Name | CVE-2003-1581 |
Description | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 570740 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
apache2 (PTS) | jessie, jessie (lts) | 2.4.10-10+deb8u29 | vulnerable |
apache2 | stretch (security) | 2.4.25-3+deb9u13 | vulnerable |
apache2 | stretch (lts), stretch | 2.4.25-3+deb9u19 | vulnerable |
apache2 | buster, buster (lts) | 2.4.59-1~deb10u4 | vulnerable |
apache2 | buster (security) | 2.4.59-1~deb10u1 | vulnerable |
apache2 | bullseye | 2.4.62-1~deb11u1 | vulnerable |
apache2 | bullseye (security) | 2.4.62-1~deb11u2 | vulnerable |
apache2 | bookworm (security), bookworm | 2.4.62-1~deb12u2 | vulnerable |
apache2 | sid, trixie | 2.4.62-3 | vulnerable |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
apache | source | (unstable) | (unfixed) | unimportant | | |
apache2 | source | (unstable) | (unfixed) | unimportant | | 570740 |
Notes
not really an apache issue; if an apache log analyzer is known vulnerable,
then that itself should be fixed