)

  - The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass RequestHeader     unset directives by placing a header in the trailer portion of data sent with chunked transfer coding.
    NOTE: the vendor states this is not a security issue in httpd as such. (CVE-2013-5704)

  - The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache     HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference     and application crash) via an empty HTTP Content-Type header. (CVE-2014-3581)

  - The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server     2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via     long response headers. (CVE-2014-3583)

  - mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua authorization provider is used with different arguments     within different contexts, which allows remote attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a certain directory, and authorization for a second     group to access a second directory. (CVE-2014-8109)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in Apache HTTP Server 2.4.0     to 2.4.38. When the path component of a request URL     contains multiple consecutive slashes ('/'), directives     such as LocationMatch and RewriteRule must account for     duplicates in regular expressions while other aspects     of the servers processing will implicitly collapse     them.(CVE-2019-0220)

  - A specially crafted request could have crashed the     Apache HTTP Server prior to version 2.4.30, due to an     out of bound access after a size limit is reached by     reading the HTTP header. This vulnerability is     considered very hard if not impossible to trigger in     non-debug mode (both log and build level), so it is     classified as low risk for common server     usage.(CVE-2018-1301)

  - In Apache httpd 2.4.0 to 2.4.29, when mod_session is     configured to forward its session data to CGI     applications (SessionEnv on, not the default), a remote     user may influence their content by using a 'Session'     header. This comes from the 'HTTP_SESSION' variable     name used by mod_session to forward its data to CGIs,     since the prefix 'HTTP_' is also used by the Apache     HTTP Server to pass HTTP header fields, per CGI     specifications.(CVE-2018-1283)

  - mod_lua.c in the mod_lua module in the Apache HTTP     Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua     authorization provider is used with different arguments     within different contexts, which allows remote     attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple     Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a     certain directory, and authorization for a second group     to access a second directory.(CVE-2014-8109)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the httpd packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in Apache HTTP Server 2.4.0     to 2.4.38. When the path component of a request URL     contains multiple consecutive slashes ('/'), directives     such as LocationMatch and RewriteRule must account for     duplicates in regular expressions while other aspects     of the servers processing will implicitly collapse     them.(CVE-2019-0220)

  - A specially crafted request could have crashed the     Apache HTTP Server prior to version 2.4.30, due to an     out of bound access after a size limit is reached by     reading the HTTP header. This vulnerability is     considered very hard if not impossible to trigger in     non-debug mode (both log and build level), so it is     classified as low risk for common server     usage.(CVE-2018-1301)

  - In Apache httpd 2.4.0 to 2.4.29, when mod_session is     configured to forward its session data to CGI     applications (SessionEnv on, not the default), a remote     user may influence their content by using a 'Session'     header. This comes from the 'HTTP_SESSION' variable     name used by mod_session to forward its data to CGIs,     since the prefix 'HTTP_' is also used by the Apache     HTTP Server to pass HTTP header fields, per CGI     specifications.(CVE-2018-1283)

  - mod_lua.c in the mod_lua module in the Apache HTTP     Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua     authorization provider is used with different arguments     within different contexts, which allows remote     attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple     Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a     certain directory, and authorization for a second group     to access a second directory.(CVE-2014-8109)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2523-1 advisory.

    Martin Holst Swende discovered that the mod_headers module allowed HTTP trailers to replace HTTP headers     during request processing. A remote attacker could possibly use this issue to bypass RequestHeaders     directives. (CVE-2013-5704)

    Mark Montague discovered that the mod_cache module incorrectly handled empty HTTP Content-Type headers. A     remote attacker could use this issue to cause the server to stop responding, leading to a denial of     service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-3581)

    Teguh P. Alko discovered that the mod_proxy_fcgi module incorrectly handled long response headers. A     remote attacker could use this issue to cause the server to stop responding, leading to a denial of     service. This issue only affected Ubuntu 14.10. (CVE-2014-3583)

    It was discovered that the mod_lua module incorrectly handled different arguments within different     contexts. A remote attacker could possibly use this issue to bypass intended access restrictions. This     issue only affected Ubuntu 14.10. (CVE-2014-8109)

    Guido Vranken discovered that the mod_lua module incorrectly handled a specially crafted websocket PING in     certain circumstances. A remote attacker could possibly use this issue to cause the server to stop     responding, leading to a denial of service. This issue only affected Ubuntu 14.10. (CVE-2015-0228)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated apache packages fix security vulnerabilities :

Apache HTTPD before 2.4.9 was vulnerable to a denial of service in mod_dav when handling DAV_WRITE requests (CVE-2013-6438).

