A race condition in apache's mod_status can lead to a buffer overflow. Source: http://www.zerodayinitiative.com/advisories/ZDI-14-236/ Fix is in upstream's apache 2.4.10 which is not yet released but a pre-release package is available and release should be ready within the next days: https://mail-archives.apache.org/mod_mbox/httpd-dev/201407.mbox/%3C81300987-8AB3-4364-81F5-53F803B39DA4%40jaguNET.com%3E I don't know about the status in apache 2.2.
(In reply to Hanno Boeck from comment #0)
> I don't know about the status in apache 2.2.
Seems to be fixed in 2.2.28, but also not released yet: http://mail-archives.apache.org/mod_mbox/httpd-cvs/201407.mbox/%3C20140714203433.31B4D23889D5@eris.apache.org%3E
Finally apache 2.4.10 has been released. 2.2.28 not yet.
CVE-2014-0226 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0226): Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.
Ebuilds for 2.4.10 have been committed
Maintainer(s): please let us know when the ebuild is ready for stabilization.
(In reply to Yury German from comment #5)
> Maintainer(s): please let us know when the ebuild is ready for
> stabilization.
Unfortunately not yet. Patrick added the ebuilds without my permission omitting all the changes I wanted to incorporate in a new patchset. So please wait for apache-2.4.10-r1.
Please advise or call for stabilization when ready.
+*apache-2.4.10-r1 (31 Jul 2014) +*apache-2.2.27-r4 (31 Jul 2014) + + 31 Jul 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27-r3.ebuild, + +apache-2.2.27-r4.ebuild, -apache-2.4.10.ebuild, +apache-2.4.10-r1.ebuild: + Revbumps to fix security bugs (see #517298). Removed old. +
I've added apache-2.2.27-r4 which fixes the following security bugs: CVE-2014-0118, CVE-2014-0226 and CVE-2014-0231.
apache-2.4.x still isn't stable and I prefer to not stabilize it yet.
Arches please test and mark stable =www-server/apache-2.2.27-r4 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
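Review bot: the entry text "Revbumps to fix security bugs (see #517298). Removed old." gives only the bug number. Listing the CVE identifiers addressed by each revbump in the ChangeLog entry itself would let someone reading the ChangeLog alone see which revision closes which issue, and "Removed old." could say that the dropped -r3 and 2.4.10 ebuilds are the ones being superseded for security reasons.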
Stabilized www-servers/apache-2.2.27-r4 on alpha.
Stabilizing only: apache-2.2.27-r4 Please do not close bug at the end, we will wait for apache-2.4.x to stabilize.
amd64 stable
x86 stable
arm stable
Stable for HPPA.
ppc stable
ppc64 stable
ia64 stable
sparc stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
+ 16 Aug 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27.ebuild, + -apache-2.4.9-r3.ebuild, -files/00_systemd.conf, + -files/httpd-2.4.3-mod_systemd.patch, -files/2.2.22-envvars-std.in, + -files/apache2.4.service, -files/gentoo-apache-2.2.23-initd_fixups.patch: + Removed vulnerable versions. +
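Review bot: "Removed vulnerable versions." carries no bug reference, unlike the 31 Jul entry's "(see #517298)", and does not mention that the commit also drops several files/ entries (00_systemd.conf, httpd-2.4.3-mod_systemd.patch, apache2.4.service and others). Adding the bug number and a short word on why those files go along with the ebuilds would make the entry self-explanatory.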
Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml by GLSA coordinator Kristian Fiskerstrand (K_F).