enterprise-support team mailing list archive

Thread
Date

[Bug 1425141] Re: mod_headers CVE-2013-5704

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1425141@xxxxxxxxxxxxxxxxxx>
Date: Tue, 10 Mar 2015 14:35:18 -0000
Reply-to: Bug 1425141 <1425141@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package apache2 - 2.4.10-1ubuntu1.1

---------------
apache2 (2.4.10-1ubuntu1.1) utopic-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
  * SECURITY UPDATE: mod_proxy_fcgi deial of service via long response
    headers
    - debian/patches/CVE-2014-3583.patch: properly handle length in
      modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2014-3583
  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    directives
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
      modules/lua/lua_request.c.
    - CVE-2015-0228
 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>   Thu, 05 Mar 2015 12:05:47 -0500

** Changed in: apache2 (Ubuntu Utopic)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-5704

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-3581

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-3583

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-8109

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-0228

** Changed in: apache2 (Ubuntu Lucid)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1425141

Title:
  mod_headers CVE-2013-5704

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1425141/+subscriptions