Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 476568 (CVE-2013-1896) - <www-servers/apache-2.2.25: mod_dav crash via a URI MERGE request with source URI not handled by mod_dav (CVE-2013-1896)
Summary: <www-servers/apache-2.2.25: mod_dav crash via a URI MERGE request with source...
Status: RESOLVED FIXED
Alias: CVE-2013-1896
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2013-1862 unit-in-stable
  Show dependency tree
 
Reported: 2013-07-11 19:42 UTC by Agostino Sarubbo
Modified: 2013-09-23 23:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-07-11 19:42:01 UTC
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1896 to the following 
vulnerability:

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is 
enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) 
via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a 
certain href attribute in XML data refers to a non-DAV URI.

References:
http://www.apache.org/dist/httpd/Announcement2.2.html
http://svn.apache.org/viewvc?view=revision&revision=1485668


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-07-18 13:29:41 UTC
+*apache-tools-2.2.25 (18 Jul 2013)
+
+  18 Jul 2013; Lars Wendler <polynomial-c@gentoo.org>
+  +apache-tools-2.2.25.ebuild:
+  Security bump (permission granted by bonsaikitten).
+


+*apache-2.2.25 (18 Jul 2013)
+
+  18 Jul 2013; Lars Wendler <polynomial-c@gentoo.org> +apache-2.2.25.ebuild:
+  Security bump (permission granted by bonsaikitten).
+
Comment 2 Agostino Sarubbo gentoo-dev 2013-07-22 12:05:20 UTC
Arches, please test and mark stable:
=app-admin/apache-tools-2.2.25
=www-servers/apache-2.2.25
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-07-22 13:16:59 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-07-22 13:17:15 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-22 13:17:31 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-22 13:17:44 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-22 13:44:25 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-23 20:02:24 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-07-30 12:21:15 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-08-03 07:45:23 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-08-04 11:43:09 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-08-06 12:35:57 UTC
s390 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-08-08 12:37:07 UTC
sh stable
Comment 14 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-23 14:48:21 UTC
Added to existing GLSA draft.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 03:21:05 UTC
CVE-2013-1896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1896):
  mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly
  determine whether DAV is enabled for a URI, which allows remote attackers to
  cause a denial of service (segmentation fault) via a MERGE request in which
  the URI is configured for handling by the mod_dav_svn module, but a certain
  href attribute in XML data refers to a non-DAV URI.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-09-23 23:43:57 UTC
This issue was resolved and addressed in
 GLSA 201309-12 at http://security.gentoo.org/glsa/glsa-201309-12.xml
by GLSA coordinator Sean Amoss (ackle).