From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1896 to the following vulnerability:

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.

References:
http://www.apache.org/dist/httpd/Announcement2.2.html
http://svn.apache.org/viewvc?view=revision&revision=1485668

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
+*apache-tools-2.2.25 (18 Jul 2013) + + 18 Jul 2013; Lars Wendler <polynomial-c@gentoo.org> + +apache-tools-2.2.25.ebuild: + Security bump (permission granted by bonsaikitten). + +*apache-2.2.25 (18 Jul 2013) + + 18 Jul 2013; Lars Wendler <polynomial-c@gentoo.org> +apache-2.2.25.ebuild: + Security bump (permission granted by bonsaikitten). +
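Review bot: Both ChangeLog entries say only "Security bump (permission granted by bonsaikitten)." and do not name what is being fixed. Adding the identifier CVE-2013-1896 to each entry would let someone reading the ChangeLog alone connect the apache-2.2.25 and apache-tools-2.2.25 bumps to the mod_dav issue.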
Arches, please test and mark stable:
=app-admin/apache-tools-2.2.25
=www-servers/apache-2.2.25
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 stable
x86 stable
ppc stable
ppc64 stable
Stable for HPPA.
arm stable
alpha stable
sparc stable
ia64 stable
s390 stable
sh stable
Added to existing GLSA draft.
CVE-2013-1896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1896): mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
This issue was resolved and addressed in GLSA 201309-12 at http://security.gentoo.org/glsa/glsa-201309-12.xml by GLSA coordinator Sean Amoss (ackle).