Common Vulnerabilities and Exposures
From SpinetiX Support Wiki
Description
CVE stands for Common Vulnerabilities and Exposures, which is a dictionary of publicly known information security vulnerabilities and exposures.
- An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.
- An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
See also the dedicated article about Meltdown and Spectre vulnerabilities.
List of CVEs
The table below contains a list of CVEs related to the SpinetiX players up to firmware 4.2.3, grouped by the affected component and the firmware version in which they were fixed. For more details and updates, see the firmware release notes page.
CVE codes | Component | Fixed in firmware | Notes |
---|---|---|---|
CVE-2015-0228 | Apache httpd | | Low security impact: mod_lua: Crash in websockets PING handling. Not vulnerable as it only affects httpd 2.4.7 and later. |
CVE-2017-14106 | Linux kernel | 4.2.3 | This should not affect the device. |
CVE-2016-2161, CVE-2016-8743, CVE-2017-3169, CVE-2017-7679 | Apache httpd | 4.2.3 | These could affect the device. |
CVE-2016-0736, CVE-2017-7668, CVE-2017-3167, CVE-2017-9788 | Apache httpd | 4.2.3 | These do not affect the device. |
CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229, CVE-2016-10397, CVE-2017-7890 | PHP | 4.2.3 | These could affect the device. |
CVE-2017-11143, CVE-2017-11147, CVE-2017-11628 | PHP | 4.2.3 | These do not affect the device. |
CVE-2017-3735 | OpenSSL | 4.2.3 | This could affect the device. |
CVE-2015-5180, CVE-2017-12132 | glibc | 4.2.3 | These could affect the device. |
CVE-2014-9984 | glibc | 4.2.3 | This does not affect the device. |
CVE-2017-5969 | libxml2 | 4.2.3 | This does not affect the device. |
CVE-2017-10989 | sqlite3 | 4.2.3 | This does not affect the device. |
CVE-2017-9233, CVE-2016-9063 | expat | 4.2.3 | These could affect the device. |
CVE-2017-7526 | gcrypt | 4.2.3 | This could affect the device. |
CVE-2017-10790 | libtasn1 | 4.2.3 | This could affect the device. |
CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113 | ncurses | 4.2.3 | These do not affect the device. |
CVE-2015-5224 | util-linux | 4.2.3 | This could affect the device. |
CVE-2017-1000100 | curl | 4.2.3 | This does not affect the device. |
CVE-2017-12424 | shadow | 4.2.3 | This does not affect the device. |
CVE-2017-7302, CVE-2017-7300, CVE-2017-7614, CVE-2017-7301, CVE-2017-7299, CVE-2017-12451 | binutils | 4.2.3 | These do not affect the device. |
CVE-2016-8743, CVE-2017-7679, CVE-2017-9788, CVE-2017-9798 | Apache httpd | 3.4.2 | These could affect the device. The Apache httpd version is now 2.2.34, plus security patches. |
CVE-2016-5387, CVE-2017-7668, CVE-2017-3169, CVE-2017-3167 | Apache httpd | 3.4.2 | These do not affect the device. The Apache httpd version is now 2.2.34, plus security patches. |
CVE-2016-9042, CVE-2017-6464, CVE-2017-6462, CVE-2017-6463, CVE-2017-6458, CVE-2017-6451, CVE-2017-6460 | NTP | 4.2.2 | Only CVE-2016-9042 affects the device. NTP updated from 4.2.8p9 to 4.2.8p10. |
CVE-2016-9933, CVE-2016-9138, CVE-2016-10158, CVE-2016-10161, CVE-2017-7272, CVE-2016-5399, CVE-2016-7478 | PHP | 4.2.2 | These affect the device. |
CVE-2014-9912, CVE-2016-9137, CVE-2016-9935, CVE-2016-9934, CVE-2016-10160, CVE-2016-10159 | PHP | 4.2.2 | These do not affect the device. |
