ModSecurity: Denial of Service

1. Gentoo Linux Security Advisory

Version Information

Advisory Reference:  GLSA 200907-02 / mod_security
Release Date:        July 02, 2009
Latest Revision:     July 02, 2009: 01
Impact:              normal
Exploitable:         remote

Package                  Vulnerable versions   Unaffected versions   Architecture(s)
www-apache/mod_security  < 2.5.9               >= 2.5.9              All supported architectures

Related bugreports: #262302
Synopsis
Two vulnerabilities in ModSecurity might lead to a Denial of Service.
2. Impact Information
Background
ModSecurity is a popular web application firewall for the Apache HTTP
server.
Description
Multiple vulnerabilities were discovered in ModSecurity:

- Juan Galiana Lara of ISecAuditors discovered a NULL pointer dereference when processing multipart requests without a part header name (CVE-2009-1902).
- Steve Grubb of Red Hat reported that the "PDF XSS protection" feature does not properly handle HTTP requests to a PDF file that do not use the GET method (CVE-2009-1903).
Impact
A remote attacker might send requests containing specially crafted
multipart data or send certain requests to access a PDF file, possibly
resulting in a Denial of Service (crash) of the Apache HTTP daemon.
NOTE: The PDF XSS protection is not enabled by default.
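The first issue above is a parser that assumed every multipart part header carries a field name. The following is an added illustration, not ModSecurity's code: a small multipart/form-data parser that keeps a part whose Content-Disposition lacks a name= parameter (recorded as name=None) instead of dereferencing a missing value, plus a helper that flags such parts so a filter can log or reject the request. The boundary string and sample body are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Part:
    name: Optional[str]      # None when the part header has no name= parameter
    filename: Optional[str]
    headers: dict
    body: bytes

def _param(header_value: str, key: str) -> Optional[str]:
    """Return the quoted value of key= inside a Content-Disposition header, or None."""
    m = re.search(r'(?:^|;)\s*%s="([^"]*)"' % re.escape(key), header_value)
    return m.group(1) if m else None

def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart body into Parts without assuming a name is present."""
    delim = b"--" + boundary.encode()
    parts = []
    # First chunk is the preamble; the closing delimiter is followed by "--".
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break
        head, sep, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: missing header/body separator")
        headers = {}
        for line in head.split(b"\r\n"):
            if line:
                k, _, v = line.decode("latin-1").partition(":")
                headers[k.strip().lower()] = v.strip()
        disp = headers.get("content-disposition", "")
        if data.endswith(b"\r\n"):      # strip the CRLF that precedes the next delimiter
            data = data[:-2]
        parts.append(Part(_param(disp, "name"), _param(disp, "filename"), headers, data))
    return parts

def unnamed_parts(parts: list) -> list:
    """Indexes of parts with no field name; a filter can log or reject these."""
    return [i for i, p in enumerate(parts) if p.name is None]

# Constructed sample: the second part has no name= parameter.
BOUNDARY = "xYzZY"
SAMPLE = (
    b"--xYzZY\r\n"
    b'Content-Disposition: form-data; name="user"\r\n\r\n'
    b"alice\r\n"
    b"--xYzZY\r\n"
    b"Content-Disposition: form-data\r\n\r\n"
    b"orphan\r\n"
    b"--xYzZY--\r\n"
)
```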
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All ModSecurity users should upgrade to the latest version:
Code Listing 3.1: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apache/mod_security-2.5.9"
4. References

CVE-2009-1902
CVE-2009-1903