Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 471690 (CVE-2013-2765) - <www-apache/mod_security-2.7.4 : "forceRequestBodyVariable" NULL Pointer Dereference Vulnerability (CVE-2013-2765)
Summary: <www-apache/mod_security-2.7.4 : "forceRequestBodyVariable" NULL Pointer Dere...
Alias: CVE-2013-2765
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2013-05-29 12:25 UTC by Agostino Sarubbo
Modified: 2014-01-27 13:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-05-29 12:25:49 UTC
From ${URL} :

A vulnerability has been reported in ModSecurity, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when processing the "forceRequestBodyVariable" action and can be exploited to cause a NULL pointer 
dereference via specially crafted HTTP requests.

The vulnerability is reported in versions prior to 2.7.4.

Update to version 2.7.4.

Provided and/or discovered by
The vendor credits Younes Jaaidi.

Original Advisory

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-05-29 12:57:49 UTC
Okay this is ready in tree for stabilization IMHO.
Comment 2 Agostino Sarubbo gentoo-dev 2013-05-29 13:20:31 UTC
Arches, please test and mark stable:
Target keywords : "amd64 ppc sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-06-04 12:27:47 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-06-04 12:31:12 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-06-09 12:13:05 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-06-09 12:13:14 UTC
ppc stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 18:11:41 UTC
CVE-2013-2765 (
  The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote
  attackers to cause a denial of service (NULL pointer dereference, process
  crash, and disk consumption) via a POST request with a large body and a
  crafted Content-Type header.
Comment 8 Sergey Popov gentoo-dev 2013-08-30 10:31:45 UTC
Thanks for your work

GLSA vote: no
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 13:41:34 UTC
GLSA vote: no.

Closing as [noglsa]