[v2.5] apache2: multiple issues (CVE-2014-0117 CVE-2014-0118 CVE-2014-0226 CVE-2014-0231)
The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header (CVE-2014-0117).
The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size (CVE-2014-0117).
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c (CVE-2014-0226).
The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor (CVE-2014-0231).
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0117
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0118
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0231
The latest version with the issues fixed:
http://httpd.apache.org/download.cgi\#apache24
(from redmine: issue id 3204, created on 2014-07-21, closed on 2014-07-24)
- Relations:
- parent #3203 (closed)
- Changesets:
- Revision 4de2cfda by Natanael Copa on 2014-07-22T08:29:56Z:
main/apache2: security upgrade to 2.4.10 (CVE-2014-0117,CVE-2014-0118,CVE-2014-0226,CVE-2014-0231)
fixes #3204