apache-2.2.29 fixes some bugs and known CVEs and should be stabilized asap. At least stable for me at amd64. Reproducible: Always
Fixed in Apache httpd 2.2.29

important: mod_cgid denial of service CVE-2014-0231
A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service.
Acknowledgements: This issue was reported by Rainer Jung of the ASF
Reported to security team: 16th June 2014
Issue public: 14th July 2014
Update Released: 3rd September 2014
Affects: 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: HTTP Trailers processing bypass CVE-2013-5704
HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the "MergeTrailers" directive to restore legacy behavior.
Acknowledgements: This issue was reported by Martin Holst Swende.
Reported to security team: 6th September 2013
Issue public: 19th October 2013
Update Released: 3rd September 2014
Affects: 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_deflate denial of service CVE-2014-0118
A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the "DEFLATE" input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration.
Acknowledgements: This issue was reported by Giancarlo Pellegrino and Davide Balzarotti
Reported to security team: 19th February 2014
Issue public: 14th July 2014
Update Released: 3rd September 2014
Affects: 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_status buffer overflow CVE-2014-0226
A race condition was found in mod_status. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a publicly accessible server status page.
Acknowledgements: This issue was reported by Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466 via HP ZDI
Reported to security team: 30th May 2014
Issue public: 14th July 2014
Update Released: 3rd September 2014
Affects: 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
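As an added example (not part of the bug report or of the Apache advisory), this Python script checks an httpd 2.2 configuration for the conditions the advisory text above ties to each CVE, so an admin can see which of them matter on a host that has not yet been upgraded. The sample configuration, the function names and the rule that a server-status block without "Deny from all" counts as public are assumptions made for illustration.

```python
import re

FLAGS = re.I | re.M
# Config conditions the advisory text names for two of the CVEs fixed in 2.2.29.
CONFIG_CHECKS = [
    ("CVE-2014-0231", r"^\s*LoadModule\s+cgid_module\b", "mod_cgid loaded"),
    ("CVE-2014-0118", r"^\s*SetInputFilter\s+.*\bDEFLATE\b", "DEFLATE input filter on request bodies"),
]
LOCATION = re.compile(r"<Location\b[^>]*>(.*?)</Location>", re.I | re.S)

def is_affected_22(version):
    # Any 2.2 branch version below the fixed release 2.2.29.
    return (2, 2, 0) <= tuple(int(p) for p in version.split(".")) < (2, 2, 29)

def public_status_page(conf):
    # Heuristic (assumption): a server-status block lacking "Deny from all" is public.
    for block in LOCATION.findall(conf):
        if re.search(r"^\s*SetHandler\s+server-status\b", block, FLAGS) \
                and not re.search(r"^\s*Deny\s+from\s+all\b", block, FLAGS):
            return True
    return False

def audit(conf, version, threaded_mpm):
    # Drop comment lines so disabled directives are not counted.
    conf = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    if not is_affected_22(version):
        # Fixed release: only an explicit "MergeTrailers on" restores the old trailer handling.
        if re.search(r"^\s*MergeTrailers\s+on\b", conf, FLAGS):
            return [("CVE-2013-5704", "MergeTrailers on restores legacy behavior")]
        return []
    findings = [("CVE-2013-5704", "trailers can replace headers before 2.2.29")]
    findings += [(cve, why) for cve, pat, why in CONFIG_CHECKS if re.search(pat, conf, FLAGS)]
    if threaded_mpm and public_status_page(conf):
        findings.append(("CVE-2014-0226", "public server-status on a threaded MPM"))
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
LoadModule cgid_module modules/mod_cgid.so
# SetInputFilter DEFLATE
<Location /server-status>
    SetHandler server-status
</Location>
"""

if __name__ == "__main__":
    for cve, why in audit(SAMPLE_CONF, "2.2.27", threaded_mpm=True):
        print(cve, why)
```

The MPM is compiled into httpd 2.2, so `threaded_mpm` has to be supplied by the caller (for example from the output of `httpd -V`).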
The 2.4 branch should be bumped as well.

Fixed in Apache httpd 2.4.11-dev

low: mod_proxy_fcgi out-of-bounds memory read CVE-2014-3583
An out-of-bounds memory read was found in mod_proxy_fcgi. A malicious FastCGI server could send a carefully crafted response which could lead to a crash when reading past the end of a heap memory or stack buffer. This issue affects version 2.4.10 only.
Acknowledgements: This issue was reported by Teguh P. Alko.
Reported to security team: 17th September 2014
Issue public: 12th November 2014
Affects: 2.4.10

low: mod_cache crash with empty Content-Type header CVE-2014-3581
A NULL pointer dereference was found in mod_cache. A malicious HTTP server could cause a crash in a caching forward proxy configuration. This crash would only be a denial of service if using a threaded MPM.
Issue public: 8th September 2014
Affects: 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1

low: HTTP Trailers processing bypass CVE-2013-5704
HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the "MergeTrailers" directive to restore legacy behavior.
Acknowledgements: This issue was reported by Martin Holst Swende.
Reported to security team: 6th September 2013
Issue public: 19th October 2013
Affects: 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1
Hey Lars, when do you have time for this? Do you need help here?
Sorry for the delay guys.

Arches please test and mark stable the following packages:

=app-admin/apache-tools-2.2.29
=www-servers/apache-2.2.29

with target KEYWORDS:
alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Stable for HPPA.
amd64 stable
x86 stable
arm stable
sparc stable
ppc64 stable
ppc stable
ia64 stable
alpha stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
ping on cleanup.
+ 16 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> + -apache-tools-2.2.27.ebuild, -apache-tools-2.2.27-r1.ebuild, + -apache-tools-2.4.10.ebuild: + Removed vulnerable versions. + + 16 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27-r4.ebuild, + -apache-2.4.10-r1.ebuild: + Removed vulnerable versions. +
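Review bot: both ChangeLog entries give only "Removed vulnerable versions." as the reason, with no bug reference, so the log alone does not say which issue made apache-2.2.27-r4, apache-2.4.10-r1 and the three apache-tools ebuilds vulnerable; adding the bug number to each entry would fix that. The second entry also drops apache-2.4.10-r1 while the stabilization request in this thread covers only 2.2.29, so it is worth confirming that a fixed 2.4 ebuild remains in the tree for users on that branch.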
This issue was resolved and addressed in GLSA 201504-03 at https://security.gentoo.org/glsa/201504-03 by GLSA coordinator Yury German (BlueKnight).