Ubuntu
apache2 package

mod_headers CVE-2013-5704

Bug #1425141 reported by Gerald Drouillard
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Fix Released
Undecided
Unassigned
Lucid
Fix Released
Low
Unassigned
Precise
Fix Released
Low
Unassigned
Trusty
Fix Released
Low
Unassigned
Utopic
Fix Released
Low
Unassigned
Vivid
Fix Released
Undecided
Unassigned

Bug Description

The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.

Nothing in the 14.04 LTS apache2 2.4.7-1ubuntu4.1 changelog shows that this has been address:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581

Looks like it is fixed in apache2 (2.4.10-2) unstable; urgency=medium

  * Pull changes from upstream 2.4.x branch up to r1626207
    + Security Fix for CVE-2013-5704: HTTP trailers could be used to
      replace HTTP headers late during request processing, potentially
      undoing or otherwise confusing modules that examined or modified
      request headers earlier.
      Adds "MergeTrailers" directive to restore legacy behavior.

Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Changed in apache2 (Ubuntu Lucid):
status: New → Confirmed
Changed in apache2 (Ubuntu Vivid):
status: New → Fix Released
Changed in apache2 (Ubuntu Utopic):
status: New → Confirmed
Changed in apache2 (Ubuntu Trusty):
status: New → Confirmed
Changed in apache2 (Ubuntu Precise):
status: New → Confirmed
Changed in apache2 (Ubuntu Lucid):
importance: Undecided → Low
Changed in apache2 (Ubuntu Precise):
importance: Undecided → Low
Changed in apache2 (Ubuntu Trusty):
importance: Undecided → Low
Changed in apache2 (Ubuntu Utopic):
importance: Undecided → Low
Revision history for this message
Gerald Drouillard (gerald-drouillard) wrote :

If you must use the mod, it looks like a good work around until this is fixed, is to install Ondřej Surý PPA for Apache2.x. The PPA has apache 2.4.12 for ubuntu trusty and other versions.
https://launchpad.net/~ondrej/+archive/ubuntu/apache2
I have been running 2.4.12 for a few days now on trusty with no issues and the PCI scanners are happy.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.10-1ubuntu1.1

---------------
apache2 (2.4.10-1ubuntu1.1) utopic-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
  * SECURITY UPDATE: mod_proxy_fcgi deial of service via long response
    headers
    - debian/patches/CVE-2014-3583.patch: properly handle length in
      modules/aaa/mod_authnz_fcgi.c, modules/proxy/mod_proxy_fcgi.c.
    - CVE-2014-3583
  * SECURITY UPDATE: restriction bypass in mod_lua via multiple Require
    directives
    - debian/patches/CVE-2014-8109.patch: handle multiple Require
      directives with different arguments in modules/lua/mod_lua.c.
    - CVE-2014-8109
  * SECURITY UPDATE: denial of service in mod_lua via websockets PING
    - debian/patches/CVE-2015-0228.patch: fix logic in
      modules/lua/lua_request.c.
    - CVE-2015-0228
 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:05:47 -0500

Changed in apache2 (Ubuntu Utopic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.15

---------------
apache2 (2.2.14-5ubuntu8.15) lucid-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.dpatch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704
 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:45:09 -0500

Changed in apache2 (Ubuntu Lucid):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.7-1ubuntu4.4

---------------
apache2 (2.4.7-1ubuntu4.4) trusty-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, server/core.c, server/protocol.c.
    - CVE-2013-5704
  * SECURITY UPDATE: mod_cache denial of service via empty HTTP
    Content-Type header
    - debian/patches/CVE-2014-3581.patch: check for NULL in
      modules/cache/cache_util.c.
    - CVE-2014-3581
 -- Marc Deslauriers <email address hidden> Tue, 10 Mar 2015 07:42:50 -0400

Changed in apache2 (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.22-1ubuntu1.8

---------------
apache2 (2.2.22-1ubuntu1.8) precise-security; urgency=medium

  * SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
    - debian/patches/CVE-2013-5704.patch: don't merge trailers by default
      and add a "MergeTrailers" directive to revert to previous behaviour
      to include/http_core.h, include/httpd.h, modules/http/http_filters.c,
      modules/http/http_request.c, modules/loggers/mod_log_config.c,
      modules/proxy/mod_proxy_http.c, modules/proxy/proxy_util.c,
      server/core.c, server/protocol.c.
    - CVE-2013-5704
 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2015 12:40:00 -0500

Changed in apache2 (Ubuntu Precise):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.