Apache HTTPD before 2.4.9 was vulnerable to a denial of service when logging cookies (CVE-2014-0098).

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the apache user (CVE-2014-0226).

A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash (CVE-2014-0117).

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the DEFLATE input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system (CVE-2014-0118).

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely (CVE-2014-0231).

A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled (CVE-2014-3581).

mod_lua.c in the mod_lua module in the Apache HTTP Server through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory (CVE-2014-8109).

In the mod_lua module in the Apache HTTP Server through 2.4.10, a maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash (CVE-2015-0228).

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers (CVE-2013-5704).

Note: With this update, httpd has been modified to not merge HTTP Trailer headers with other HTTP request headers. A newly introduced configuration directive MergeTrailers can be used to re-enable the old method of processing Trailer headers, which also re-introduces the aforementioned flaw.

This update also fixes the following bug :

Prior to this update, the mod_proxy_wstunnel module failed to set up an SSL connection when configured to use a back end server using the wss: URL scheme, causing proxied connections to fail. In these updated packages, SSL is used when proxying to wss: back end servers (rhbz#1141950).

According to the versions of the httpd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in Apache HTTP Server 2.4.0     to 2.4.38. When the path component of a request URL     contains multiple consecutive slashes ('/'), directives     such as LocationMatch and RewriteRule must account for     duplicates in regular expressions while other aspects     of the servers processing will implicitly collapse     them.(CVE-2019-0220)

  - A specially crafted request could have crashed the     Apache HTTP Server prior to version 2.4.30, due to an     out of bound access after a size limit is reached by     reading the HTTP header. This vulnerability is     considered very hard if not impossible to trigger in     non-debug mode (both log and build level), so it is     classified as low risk for common server     usage.(CVE-2018-1301)

  - In Apache httpd 2.4.0 to 2.4.29, when mod_session is     configured to forward its session data to CGI     applications (SessionEnv on, not the default), a remote     user may influence their content by using a 'Session'     header. This comes from the 'HTTP_SESSION' variable     name used by mod_session to forward its data to CGIs,     since the prefix 'HTTP_' is also used by the Apache     HTTP Server to pass HTTP header fields, per CGI     specifications.(CVE-2018-1283)

  - mod_lua.c in the mod_lua module in the Apache HTTP     Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua     authorization provider is used with different arguments     within different contexts, which allows remote     attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple     Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a     certain directory, and authorization for a second group     to access a second directory.(CVE-2014-8109)

  - In Apache HTTP server 2.4.0 to 2.4.39, Redirects     configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines     and redirect instead to an unexpected URL within the     request URL.(CVE-2019-10098)

  - In Apache HTTP Server 2.4.0-2.4.39, a limited     cross-site scripting issue was reported affecting the     mod_proxy error page. An attacker could cause the link     on the error page to be malformed and instead point to     a page of their choice. This would only be exploitable     where a server was set up with proxying enabled but was     misconfigured in such a way that the Proxy Error page     was displayed.(CVE-2019-10092)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua authorization provider is used with different arguments     within different contexts, which allows remote attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a certain directory, and authorization for a second     group to access a second directory. (CVE-2014-8109)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-006. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - CoreText
  - FontParser
  - Libinfo
  - libxml2
  - OpenSSL
  - perl
  - PostgreSQL
  - QL Office
  - Quartz Composer Framework
  - QuickTime 7
  - SceneKit

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote Mac OS X host has a version of OS X Server installed that is prior to 5.0.3. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in the mod_headers module that allows HTTP     trailers to replace HTTP headers late during request     processing. A remote attacker can exploit this to inject     arbitrary headers. This can also cause some modules to     function incorrectly or appear to function incorrectly.
    (CVE-2013-5704)

  - A privilege escalation vulnerability exists due to the     'make check' command not properly invoking initdb to     specify authentication requirements for a database     cluster to be used for tests. A local attacker can     exploit this issue to gain temporary server access and     elevated privileges. (CVE-2014-0067)

  - A NULL pointer dereference flaw exists in module     mod_cache. A remote attacker, using an empty HTTP     Content-Type header, can exploit this vulnerability to     crash a caching forward proxy configuration, resulting     in a denial of service if using a threaded MPM.
    (CVE-2014-3581)