CVE-2016-1234, CVE-2016-3706, CVE-2016-4429, CVE-2016-5417, CVE-2015-8982, CVE-2015-8983, CVE-2015-8984 | glibc | 4.2.2 | These could affect the device. |
CVE-2014-4043, CVE-2016-3075, CVE-2016-6323 | glibc | 4.2.2 | These do not affect the device. |
CVE-2015-3217, CVE-2017-7186, CVE-2017-7245, CVE-2017-7244, CVE-2017-7246 | pcre | 4.2.2 | These affect the device. |
CVE-2016-10009, CVE-2016-10011, CVE-2016-10012, CVE-2016-1908 | OpenSSH | 4.2.2 | These do not affect the device. |
CVE-2016-6313, CVE-2014-3591 | libgcrypt | 4.2.2 | Only CVE-2016-6313 affects the device. |
CVE-2017-3731, CVE-2016-7056 | OpenSSL | 4.2.2, 3.4.1 | These do not affect the device. |
CVE-2016-7543, CVE-2016-9401, CVE-2016-0634 | bash | 4.2.2 | These do not affect the device. |
CVE-2016-10087 | libpng | 4.2.2 | This appears to not affect the device. |
CVE-2014-9939, CVE-2017-6965, CVE-2017-6966, CVE-2017-7210, CVE-2017-7223, CVE-2017-7225, CVE-2017-7224, CVE-2017-7226, CVE-2017-7227 | binutils | 4.2.2 | These do not affect the device. |
CVE-2016-10244, CVE-2016-10328, CVE-2017-8105, CVE-2017-8287 | FreeType | 4.2.2 | These affect the device. |
CVE-2014-9645 | busybox | 4.2.2 | This does not affect the device. |
CVE-2016-10195, CVE-2016-10196, CVE-2016-10197 | libevent | 4.2.2 | These do not affect the device. |
CVE-2017-6891, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337, CVE-2017-7869 | GnuTLS | 4.2.2 | Only CVE-2017-6891 may affect the firmware. |
CVE-2017-7407 | curl | 4.2.2 | This does not affect the device. |
CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050, CVE-2017-0663 | libxml2 | 4.2.2, 3.4.1 | These affect the device. |
CVE-2017-7611, CVE-2017-7610, CVE-2017-7613, CVE-2017-7612, CVE-2016-10255, CVE-2016-10254 | elfutils | 4.2.2 | These do not affect the device. |
CVE-2016-9840, CVE-2016-9841, CVE-2016-9842 and CVE-2016-9843 | ZLib | 4.2.2 | Only CVE-2016-9840 and CVE-2016-9841 affect the device. |
CVE-2017-7867, CVE-2017-7868, CVE-2014-9654 | ICU | 4.2.2 | These affect the device. |
CVE-2017-1000364, CVE-2017-6214 | Linux kernel | 4.2.1 build 2 | |
CVE-2017-1000366 | glibc | 4.2.1 build 2 | From analysis it seems this was not exploitable in the HMP / DiVA. |
CVE-2016-7431, CVE-2016-7434, CVE-2016-7433 | NTP | 4.2.0 | These affect the device. NTP updated from 4.2.8p8 to 4.2.8p9. |
CVE-2016-9311, CVE-2016-9310, CVE-2016-7427, CVE-2016-7428, CVE-2016-9312, CVE-2016-7429, CVE-2016-7426 | NTP | 4.2.0 | These do not affect the device. NTP updated from 4.2.8p8 to 4.2.8p9. |
CVE-2015-6835, CVE-2016-4539, CVE-2016-4543, CVE-2016-4542, CVE-2016-4544, CVE-2015-8865, CVE-2016-4070, CVE-2014-9767, CVE-2015-4603, CVE-2015-8867, CVE-2015-4602, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598, CVE-2015-8877, CVE-2015-8873, CVE-2015-8876, CVE-2015-8874, CVE-2016-5385, CVE-2016-5766, CVE-2016-5767, CVE-2016-6128, CVE-2016-5771, CVE-2016-5773, CVE-2016-3132, CVE-2016-5768, CVE-2016-5094, CVE-2016-5095, CVE-2016-5096, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6292, CVE-2016-6291, CVE-2016-6297, CVE-2016-7124, CVE-2016-7414, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7411, CVE-2016-7417, CVE-2016-6207, CVE-2016-7568, CVE-2015-8935, CVE-2016-7125 | PHP | 4.2.0 | These could affect the device. |
