A race condition in apache's mod_status can lead to a buffer overflow.
Fix is in upstream's apache 2.4.10 which is not yet released but a pre-release package is available and release should be ready within the next days:
I don't know about the status in apache 2.2.
(In reply to Hanno Boeck from comment #0)
> I don't know about the status in apache 2.2.
Seems to be fixed in 2.2.28, but also not released yet:
Finally apache 2.4.10 has been released. 2.2.28 not yet.
Race condition in the mod_status module in the Apache HTTP Server before
2.4.10 allows remote attackers to cause a denial of service (heap-based
buffer overflow), or possibly obtain sensitive credential information or
execute arbitrary code, via a crafted request that triggers improper
scoreboard handling within the status_handler function in
modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in
Ebuilds for 2.4.10 have been committed
Maintainer(s): please let us know when the ebuild is ready for stabilization.
(In reply to Yury German from comment #5)
> Maintainer(s): please let us know when the ebuild is ready for
Unfortunately not yet. Patrick added the ebuilds without my permission omitting all the changes I wanted to incorporate in a new patchset. So please wait for apache-2.4.10-r1.
Please advise or call for stabilization when ready.
+*apache-2.4.10-r1 (31 Jul 2014)
+*apache-2.2.27-r4 (31 Jul 2014)
+ 31 Jul 2014; Lars Wendler <email@example.com> -apache-2.2.27-r3.ebuild,
+ +apache-2.2.27-r4.ebuild, -apache-2.4.10.ebuild, +apache-2.4.10-r1.ebuild:
+ Revbumps to fix security bugs (see #517298). Removed old.
I've added apache-2.2.27-r4 which fixes the following security bugs:
CVE-2014-0118, CVE-2014-0226 and CVE-2014-0231
apache-2.4.x still isn't stable and I prefer to not stbilize it yet.
Arches please test and mark stable =www-server/apache-2.2.27-r4 with target KEYWORDS:
alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Stabilized www-servers/apache-2.2.27-r4 on alpha.
Please do not close bug at the end, we will wait for apache-2.4.x to stabilize.
Stable for HPPA.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
+ 16 Aug 2014; Lars Wendler <firstname.lastname@example.org> -apache-2.2.27.ebuild,
+ -apache-2.4.9-r3.ebuild, -files/00_systemd.conf,
+ -files/httpd-2.4.3-mod_systemd.patch, -files/2.2.22-envvars-std.in,
+ -files/apache2.4.service, -files/gentoo-apache-2.2.23-initd_fixups.patch:
+ Removed vulnerable versions.
Arches and Mainter(s), Thank you for your work.
Added to an existing GLSA request.
This issue was resolved and addressed in
GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).