Administrator
Posted July 24, 2013

SUMMARY

The Apache HTTPD Server Project has released httpd-2.2.25 and httpd-2.4.6 to correct multiple vulnerabilities that were issued CVEs.

Apache HTTP Server 2.2.25

CVE-2013-1896
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

CVE-2013-1862
mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.

AFFECTED VERSIONS

All versions of Apache 2.2 before 2.2.25.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-1896 – MEDIUM
CVE-2013-1862 – MEDIUM

Apache HTTP Server 2.4.6

CVE-2013-2249
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.

CVE-2013-1896
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

AFFECTED VERSIONS

All versions of Apache 2.4 before 2.4.6.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-2249 – HIGH
CVE-2013-1896 – MEDIUM

SOLUTION

cPanel, Inc. has released EasyApache 3.20.6 with updated versions of Apache 2.2 and 2.4 to correct these issues. To update, please rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea).

Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

REFERENCES

CVE-2013-1862 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1862)
CVE-2013-2249 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2249)
CVE-2013-1896 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1896)
Apache 2.2.25 Announcement (http://www.apache.org/dist/httpd/Announcement2.2.html)
Apache 2.4.6 Announcement (http://www.apache.org/dist/httpd/Announcement2.4.html)

For the PGP Signed message, please go here.
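One way to check existing RewriteLog files for the raw terminal escape sequences that CVE-2013-1862 refers to, as an added example that is not part of the advisory or of Apache's code. The sample log lines are constructed, and the function names and the \xNN rendering are this example's own choices.

```python
import re

# Bytes a terminal may interpret: C0 controls except tab, plus DEL.
# Newline is not matched because the input is split into lines first.
CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


def render_safe(raw: bytes) -> str:
    """Return the line with control bytes shown as visible \\xNN text."""
    # Double existing backslashes first so the rendering stays unambiguous.
    escaped = raw.replace(b"\\", b"\\\\")
    visible = CONTROL.sub(lambda m: b"\\x%02x" % m.group()[0], escaped)
    return visible.decode("utf-8", errors="backslashreplace")


def scan_log(data: bytes):
    """Yield (line_number, control_byte_count, safe_rendering) per suspect line."""
    for number, line in enumerate(data.split(b"\n"), start=1):
        line = line.rstrip(b"\r")  # tolerate CRLF line endings
        hits = CONTROL.findall(line)
        if hits:
            yield number, len(hits), render_safe(line)


# Constructed sample, not from a real server. Line 2 carries a raw ESC byte
# in the client-supplied part; line 3 only has the percent-encoded text
# "%1b", which is ordinary printable characters and must not be flagged.
SAMPLE_LOG = (
    b"192.0.2.10 - - [24/Jul/2013:10:00:01 +0000] (2) init rewrite engine "
    b"with requested uri /index.html\n"
    b"192.0.2.11 - - [24/Jul/2013:10:00:02 +0000] (2) init rewrite engine "
    b"with requested uri /\x1b[2Jx\n"
    b"192.0.2.12 - - [24/Jul/2013:10:00:03 +0000] (2) init rewrite engine "
    b"with requested uri /a%1b[2J\n"
)

if __name__ == "__main__":
    for number, count, safe in scan_log(SAMPLE_LOG):
        print(f"line {number}: {count} control byte(s): {safe}")
```

Reading a suspect log through `render_safe` rather than `cat` or `tail` keeps any embedded sequence from reaching the terminal.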