| Field | Value |
|---|---|
| Summary | <www-servers/apache-2.2.25: mod_rewrite allows terminal escape sequences to be written to the log file (CVE-2013-1862) |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | alexanderyt, andreis.vinogradovs, mail, mike, patrick |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=953729 |
| Whiteboard | A3 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 476568 |
| Bug Blocks | |
| Attachments | |
Description
Agostino Sarubbo
2013-04-19 19:37:00 UTC
Vulnerability Summary for CVE-2013-1862: Exploitability Subscore: 4.9. Authentication: Not required to exploit. Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service.

Vulnerable software and versions (version from portage listed): cpe:/a:apache:http_server:2.2.4, cpe:/a:apache:http_server:2.2.24

Created attachment 352658: A modified ebuild of version 2.2.24 which applies files/mod_rewrite-CVE-2013-1862.patch

@maintainers: This is fixed in 2.2.25, just released.

Added to existing GLSA draft.

CVE-2013-1862 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1862): mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator.

This issue was resolved and addressed in GLSA 201309-12 at http://security.gentoo.org/glsa/glsa-201309-12.xml by GLSA coordinator Sean Amoss (ackle).
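The root cause described above is that request-derived data reached the rewrite log with control bytes intact, so anyone viewing the log in a terminal received the raw escape sequence. The following is an added illustration, not code from Apache or from the patch on this bug: `escape_log_item` rewrites a log field so that every non-printable byte is rendered as `\xHH` (the same kind of escaping Apache's own `ap_escape_logitem` performs), and `log_line_has_raw_escape` is an assumed helper for auditing already-written logs for raw ESC bytes.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one log field so that a terminal displaying the log never
 * receives raw control bytes. Printable ASCII is copied unchanged,
 * backslash and double quote are backslash-escaped, and every other
 * byte (ESC, CR, LF, DEL, bytes >= 0x80) becomes \xHH.
 * Caller frees the returned buffer. Illustrative reimplementation,
 * not Apache's ap_escape_logitem itself. */
char *escape_log_item(const char *s)
{
    size_t len = strlen(s);
    char *out = malloc(len * 4 + 1);   /* worst case: every byte -> \xHH */
    if (!out)
        return NULL;
    char *p = out;
    for (const unsigned char *c = (const unsigned char *)s; *c; c++) {
        if (*c == '\\' || *c == '"') {
            *p++ = '\\';
            *p++ = (char)*c;
        } else if (*c < 0x20 || *c >= 0x7f) {
            p += sprintf(p, "\\x%02x", *c);
        } else {
            *p++ = (char)*c;
        }
    }
    *p = '\0';
    return out;
}

/* Assumed audit helper: returns 1 if a line already on disk (written by
 * an unpatched server) still carries a raw ESC byte, 0 otherwise. */
int log_line_has_raw_escape(const char *line)
{
    return strchr(line, 0x1b) != NULL;
}

int main(void)
{
    /* constructed request path carrying a terminal "clear screen" sequence */
    const char *tainted = "/index.html\x1b[2J?x=\"a\\b\"";
    char *safe = escape_log_item(tainted);
    printf("raw field has ESC: %d\n", log_line_has_raw_escape(tainted));
    printf("escaped field:     %s\n", safe);
    printf("escaped has ESC:   %d\n", log_line_has_raw_escape(safe));
    free(safe);
    return 0;
}
```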