Administrator
Posted July 22, 2013

SUMMARY
Mod_Security was found to have a Remote Null Pointer Dereference vulnerability that could cause it to crash.

SECURITY RATING
The cPanel Security Team has rated this update as having moderate security impact. Information on security ratings is available at: http://go.cpanel.net/securitylevels.

DETAIL
CVE-2013-2765 states: “When forceRequestBodyVariable action is triggered and a unknown Content-Type is used, mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL.”

AFFECTED VERSIONS
All versions of mod_security before 2.7.4.

SOLUTION
cPanel, Inc has released EasyApache 3.20.4 which includes mod_security version 2.7.4 to correct this issue. To update, rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea).

RELEASES
EasyApache v3.20.4 addresses the mod_security vulnerability. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

REFERENCES
CVE-2013-2765 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765)
Red Hat Security Response Team (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765)
Mod_Security ChangeLog (https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES)

For the PGP signed message, please go here.
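
An added example, not part of the cPanel advisory: a shell check that reads Apache error_log text, extracts ModSecurity startup banners, and flags any version before 2.7.4, the fixed release named above. The banner format (`ModSecurity for Apache/<version>`), the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ModSecurity versions older than 2.7.4 from startup banners.

# Exit status: 0 = older than 2.7.4 (affected), 1 = 2.7.4 or later,
# 2 = not a plain dotted version string.
is_affected() {
    ver=${1%%-*}                       # drop suffixes such as "-rc1"
    case $ver in
        ''|*[!0-9.]*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                        # split into major minor patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 7 ] && return 0
    [ "$minor" -gt 7 ] && return 1
    [ "$patch" -lt 4 ] && return 0
    return 1
}

# Read log text on stdin, print each distinct ModSecurity version seen.
banner_versions() {
    sed -n 's/.*ModSecurity for Apache\/\([0-9][0-9.]*\).*/\1/p' | sort -u
}

# Read log text on stdin, print one verdict line per version found.
report() {
    banner_versions | while read -r v; do
        if is_affected "$v"; then
            echo "$v AFFECTED (before 2.7.4)"
        else
            echo "$v ok"
        fi
    done
}

# Constructed sample lines (assumed banner format, not taken from a real host).
sample_log() {
    cat <<'EOF'
[Mon Jul 22 09:14:02 2013] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Mon Jul 22 09:14:03 2013] [notice] Apache/2.2.25 (Unix) configured -- resuming normal operations
[Tue Jul 23 11:40:17 2013] [notice] ModSecurity for Apache/2.7.4 (http://www.modsecurity.org/) configured.
EOF
}

sample_log | report
```

To use it on a real host, pipe the Apache error log into `report` in place of `sample_log`; the most recent banner after a rebuild is the one that reflects the running module.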