Updated apache package fixes security vulnerabilities
Publication date: 29 Jul 2014Modification date: 22 Jan 2022
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-0117 , CVE-2014-0118 , CVE-2014-0226 , CVE-2014-0231
Description
A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user (CVE-2014-0226). A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash (CVE-2014-0117). A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system (CVE-2014-0118). A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely (CVE-2014-0231).
References
- https://bugs.mageia.org/show_bug.cgi?id=13788
- http://httpd.apache.org/security/vulnerabilities_24.html
- https://rhn.redhat.com/errata/RHSA-2014-0921.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
SRPMS
4/core
- apache-2.4.7-5.3.mga4