Bug 504990 (CVE-2013-6438) - <www-servers/apache-{2.4.9,2.2.27-r4}: two DoS (CVE-2013-6438, CVE-2014-0098)
Status: RESOLVED FIXED
Alias: CVE-2013-6438
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2014-03-18 16:45 UTC by Nilesh Govindrajan
Modified: 2014-08-31 11:18 UTC

Comment 1 Agostino Sarubbo gentoo-dev 2014-03-18 17:03:13 UTC
Changelog:

CVE-2014-0098 (cve.mitre.org)
 Segfaults with truncated cookie logging.
 mod_log_config: Prevent segfaults when logging truncated
 cookies. Clean up the cookie logging parser to recognize
 only the cookie=value pairs, not valueless cookies.

CVE-2013-6438 (cve.mitre.org)
 mod_dav: Keep track of length of cdata properly when removing
 leading spaces. Eliminates a potential denial of service from
 specifically crafted DAV WRITE requests
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2014-03-18 18:49:59 UTC
+*apache-2.4.9 (18 Mar 2014)
+
+  18 Mar 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.4.6-r2.ebuild,
+  +apache-2.4.9.ebuild:
+  Security bump (bug #504990). Removed old.
+
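Review bot: the entry text "Security bump (bug #504990). Removed old." identifies the fix only by bug number; naming CVE-2013-6438 and CVE-2014-0098 there would let anyone searching the ChangeLog by CVE find this bump. The same entry drops apache-2.4.6-r2.ebuild in the commit that adds apache-2.4.9.ebuild, so it is worth confirming that 2.4.9 carries the keywords that users of 2.4.6-r2 relied on before the old ebuild is removed.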
Comment 3 Agostino Sarubbo gentoo-dev 2014-03-18 19:56:02 UTC
Patrick, do you know if those vulnerabilities affect 2.2.x too?
Comment 4 Sergey Popov gentoo-dev Security 2014-04-28 12:57:39 UTC
Reopening, as according to the RHSA about those CVEs [1], the 2.2 branch is also vulnerable.

[1] - https://rhn.redhat.com/errata/RHSA-2014-0369.html
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-26 14:26:01 UTC
These two CVEs are fixed in the 2.2 branch in 2.2.27, which is currently stable.

Adding to an existing GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-08-26 14:51:46 UTC
CVE-2014-0098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0098):
  The log_cookie function in mod_log_config.c in the mod_log_config module in
  the Apache HTTP Server before 2.4.8 allows remote attackers to cause a
  denial of service (segmentation fault and daemon crash) via a crafted cookie
  that is not properly handled during truncation.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-08-26 14:52:12 UTC
CVE-2013-6438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6438):
  The dav_xml_get_cdata function in main/util.c in the mod_dav module in the
  Apache HTTP Server before 2.4.8 does not properly remove whitespace
  characters from CDATA sections, which allows remote attackers to cause a
  denial of service (daemon crash) via a crafted DAV WRITE request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-08-29 11:13:12 UTC
This issue was resolved and addressed in
 GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:18:23 UTC
This issue was resolved and addressed in
 GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).