CVE-2016-4071, CVE-2015-6834, CVE-2016-4538, CVE-2016-4537, CVE-2016-4541, CVE-2016-4540, CVE-2016-4342, CVE-2016-2554, CVE-2016-4343, CVE-2015-6837, CVE-2015-6838, CVE-2015-4642, CVE-2015-4600, CVE-2015-4599, CVE-2015-8866, CVE-2015-5589, CVE-2015-8838, CVE-2015-8835, CVE-2016-3185, CVE-2015-8878, CVE-2015-4116, CVE-2013-7456, CVE-2016-5093, CVE-2016-5772, CVE-2016-5769, CVE-2016-5114, CVE-2016-6294, CVE-2016-6295, CVE-2016-7129, CVE-2016-7413, CVE-2016-7412, CVE-2016-7416, CVE-2016-7418, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132 | PHP | 4.2.0 | These do not affect the device. |
CVE-2016-5387 | Apache httpd | 4.2.0 | This affects the device. |
CVE-2016-4447, CVE-2016-4448, CVE-2016-1762, CVE-2016-4449, CVE-2016-4483, CVE-2016-5131 | libxml2 | 4.2.0, 3.4.0 | These could affect the device. |
CVE-2015-6837, CVE-2015-6838 | libxml2 | 4.2.0, 3.4.0 | These do not affect the device. |
CVE-2016-8610 | OpenSSL | 4.2.0, 3.4.0 | This affects the device. |
CVE-2016-4472, CVE-2012-6702, CVE-2016-5300, CVE-2016-0718 | expat | 4.2.0, 3.4.0 | These could affect the device. |
CVE-2016-6261, CVE-2015-8948, CVE-2016-6262, CVE-2016-6263 | libidn | 4.2.0 | These could affect the device. |
CVE-2014-9747, CVE-2014-9746 | FreeType | 4.2.0 | These could affect the device. |
CVE-2016-5384 | fontconfig | 4.2.0, 3.4.0 | This does not affect the device. |
CVE-2016-2148, CVE-2016-2147, CVE-2016-6301 | busybox | 4.2.0 | These do not affect the device. |
CVE-2016-3189 | bzip2 | 4.2.0 | This does not affect the device. |
CVE-2016-8858 | OpenSSH | 4.2.0 | This affects the device. |
CVE-2016-6515, CVE-2016-6210, CVE-2016-5615 | OpenSSH | 4.2.0 | These do not affect the device. |
CVE-2016-5011 | util-linux | 4.2.0 | This affects the device. |
CVE-2016-6321 | tar | 4.2.0 | This could affect the device. |
CVE-2016-4008 | libtasn1 | 4.2.0 | This affects the device. |
CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-9586 | curl | 4.2.0 | These do not affect the device. |
CVE-2016-5195 | Linux kernel | 4.2.0 | "Dirty COW" affects the device firmware although it could not be directly exploited. |
CVE-2015-8947 | harfbuzz | 3.4.0 | This affects the device. |
CVE-2016-3190 | cairo | 3.4.0 | This affects the device. |
CVE-2016-6304, CVE-2016-2183, CVE-2016-6303, CVE-2016-6302, CVE-2016-2182, CVE-2016-2180 | OpenSSL | 4.1.0 build 2, 3.3.0 build 3 | These could affect the device. CVE-2016-6304 is high severity for firmware 4.1, but does not affect firmware 3.3. |
CVE-2016-2179, CVE-2016-2181, CVE-2016-6306 | OpenSSL | 4.1.0 build 2 | These do not affect the device. |
CVE-2015-5276 | libstdc++ | 4.1.0 | Does not affect the firmware. |
CVE-2015-8777, CVE-2015-8779, CVE-2014-9761, CVE-2015-8776 | glibc | 4.1.0 | |
CVE-2015-8139, CVE-2015-5300, CVE-2015-8138, CVE-2015-7704, CVE-2016-1549, CVE-2016-4954, CVE-2016-1548, CVE-2016-4955, CVE-2016-1547, CVE-2016-4957, CVE-2016-4953, CVE-2016-2518 | ntp | 4.1.0 | These affect the device. The earlier fix for CVE-2015-7704 was incomplete. Updated ntp to 4.2.8p8. |
CVE-2015-7974, CVE-2015-8158, CVE-2015-7976, CVE-2015-7973, CVE-2015-7978, CVE-2015-7977, CVE-2015-7979, CVE-2015-8140, CVE-2016-2517, CVE-2016-2516, CVE-2016-1550, CVE-2016-2519, CVE-2016-1551, CVE-2016-4956 | ntp | 4.1.0 | These do not affect the device. Updated ntp to 4.2.8p8. |
