CVE-2003-1581

NameCVE-2003-1581
DescriptionThe Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs570740

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)jessie, jessie (lts)2.4.10-10+deb8u25vulnerable
stretch (security)2.4.25-3+deb9u13vulnerable
stretch (lts), stretch2.4.25-3+deb9u15vulnerable
buster2.4.38-3+deb10u8vulnerable
buster (security)2.4.38-3+deb10u10vulnerable
bullseye2.4.56-1~deb11u2vulnerable
bullseye (security)2.4.56-1~deb11u1vulnerable
bookworm2.4.57-2vulnerable
sid, trixie2.4.58-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apachesource(unstable)(unfixed)unimportant
apache2source(unstable)(unfixed)unimportant570740

Notes

not really an apache issue; if an apache log analyzer is known vulnerable,
then that itself should be fixed

Search for package or bug name: Reporting problems