2.4.9 released http://mail-archives.apache.org/mod_mbox/httpd-announce/201403.mbox/%3CF590EEF7-7D4F-4ED7-A810-97ED5AA17DCE%40apache.org%3E
Changelog: CVE-2014-0098 (cve.mitre.org) Segfaults with truncated cookie logging. mod_log_config: Prevent segfaults when logging truncated cookies. Clean up the cookie logging parser to recognize only the cookie=value pairs, not valueless cookies. CVE-2013-6438 (cve.mitre.org) mod_dav: Keep track of length of cdata properly when removing leading spaces. Eliminates a potential denial of service from specifically crafted DAV WRITE requests
+*apache-2.4.9 (18 Mar 2014) + + 18 Mar 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.4.6-r2.ebuild, + +apache-2.4.9.ebuild: + Security bump (bug #504990). Removed old. +
Patrick, do you know if those vulnerabilities affect 2.2.x too?
Reopening, as according to RHSA about those CVEs[1], 2.2 branch is also vulnerable [1] - https://rhn.redhat.com/errata/RHSA-2014-0369.html
These two CVE's are fixed in the 2.2 branch in 2.2.27, which is currently stable. Adding to an existing GLSA request.
CVE-2014-0098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0098): The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
CVE-2013-6438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6438): The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.
This issue was resolved and addressed in GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml by GLSA coordinator Kristian Fiskerstrand (K_F).