from URL:
Changes with Apache 2.2.27
  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
     Clean up cookie logging with fewer redundant string parsing passes. Log only cookies with a value assignment. Prevents segfaults when logging truncated cookies. [William Rowe, Ruediger Pluem, Jim Jagielski]
  *) SECURITY: CVE-2013-6438 (cve.mitre.org)
     mod_dav: Keep track of length of cdata properly when removing leading spaces. Eliminates a potential denial of service from specifically crafted DAV WRITE requests [Amin Tora <Amin.Tora neustar.biz>]
Arches please test and mark stable the following packages:
=app-admin/apache-tools-2.2.27
=www-servers/apache-2.2.27
Target keywords: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
amd64 stable
Stable for HPPA.
x86 stable
arm stable
CVE-2014-0098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0098): The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
CVE-2013-6438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6438): The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.
ppc stable
ppc64 stable
ia64 stable
sparc stable
alpha stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.
New GLSA Request filed.
(In reply to Yury German from comment #13)
> Maintainer(s), please drop the vulnerable version.
>
Done.
(In reply to Lars Wendler (Polynomial-C) from comment #14)
> (In reply to Yury German from comment #13)
> > Maintainer(s), please drop the vulnerable version.
> >
> Done.
Thank you for cleanup.
This issue was resolved and addressed in GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml by GLSA coordinator Kristian Fiskerstrand (K_F).