Updated apache package fixes security vulnerabilities
Publication date: 29 Jul 2014Modification date: 29 Jul 2014
Type: security
Affected Mageia releases : 3
CVE: CVE-2014-0118 , CVE-2014-0226 , CVE-2014-0231
Description
A race condition flaw, leading to heap-based buffer overflows, was found in
the mod_status httpd module. A remote attacker able to access a status page
served by mod_status on a server using a threaded Multi-Processing Module
(MPM) could send a specially crafted request that would cause the httpd
child process to crash or, possibly, allow the attacker to execute
arbitrary code with the privileges of the "apache" user (CVE-2014-0226).
A denial of service flaw was found in the way httpd's mod_deflate module
handled request body decompression (configured via the "DEFLATE" input
filter). A remote attacker able to send a request whose body would be
decompressed could use this flaw to consume an excessive amount of system
memory and CPU on the target system (CVE-2014-0118).
A denial of service flaw was found in the way httpd's mod_cgid module
executed CGI scripts that did not read data from the standard input.
A remote attacker could submit a specially crafted request that would cause
the httpd child process to hang indefinitely (CVE-2014-0231).
References
- https://bugs.mageia.org/show_bug.cgi?id=13788
- http://httpd.apache.org/security/vulnerabilities_24.html
- https://rhn.redhat.com/errata/RHSA-2014-0921.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
SRPMS
3/core
- apache-2.4.4-7.8.mga3