CVE-2016-2326, CVE-2016-0754 | curl | 4.1.0 | These do not affect the device. |
CVE-2015-1038, CVE-2016-2335 | p7zip | 4.1.0, 3.3.0 | These could potentially affect the device. |
CVE-2016-4073 | PHP | 4.1.0 | This affects the device. |
CVE-2016-3141, CVE-2016-3142, CVE-2016-4072 | PHP | 4.1.0 | These do not affect the device. |
CVE-2016-3191 | pcre | 4.1.0 | This could affect the device. |
CVE-2016-2774 | DHCP | 4.1.0 | This could affect the device. |
CVE-2016-3115, CVE-2015-8325 | OpenSSH | 4.1.0 | These do not affect the device. |
CVE-2016-2177, CVE-2016-2178 | OpenSSL | 4.1.0, 3.3.0 | These affect the device / Elementi. |
CVE-2016-0703, CVE-2016-0704 | OpenSSL | 4.1.0, 3.3.0 | These do not affect the device / Elementi. |
CVE-2016-3705, CVE-2016-3627, CVE-2016-1833, CVE-2016-1834, CVE-2016-1835, CVE-2016-1836, CVE-2016-1838, CVE-2016-1840 | libxml2 | 4.1.0, 3.3.0 | These affect the device / Elementi. Firmware 3.3.0: updated libxml2 to version 2.9.1 with all security patches. |
CVE-2015-8710, CVE-2016-2073, CVE-2015-8806, CVE-2016-1839, CVE-2016-1837 | libxml2 | 4.1.0, 3.3.0 | These do not affect the device / Elementi. Firmware 3.3.0: updated libxml2 to version 2.9.1 with all security patches. |
CVE-2015-8540, CVE-2015-8472, CVE-2015-8126, CVE-2015-7981 | libpng | 4.1.0, 3.3.0 | Firmware 3.3.0: updated libxml2 to version 2.9.1 with all security patches. |
CVE-2016-2108 | OpenSSL | 4.0.2 build 2, 3.2.2 | Could affect the device. |
CVE-2016-0798, CVE-2016-2176, CVE-2016-2107 | OpenSSL | 4.0.2 build 2, 3.2.2 | Do not affect the device (no firmware component enables TLS-SRP). |
CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 | OpenSSL | 4.0.2 build 2, 3.2.2 | Should not affect the device. |
CVE-2015-8388, CVE-2015-8390, CVE-2015-8381, CVE-2015-8395, CVE-2015-8393, CVE-2015-8389, CVE-2015-8391, CVE-2015-8394, CVE-2015-8385, CVE-2015-8392, CVE-2015-8386, CVE-2015-8380, CVE-2015-8387, CVE-2015-8384 | pcre | 4.0.2 | Could affect the device. |
CVE-2015-7499, CVE-2015-7500, CVE-2015-7498, CVE-2015-8241, CVE-2015-8317 | libxml2 | 4.0.2 | Could affect the device. |
CVE-2016-1907 | OpenSSH | 4.0.2 | Could affect the device. |
CVE-2016-0777, CVE-2016-0778 | OpenSSH | 4.0.2 | Do not affect the device. |
CVE-2015-7575 | OpenSSL | 4.0.2 | Could affect the device. Does not affect 3.x firmware versions because OpenSSL 0.9.8 and lower are not affected. |
CVE-2015-3197 | OpenSSL | 4.0.2, 3.2.2 | Could affect the device. |
CVE-2015-6831, CVE-2016-1903, CVE-2015-6832, CVE-2015-6836, CVE-2015-6833, CVE-2015-5590 | PHP | 4.0.2 | Could affect the device. |
CVE-2015-8472 | libpng | 4.0.2, 3.2.2 | Could affect the device. |
CVE-2015-8605 | DHCP | 4.0.2 | Could affect the device. |
CVE-2015-7547 | glibc | 4.0.1 build 2 | Firmware 3.x or lower is not affected by the glibc getaddrinfo() stack-based buffer overflow vulnerability. |
CVE-2016-0800, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702 | OpenSSL | 4.0.1 build 2, 3.2.2 | Could affect the device. SSLv2 has been removed as part of the fix for CVE-2016-0800. |
CVE-2016-0703, CVE-2016-0704 | OpenSSL | 4.0.1, 3.2.1 | Solved as a side effect of the fix for CVE-2015-0293. |