  - A out-of-bounds memory read flaw exists in module     mod_proxy_fcgi. An attacker, using a remote FastCGI     server to send long response headers, can exploit this     vulnerability to cause a denial of service by causing     a buffer over-read. (CVE-2014-3583)

  - A flaw exists in module mod_lua when handling a     LuaAuthzProvider used in multiple Require directives     with different arguments. An attacker can exploit this     vulnerability to bypass intended access restrictions.
    (CVE-2014-8109)

  - An information disclosure vulnerability exists due to     improper handling of restricted column values in     constraint-violation error messages. An authenticated,     remote attacker can exploit this to gain access to     sensitive information. (CVE-2014-8161)

  - A flaw exists within the Domain Name Service due to an     error in the code used to follow delegations. A remote     attacker, with a maliciously-constructed zone or query,     can cause the service to issue unlimited queries,     resulting in resource exhaustion. (CVE-2014-8500)

  - A flaw exists in the lua_websocket_read() function in     the 'mod_lua' module due to incorrect handling of     WebSocket PING frames. A remote attacker can exploit     this, by sending a crafted WebSocket PING frame after a     Lua script has called the wsupgrade() function, to crash     a child process, resulting in a denial of service     condition. (CVE-2015-0228)

  - Multiple vulnerabilities exist due to several buffer     overflow errors related to the 'to_char' functions. An     authenticated, remote attacker can exploit these issues     to cause a denial of service or arbitrary code     execution. (CVE-2015-0241)

  - Multiple vulnerabilities exist due to several     stack-based buffer overflow errors in various *printf()     functions. The overflows are due to improper validation     of user-supplied input when formatting a floating point     number where the requested precision is greater than     approximately 500. An authenticated, remote attacker     can exploit these issues to cause a denial of service or     arbitrary code execution. (CVE-2015-0242)

  - Multiple vulnerabilities exist due to an overflow     condition in multiple functions in the 'pgcrypto'     extension. The overflows are due to improper validation     of user-supplied input when tracking memory sizes. An     authenticated, remote attacker can exploit these issues     to cause a denial of service or arbitrary code     execution. (CVE-2015-0243)

  - A SQL injection vulnerability exists due to improper     sanitization of user-supplied input when handling     crafted binary data within a command parameter. An     authenticated, remote attacker can exploit this issue     to inject or manipulate SQL queries, allowing the     manipulation or disclosure of arbitrary data.
    (CVE-2015-0244)

  - A NULL pointer dereference flaw exists in the     read_request_line() function due to a failure to     initialize the protocol structure member. A remote     attacker can exploit this flaw, on installations that     enable the INCLUDES filter and has an ErrorDocument 400     directive specifying a local URI, by sending a request     that lacks a method, to cause a denial of service     condition. (CVE-2015-0253)

  - A denial of service vulnerability exists due to an error     relating to DNSSEC validation and the managed-keys     feature. A remote attacker can trigger an incorrect     trust-anchor management scenario in which no key is     ready for use, resulting in an assertion failure and     daemon crash. (CVE-2015-1349)

  - A flaw exists in PostgreSQL client disconnect timeout     expiration that is triggered when a timeout interrupt     is fired partway through the session shutdown sequence.     (CVE-2015-3165)

  - A flaw exists in the printf() functions due to a failure     to check for errors. A remote attacker can use this to     gain access to sensitive information. (CVE-2015-3166)

  - The pgcrypto component in PostgreSQL has multiple error     messages for decryption with an incorrect key. A remote     attacker can use this to recover keys from other     systems. (CVE-2015-3167)

  - A flaw exists in the chunked transfer coding     implementation due to a failure to properly parse chunk     headers. A remote attacker can exploit this to conduct     HTTP request smuggling attacks. (CVE-2015-3183)

  - A flaw exists in the ap_some_auth_required() function     due to a failure to consider that a Require directive     may be associated with an authorization setting rather     than an authentication setting. A remote attacker can     exploit this, if a module that relies on the 2.2 API     behavior exists, to bypass intended access restrictions.
    (CVE-2015-3185)

  - Multiple unspecified XML flaws exist in the Wiki Server     based on Twisted. (CVE-2015-5911)

Apache HTTP SERVER PROJECT reports : mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with response headers' size above 8K.

mod_cache: Avoid a crash when Content-Type has an empty value. PR 56924.

mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments. PR57204.

core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds 'MergeTrailers' directive to restore legacy behavior.

