| Summary: | <www-apache/mod_security-2.7.3 : XML External Entity Processing Vulnerability (CVE-2013-1915) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | flameeyes |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/52847/ | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Go for it, 2.7.3 is in tree and should be fine to go stable. Arches, please test and mark stable: =www-apache/mod_security-2.7.3 Target keywords : "amd64 ppc sparc x86 amd64 stable ppc stable x86 stable sparc stable CVE-2013-1915 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1915): ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability. GLSA vote: no. GLSA vote: no. Closing as [noglsa] |
From ${URL} : Description Positive Technologies has reported a vulnerability in ModSecurity, which can be exploited by malicious people to disclose potentially sensitive information or cause a DoS (Denial of Service). The vulnerability is caused due to an error when parsing external XML entities and can be exploited to e.g. disclose local files or cause excessive memory and CPU consumption. The vulnerability is reported in version 2.7.2. Prior versions may also be affected. Solution Update to version 2.7.3. Provided and/or discovered by Timur Yunusov and Alexey Osipov, Positive Technologies Original Advisory ModSecurity: https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES