GLSA 200907-02: ModSecurity: Denial of Service
| Severity: | normal |
| Title: | ModSecurity: Denial of Service |
| Date: | 07/02/2009 |
| Bugs: | |
| ID: | 200907-02 |
Synopsis
Two vulnerabilities in ModSecurity might lead to a Denial of Service.Background
ModSecurity is a popular web application firewall for the Apache HTTP server.
Affected packages
| Package | Vulnerable | Unaffected | Architecture(s) |
|---|---|---|---|
| www-apache/mod_security | < 2.5.9 | >= 2.5.9 | All supported architectures |
Description
Multiple vulnerabilities were discovered in ModSecurity:
- Juan Galiana Lara of ISecAuditors discovered a NULL pointer dereference when processing multipart requests without a part header name (CVE-2009-1902).
- Steve Grubb of Red Hat reported that the "PDF XSS protection" feature does not properly handle HTTP requests to a PDF file that do not use the GET method (CVE-2009-1903).
Impact
A remote attacker might send requests containing specially crafted multipart data or send certain requests to access a PDF file, possibly resulting in a Denial of Service (crash) of the Apache HTTP daemon. NOTE: The PDF XSS protection is not enabled by default.
Workaround
There is no known workaround at this time.
Resolution
All ModSecurity users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apache/mod_security-2.5.9"
References
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.