Bug 506454 (CVE-2013-5705) - <www-apache/mod_security-2.7.7: HTTP Requests Chunked Encoding Security Bypass Vulnerability (CVE-2013-5705)
Summary: <www-apache/mod_security-2.7.7: HTTP Requests Chunked Encoding Security Bypas...
Alias: CVE-2013-5705
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on:
Reported: 2014-04-01 12:52 UTC by Agostino Sarubbo
Modified: 2016-07-17 22:18 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2014-04-01 12:52:12 UTC
From ${URL} :


Martin Holst Swende has reported a vulnerability in ModSecurity, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused by an error in the "modsecurity_tx_init()" function (apache2/modsecurity.c), which can be exploited to bypass the HTTP request body processing via a specially crafted request using chunked encoding.

The vulnerability is reported in versions prior to 2.7.6.

Update to version 2.7.6 or later.

Provided and/or discovered by:
Martin Holst Swende

Original Advisory:

Martin Holst Swende:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Pacho Ramos gentoo-dev 2014-12-17 16:30:42 UTC
2.7.7 in the tree... maybe should be stabilized
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 16:08:30 UTC
CVE-2013-5705: apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
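The weakness in the CVE text, shown as an added example that is not ModSecurity's own code: a hypothetical filter that compares the Transfer-Encoding value byte-for-byte skips body inspection for "Chunked", while a check that normalizes the way HTTP requires (coding names are case-insensitive and the header may list several codings) engages it. The sample headers below are constructed.

```python
# Added example, not ModSecurity code. Contrasts a case-sensitive
# Transfer-Encoding check (the bug class behind CVE-2013-5705) with
# one that normalizes the value as RFC 7230 requires.


def weak_is_chunked(transfer_encoding: str) -> bool:
    """Hypothetical pre-fix style check: exact byte comparison only."""
    return transfer_encoding == "chunked"


def parse_transfer_codings(transfer_encoding: str) -> list:
    """Split a Transfer-Encoding value into lower-cased coding names.

    Transfer-parameters (";name=value") are dropped so that
    "Chunked ; x=y" still resolves to the coding name "chunked".
    """
    codings = []
    for item in transfer_encoding.split(","):
        name = item.split(";", 1)[0].strip().lower()
        if name:
            codings.append(name)
    return codings


def robust_is_chunked(transfer_encoding: str) -> bool:
    """Case-insensitive check: the final transfer-coding must be chunked."""
    codings = parse_transfer_codings(transfer_encoding)
    return bool(codings) and codings[-1] == "chunked"


def body_inspected(headers: dict, checker) -> bool:
    """Would a filter using `checker` engage body processing for `headers`?"""
    for name, value in headers.items():
        # Header field names are case-insensitive too.
        if name.lower() == "transfer-encoding":
            return checker(value)
    return False


# Constructed sample requests; a backend treats all three as chunked.
SAMPLES = {
    "lowercase": {"Transfer-Encoding": "chunked"},
    "capitalized": {"Transfer-Encoding": "Chunked"},
    "list": {"transfer-encoding": "gzip, Chunked"},
}


def compare_checkers() -> dict:
    """Per sample: (weak check inspects body?, robust check inspects body?)."""
    return {label: (body_inspected(h, weak_is_chunked),
                    body_inspected(h, robust_is_chunked))
            for label, h in SAMPLES.items()}
```

The mismatch between the filter's decision and the backend's is the bypass: the backend decodes the chunked body that the weak check never looked at.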
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-21 08:38:42 UTC
@arches, please stabilize the following:

Comment 4 Agostino Sarubbo gentoo-dev 2016-06-27 08:24:04 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-06-27 08:48:25 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-07-08 07:54:53 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-07-08 10:03:05 UTC
sparc stable.

Maintainer(s), please cleanup.