Bug 507866 - <www-servers/apache-2.2.27: truncated cookie logging segfault and mod_dav DOS (CVE-2013-6438,CVE-2014-0098)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.apache.org/dist/httpd/CHAN...
Whiteboard: A3 [glsa]
Keywords:
Depends on: 504300
Blocks:
Reported: 2014-04-17 05:47 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2014-08-31 11:18 UTC

See Also:
Package list:
Runtime testing required: ---


Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-17 05:47:08 UTC
from URL:

Changes with Apache 2.2.27

  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
     Clean up cookie logging with fewer redundant string parsing passes.
     Log only cookies with a value assignment. Prevents segfaults when
     logging truncated cookies.
     [William Rowe, Ruediger Pluem, Jim Jagielski]

  *) SECURITY: CVE-2013-6438 (cve.mitre.org)
     mod_dav: Keep track of length of cdata properly when removing
     leading spaces. Eliminates a potential denial of service from
     specifically crafted DAV WRITE requests
     [Amin Tora <Amin.Tora neustar.biz>]
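
As an added illustration (not Apache's code and not part of this bug report), here is a minimal C cookie lookup that follows the rule in the CVE-2014-0098 changelog entry above: only a cookie with a value assignment produces something to log, so a truncated cookie yields nothing. The helper name `cookie_value` and the sample headers are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not an httpd API): return a malloc'd copy of the value
 * of cookie `name` in a Cookie header, or NULL when the cookie is absent or
 * has no "=value" part. The caller frees the result. */
char *cookie_value(const char *header, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = header;

    if (nlen == 0)
        return NULL;
    while (*p) {
        /* Skip separators between name=value pairs. */
        while (*p == ' ' || *p == '\t' || *p == ';')
            p++;
        /* This pair ends at the next ';' or at the end of the string. */
        const char *end = strchr(p, ';');
        if (!end)
            end = p + strlen(p);
        /* Look for '=' only inside this pair, never beyond it. */
        const char *eq = memchr(p, '=', (size_t)(end - p));
        /* A bare name (no assignment) is skipped rather than logged. */
        if (eq && (size_t)(eq - p) == nlen && memcmp(p, name, nlen) == 0) {
            size_t vlen = (size_t)(end - (eq + 1));
            char *out = malloc(vlen + 1);
            if (!out)
                return NULL;
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = end;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample headers; the second ends in a truncated cookie. */
    const char *samples[] = { "lang=en; sid=abc123", "lang=en; sid" };
    for (size_t i = 0; i < 2; i++) {
        char *v = cookie_value(samples[i], "sid");
        printf("%-22s -> %s\n", samples[i], v ? v : "(not logged)");
        free(v);
    }
    return 0;
}
```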
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-19 17:06:39 UTC
Arches please test and mark stable the following packages:

=app-admin/apache-tools-2.2.27
=www-servers/apache-2.2.27

Target keywords:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 2 Agostino Sarubbo gentoo-dev 2014-04-20 09:51:51 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-04-21 10:08:01 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-21 10:44:38 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-04-22 12:28:28 UTC
arm stable
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 20:17:05 UTC
CVE-2014-0098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0098):
  The log_cookie function in mod_log_config.c in the mod_log_config module in
  the Apache HTTP Server before 2.4.8 allows remote attackers to cause a
  denial of service (segmentation fault and daemon crash) via a crafted cookie
  that is not properly handled during truncation.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 20:18:07 UTC
CVE-2013-6438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6438):
  The dav_xml_get_cdata function in main/util.c in the mod_dav module in the
  Apache HTTP Server before 2.4.8 does not properly remove whitespace
  characters from CDATA sections, which allows remote attackers to cause a
  denial of service (daemon crash) via a crafted DAV WRITE request.
Comment 8 Agostino Sarubbo gentoo-dev 2014-05-10 14:02:18 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-05-11 08:06:19 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-05-13 15:17:44 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-05-14 16:07:49 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-05-17 13:50:55 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-05-20 22:08:02 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

New GLSA Request filed.
Comment 14 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-05-21 06:27:09 UTC
(In reply to Yury German from comment #13)
> Maintainer(s), please drop the vulnerable version.
> 
Done.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-05-24 03:52:01 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #14)
> (In reply to Yury German from comment #13)
> > Maintainer(s), please drop the vulnerable version.
> > 
> Done.

Thank you for cleanup.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:18:30 UTC
This issue was resolved and addressed in
 GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).