CVE-2015-7853, CVE-2015-7852, CVE-2015-7855, CVE-2015-7704, CVE-2015-7705 | NTP | 4.0.1 | Could affect the device. |
CVE-2015-7852, CVE-2015-7850, CVE-2015-7701, CVE-2015-7871, CVE-2015-7703, CVE-2015-7691, CVE-2015-7692 | NTP | 4.0.1 | Should not affect the device. |
CVE-2015-6564, CVE-2015-6563 | OpenSSH | 4.0.1 | Did not affect the device in normal operating conditions. |
CVE-2015-3194, CVE-2015-3196 | OpenSSH | 4.0.1 | Could affect the device. |
CVE-2015-3195 | OpenSSH | 4.0.1 | Should not affect the device. |
CVE-2015-8382, CVE-2015-2328, CVE-2015-2327 | pcre | 4.0.1 | Could potentially affect the device. |
CVE-2015-1283 | expat | 4.0.1 | Could affect the device. |
CVE-2015-5312, CVE-2015-7497, CVE-2015-8242, CVE-2015-8035, CVE-2015-7942, CVE-2015-7941 | libxml2 | 4.0.1 | Could affect the device. |
CVE-2015-8126 | libpng | 4.0.1, 3.2.2 | Could affect the device. |
CVE-2014-9745 | FreeType | 4.0.1 | Could affect the device. |
CVE-2015-7803, CVE-2015-7804 | PHP | 4.0.1 | Should not affect the device. |
CVE-2013-5704 | Apache httpd | 4.0.1, 3.2.2 | Low security impact: HTTP Trailers processing bypass. |
CVE-2013-6438 | Apache httpd | 4.0.0 | Moderate security impact: mod_dav crash. |
CVE-2014-0098 | Apache httpd | 4.0.0 | Low security impact: mod_log_config crash. |
CVE-2013-4352, CVE-2014-3581 | Apache httpd | 4.0.0 | Low security impact: mod_cache crash. |
CVE-2014-0226 | Apache httpd | 4.0.0, 3.2.2 | Moderate security impact: mod_status buffer overflow. Does not affect lower firmware versions because threaded MPM is not used. |
CVE-2014-0118 | Apache httpd | 4.0.0, 3.2.2 | Moderate security impact: mod_deflate denial of service. Does not affect lower firmware versions because mod_deflate is not used. |
CVE-2014-0117 | Apache httpd | 4.0.0 | Moderate security impact: mod_proxy denial of service. |
CVE-2014-0231 | Apache httpd | 4.0.0, 3.2.2 | Important security impact: mod_cgid denial of service. Does not affect lower firmware versions because mod_cgid is not used. |
CVE-2014-3583 | Apache httpd | 4.0.0 | Low security impact: mod_proxy_fcgi out-of-bounds memory read. |
CVE-2014-8109 | Apache httpd | 4.0.0 | Low security impact: mod_lua multiple "Require" directive handling is broken. |
CVE-2015-3185 | Apache httpd | 4.0.0 | Low security impact: ap_some_auth_required API unusable. |
CVE-2015-3183 | Apache httpd | 4.0.0, 3.2.2 | Low security impact: HTTP request smuggling attack against chunked request parser. |
CVE-2015-0253 | Apache httpd | 4.0.0 | Low security impact: Crash in ErrorDocument 400 handling. |
CVE-2015-8540, CVE-2015-7981, CVE-2014-9495, CVE-2012-3386, CVE-2011-3048, CVE-2011-3026, CVE-2011-2690, CVE-2011-2691, CVE-2011-2692, CVE-2010-1205, CVE-2012-3425 | libpng | 3.2.2 | Updated libpng to 1.2.56. |
CVE-2015-1788, CVE-2015-1789, CVE-2015-1791, CVE-2015-0286, CVE-2015-0287, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288, CVE-2014-3570, CVE-2014-3571, CVE-2015-0204, CVE-2014-3572, CVE-2014-8275, CVE-2014-3569, CVE-2014-3567, CVE-2014-3568 | OpenSSL | 3.2.1 | Could affect the device. |
CVE-2015-3195, CVE-2015-1790, CVE-2015-1792, CVE-2015-0289 | OpenSSL | 3.2.1 | Should not affect the device. |
