Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 506458 (CVE-2013-5704)

Summary: <www-servers/apache-2.2.31: bypass of mod_headers rules via chunked requests (CVE-2013-5704)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1082903
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-04-01 12:56:25 UTC
From ${URL} :

Martin Holst Swende discovered a flaw in the way mod_headers handled chunked requests. A remote attacker 
could use this flaw to bypass intended mod_headers restrictions, allowing them to send requests to 
applications that include headers that should have been removed by mod_headers.

Discussion and a possible patch is available from the following thread:

http://marc.info/?t=138219209900002&r=1&w=2

References:

http://martin.swende.se/blog/HTTPChunked.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 15:27:55 UTC
CVE-2013-5704 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5704):
  The mod_headers module in the Apache HTTP Server 2.2.22 allows remote
  attackers to bypass "RequestHeader unset" directives by placing a header in
  the trailer portion of data sent with chunked transfer coding.  NOTE: the
  vendor states "this is not a security issue in httpd as such."
Comment 2 Pacho Ramos gentoo-dev 2016-02-08 19:00:31 UTC
this should be already fixed in current versions in the tree:
https://bugzilla.redhat.com/show_bug.cgi?id=1082903#c8
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-21 08:42:47 UTC
Current versions in tree are not vulnerable.

GLSA Vote: No