
Mageia alert MGASA-2014-0527 (apache)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2014-0527: Updated apache packages fix security vulnerabilities
Date:  Sat, 13 Dec 2014 21:16:28 +0100
Message-ID:  <20141213201628.2DF5243DC0@valstar.mageia.org>

MGASA-2014-0527 - Updated apache packages fix security vulnerabilities

Publication date: 13 Dec 2014
URL: http://advisories.mageia.org/MGASA-2014-0527.html
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-3581, CVE-2013-5704

Description:

Updated apache packages fix security vulnerabilities:

A NULL pointer dereference flaw was found in the way the mod_cache httpd
module handled Content-Type headers. A malicious HTTP server could cause
the httpd child process to crash when the Apache HTTP server was
configured to proxy to a server with caching enabled (CVE-2014-3581).

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing
had been performed by other modules. This could, for example, lead to a
bypass of header restrictions defined with mod_headers (CVE-2013-5704).

Note: With this update, httpd has been modified to no longer merge HTTP
Trailer headers with the other HTTP request headers. A newly introduced
configuration directive, MergeTrailers, can be used to re-enable the old
method of processing Trailer headers; doing so also re-introduces the
aforementioned flaw.

This update also fixes the following bug:

Prior to this update, the mod_proxy_wstunnel module failed to set up an
SSL connection when configured to use a back-end server with the "wss:"
URL scheme, causing proxied connections to fail. In these updated
packages, SSL is used when proxying to "wss:" back-end servers
(rhbz#1141950).

References:
- https://bugs.mageia.org/show_bug.cgi?id=14773
- https://bugzilla.redhat.com/show_bug.cgi?id=1141950
- https://rhn.redhat.com/errata/RHSA-2014-1972.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704

SRPMS:
- 4/core/apache-2.4.7-5.4.mga4
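The Trailer-header problem described above (CVE-2013-5704), modelled as an added example; this is not code from the advisory, from Mageia, or from httpd itself. It parses a constructed chunked request whose trailer section re-supplies a header, applies a hypothetical mod_headers rule ("RequestHeader unset X-Admin", assumed for illustration), and then shows the header table a handler would see with the old merging behaviour (what MergeTrailers On restores) versus the fixed default where trailers stay separate. The sample request, the X-Admin header and the /admin path are all constructed.

```python
"""Model of chunked-request trailer handling and the CVE-2013-5704 bypass.

Added example, not the advisory's or httpd's code. Header-processing
modules such as mod_headers act on the initial request header block; the
trailers only arrive when the body is read, later. If trailers are then
merged into the request headers, a header that was deliberately removed
earlier comes back.
"""

from typing import Dict, Tuple

# Constructed sample request, CRLF line endings as on the wire.
# The client re-sends X-Admin in the trailer after the chunked body.
SAMPLE_REQUEST = (
    b"POST /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Admin\r\n"
    b"X-Admin: yes\r\n"
    b"\r\n"
    b"5\r\n"
    b"hello\r\n"
    b"0\r\n"
    b"X-Admin: yes\r\n"
    b"\r\n"
)


def parse_header_block(text: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a lower-cased header table."""
    headers: Dict[str, str] = {}
    for line in text.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_chunked(body: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Decode a chunked body; return (payload, trailer headers)."""
    payload = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size_field = body[pos:eol].split(b";", 1)[0]  # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break  # last chunk; trailers (if any) follow
        payload += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk: missing CRLF after data")
        pos += 2
    trailers = parse_header_block(body[pos:].decode("latin-1"))
    return bytes(payload), trailers


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes, Dict[str, str]]:
    """Split a raw request into request line, headers, payload, trailers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_text = head.decode("latin-1").partition("\r\n")
    headers = parse_header_block(header_text)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        payload, trailers = parse_chunked(body)
    else:
        payload, trailers = body, {}
    return request_line, headers, payload, trailers


def request_header_unset(headers: Dict[str, str], name: str) -> None:
    """Models a hypothetical 'RequestHeader unset <name>' mod_headers rule."""
    headers.pop(name.lower(), None)


def process(raw: bytes, merge_trailers: bool) -> Dict[str, str]:
    """Return the header table a handler would see.

    merge_trailers=True models the pre-fix behaviour (MergeTrailers On):
    trailers are folded into the request headers after mod_headers ran.
    merge_trailers=False models the fixed default: trailers stay separate.
    """
    _, headers, _, trailers = parse_request(raw)
    # mod_headers-style filtering runs on the initial header block only.
    request_header_unset(headers, "X-Admin")
    if merge_trailers:
        headers.update(trailers)  # the removed header reappears
    return headers


if __name__ == "__main__":
    print("MergeTrailers On :", process(SAMPLE_REQUEST, merge_trailers=True))
    print("MergeTrailers Off:", process(SAMPLE_REQUEST, merge_trailers=False))
```

The practical check is the last branch of process(): with merging enabled, any restriction that mod_headers (or any other module working on the initial header block) enforced can be undone by a trailer, which is why the advisory warns that MergeTrailers On re-introduces the flaw.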

