Jump to content

Security Advisory 2013-07-22


Recommended Posts

Mod_Security was found to have a Remote Null Pointer Dereference vulnerability that could cause it to crash.

The cPanel Security Team has rated this update has having moderate security impact.
Information on security ratings is available at: http://go.cpanel.net/securitylevels.

CVE-2013-2765 states: “When forceRequestBodyVariable action is triggered and a unknown Content-Type is used, mod_security
will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL.”

All versions of mod_security before 2.7.4.

cPanel, Inc has released EasyApache 3.20.4 which includes mod_security version 2.7.4 to correct this issue. To update, rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea)

EasyApache v3.20.4 addresses the mod_security vulnerability.
Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

CVE-2013-2765 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765)
Red Hat Security Response Team (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765)
Mod_Security ChangeLog (https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES)

For the PGP signed message, please go here.

View the full article
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...