The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - Apple ID OD Plug-in
  - AppleGraphicsControl
  - Bluetooth
  - bootp
  - CloudKit
  - CoreMedia Playback
  - CoreText
  - curl
  - Data Detectors Engine
  - Date & Time pref pane
  - Dictionary Application
  - DiskImages
  - dyld
  - FontParser
  - groff
  - ImageIO
  - Install Framework Legacy
  - IOFireWireFamily
  - IOGraphics
  - IOHIDFamily
  - Kernel
  - Libc
  - Libinfo
  - libpthread
  - libxml2
  - libxpc
  - mail_cmds
  - Notification Center OSX
  - ntfs
  - OpenSSH
  - OpenSSL
  - perl
  - PostgreSQL
  - python
  - QL Office
  - Quartz Composer Framework
  - Quick Look
  - QuickTime 7
  - SceneKit
  - Security
  - SMBClient
  - Speech UI
  - sudo
  - tcpdump
  - Text Formats
  - udf 

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

According to the version of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - mod_lua.c in the mod_lua module in the Apache HTTP     Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua     authorization provider is used with different arguments     within different contexts, which allows remote     attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple     Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a     certain directory, and authorization for a second group     to access a second directory. (CVE-2014-8109)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	名称	产品	系列	发布时间	最近更新时间	严重程度
82916	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : httpd (SSA:2015-111-03)	Nessus	Slackware Local Security Checks	2015/4/22	2021/1/14	medium
83945	SUSE SLES12 Security Update : apache2 (SUSE-SU-2015:0974-1)	Nessus	SuSE Local Security Checks	2015/6/2	2021/1/6	medium
81126	Apache 2.4.x < 2.4.12 Multiple Vulnerabilities	Nessus	Web Servers	2015/2/2	2022/4/11	medium
81329	Amazon Linux AMI : httpd24 (ALAS-2015-483)	Nessus	Amazon Linux Local Security Checks	2015/2/13	2018/4/18	medium
83963	Fedora 21 : httpd-2.4.12-1.fc21 (2015-9216)	Nessus	Fedora Local Security Checks	2015/6/3	2021/1/11	medium
297071	NewStart CGSL MAIN 6.06 : httpd Multiple Vulnerabilities (NS-SA-2025-0240)	Nessus	NewStart CGSL Local Security Checks	2026/1/28	2026/1/28	critical
130866	EulerOS 2.0 SP5 : httpd (EulerOS-SA-2019-2157)	Nessus	Huawei Local Security Checks	2019/11/12	2024/4/12	medium
134539	EulerOS Virtualization for ARM 64 3.0.2.0 : httpd (EulerOS-SA-2020-1250)	Nessus	Huawei Local Security Checks	2020/3/13	2024/3/22	medium
81755	Ubuntu 14.04 LTS : Apache HTTP Server vulnerabilities (USN-2523-1)	Nessus	Ubuntu Local Security Checks	2015/3/11	2025/9/3	high
82346	Mandriva Linux Security Advisory : apache (MDVSA-2015:093)	Nessus	Mandriva Local Security Checks	2015/3/30	2021/1/14	medium
135617	EulerOS Virtualization 3.0.2.2 : httpd (EulerOS-SA-2020-1455)	Nessus	Huawei Local Security Checks	2020/4/16	2024/3/15	medium
218553	Linux Distros Unpatched Vulnerability : CVE-2014-8109	Nessus	Misc.	2025/3/4	2025/9/4	critical
85409	Mac OS X Multiple Vulnerabilities (Security Update 2015-006)	Nessus	MacOS X Local Security Checks	2015/8/17	2024/5/28	high
86066	Mac OS X : OS X Server < 5.0.3 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	2015/9/22	2019/11/22	critical
81116	FreeBSD : apache24 -- several vulnerabilities (5804b9d4-a959-11e4-9363-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	2015/2/2	2021/1/6	medium
85408	Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	2015/8/17	2024/5/28	high
99802	EulerOS 2.0 SP1 : httpd (EulerOS-SA-2016-1039)	Nessus	Huawei Local Security Checks	2017/5/1	2025/12/22	medium

检测

插件搜索

medium

medium

medium

medium

medium

critical

medium

medium

high

medium

medium

critical

high

critical

medium

high

medium