Jump to content

Security Advisory 2013-07-22


Administrator

Recommended Posts

SUMMARY
Mod_Security was found to have a Remote Null Pointer Dereference vulnerability that could cause it to crash.

SECURITY RATING
The cPanel Security Team has rated this update has having moderate security impact.
Information on security ratings is available at: http://go.cpanel.net/securitylevels.

DETAIL
CVE-2013-2765 states: “When forceRequestBodyVariable action is triggered and a unknown Content-Type is used, mod_security
will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL.”

AFFECTED VERSIONS
All versions of mod_security before 2.7.4.

SOLUTION
cPanel, Inc has released EasyApache 3.20.4 which includes mod_security version 2.7.4 to correct this issue. To update, rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea)

RELEASES
EasyApache v3.20.4 addresses the mod_security vulnerability.
Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

REFERENCES
CVE-2013-2765 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765)
Red Hat Security Response Team (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765)
Mod_Security ChangeLog (https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES)

For the PGP signed message, please go here.



View the full article
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...