CVE-2003-1581

NameCVE-2003-1581
DescriptionThe Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs570740

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)stretch2.4.25-3+deb9u9vulnerable
stretch (security)2.4.25-3+deb9u13vulnerable
buster, buster (security)2.4.38-3+deb10u7vulnerable
bullseye2.4.53-1~deb11u1vulnerable
bullseye (security)2.4.52-1~deb11u2vulnerable
bookworm, sid2.4.54-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apachesource(unstable)(unfixed)unimportant
apache2source(unstable)(unfixed)unimportant570740

Notes

not really an apache issue; if an apache log analyzer is known vulnerable,
then that itself should be fixed

Search for package or bug name: Reporting problems