CVE-2015-0235 | glibc | 3.1.1 build 2, 3.0.6 build 3, 2.2.7 build 3 | The glibc GHOST vulnerability could potentially lead to execution of arbitrary commands, although no vector of attack is currently known in the case of HMP. |
CVE-2013-6438, CVE-2013-1896 | Apache httpd | 3.1.0 | Updated HTTP server to Apache httpd 2.2.27, fixing security vulnerabilities which could affect the HMP. |
CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 | bash | 3.1.0, 3.0.6 build 2, 2.2.7 build 2 | Fixed the Shellshock bash vulnerabilities which could potentially lead to execution of arbitrary commands, although no vector of attack is currently known. |
CVE-2005-2974, CVE-2005-3350 | giflib | 3.0.0 | Updated giflib to 5.0.0. |
CVE-2012-0037 | raptor | 3.0.0 | Updated raptor to 2.0.8. |
CVE-2012-1126 to CVE-2012-1144, CVE-2011-3439, CVE-2011-3256, CVE-2011-0226 | FreeType | 3.0.0 | Updated FreeType to 2.4.10. |
CVE-2012-0841, CVE-2011-3905, CVE-2010-4008, CVE-2011-2834, CVE-2011-1944, CVE-2011-0216, CVE-2011-3919 | libxml2 | 3.0.0 | Updated libxml2 to 2.9.0. |
CVE-2008-4316 | glib | 3.0.0 | Updated glib to 2.34.1. |
CVE-2012-5134 | libxml2 | 3.0.0, 2.2.6 | |
CVE-2011-3368 | Apache httpd | 2.2.5 | Updated the embedded HTTP server to Apache 2.2.22. |
CVE-2011-1002 | avahi | 2.2.5 | Fixed vulnerability (denial of service when empty UDP packets are received) of the Bonjour daemon (avahi). |
CVE-2012-1147, CVE-2012-1148 | expat | 2.2.5 | Updated expat library. |
CVE-2011-3192 | Apache httpd | 2.2.4 | Updated the embedded HTTP server to Apache 2.2.21. |
CVE-2010-1452, CVE-2009-2412, CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 | Apache httpd | 2.2.3 | Updated the embedded HTTP server to Apache 2.2.19. |
CVE-2010-0830, CVE-2009-4880, CVE-2009-4881, CVE-2010-0296 | libc | 2.2.1 | |
CVE-2009-3560, CVE-2009-3720 | libexpat | 2.1.2 | |
CVE-2009-3563 | NTP | 2.1.1 | |
CVE-2009-3555 | OpenSSL | 2.1.1 | |
Commonly-flagged vulnerabilities which do not apply to the HMP:
- CVE-2008-2939 affects a module we do not use (mod_proxy_ftp).
- CVE-2009-1191 affects a module we do not implement (mod_proxy_ajp.c).
- CVE-2009-1195 concerns .htaccess which is not used.
- CVE-2009-1890 affects a module we do not implement (mod_proxy).
- CVE-2009-1891 affects a module we do not implement (mod_deflate).
- CVE-2009-2699 only affects Solaris 10 and OpenSolaris.
- CVE-2009-3095 and CVE-2009-3094 affect a module we do not use (mod_proxy_ftp).
- CVE-2010-0408 only affects Apache on Windows, Netware, and OS/2.
- CVE-2010-0425 only affects Apache on Windows.
- CVE-2010-0434 only affects multi-threaded MPM systems - the HMP is not part of this category.
- CVE-2011-3348 affects a module we do not implement (mod_proxy_ajp).
- CVE-2011-3368: no proxying is enabled.
- CVE-2011-3607: use of .htaccess files is disabled.
- CVE-2012-0021: cookie logging is not used.
- CVE-2012-0031: no unprivileged children are run.
- CVE-2012-0883: LD_LIBRARY_PATH is not used.
- CVE-2012-2687: multiviews is not enabled.
- CVE-2012-3499 only affects modules not included or whose features are not enabled.
- CVE-2012-4557 affects a module we do not implement (mod_proxy_ajp).
- CVE-2012-4558 only affects modules not included.
- CVE-2014-3523 (Apache httpd - WinNT MPM denial of service) does not affect the HMP since this is a Windows-specific vulnerability.