Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 506458 (CVE-2013-5704) - <www-servers/apache-2.2.31: bypass of mod_headers rules via chunked requests (CVE-2013-5704)
Summary: <www-servers/apache-2.2.31: bypass of mod_headers rules via chunked requests ...
Status: RESOLVED FIXED
Alias: CVE-2013-5704
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-01 12:56 UTC by Agostino Sarubbo
Modified: 2016-06-21 08:42 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-01 12:56:25 UTC
From ${URL} :

Martin Holst Swende discovered a flaw in the way mod_headers handled chunked requests. A remote attacker 
could use this flaw to bypass intended mod_headers restrictions, allowing them to send requests to 
applications that include headers that should have been removed by mod_headers.

Discussion and a possible patch is available from the following thread:

http://marc.info/?t=138219209900002&r=1&w=2

References:

http://martin.swende.se/blog/HTTPChunked.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 15:27:55 UTC
CVE-2013-5704 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5704):
  The mod_headers module in the Apache HTTP Server 2.2.22 allows remote
  attackers to bypass "RequestHeader unset" directives by placing a header in
  the trailer portion of data sent with chunked transfer coding.  NOTE: the
  vendor states "this is not a security issue in httpd as such."
Comment 2 Pacho Ramos gentoo-dev 2016-02-08 19:00:31 UTC
this should be already fixed in current versions in the tree:
https://bugzilla.redhat.com/show_bug.cgi?id=1082903#c8
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-21 08:42:47 UTC
Current versions in tree are not vulnerable.

GLSA Vote: No