Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 543
Alerts This Week
Warning Icon 1 543

Ubuntu 14.10 USN-2523-1 Critical: Apache HTTP Server DoS Issues

ubuntu
Calendar Grey March 10, 2015
Dist Ubuntu Esm H88
Numerous vulnerabilities addressed in Apache HTTP Server across different Ubuntu releases. Users are advised to perform an update promptly.
Several security issues were fixed in the Apache HTTP Server.

Summary

Several security issues were fixed in the Apache HTTP Server.

Software Description:

- apache2: Apache HTTP server

Details:

Martin Holst Swende discovered that the mod_headers module allowed HTTP

trailers to replace HTTP headers during request processing. A remote

attacker could possibly use this issue to bypass RequestHeaders directives.

(CVE-2013-5704)

Mark Montague discovered that the mod_cache module incorrectly handled

empty HTTP Content-Type headers. A remote attacker could use this issue to

cause the server to stop responding, leading to a denial of service. This

issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-3581)

Teguh P. Alko discovered that the mod_proxy_fcgi module incorrectly

handled long response headers. A remote attacker could use this issue to

cause the server to stop responding, leading to a denial of service. This

issue only affected Ubuntu 14.10. (CVE-2014-3583)

It was discovered that the mod_lua module incorrectly h...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  apache2.2-bin                   2.4.10-1ubuntu1.1

Ubuntu 14.04 LTS:
  apache2.2-bin                   2.4.7-1ubuntu4.4

Ubuntu 12.04 LTS:
  apache2.2-bin                   2.2.22-1ubuntu1.8

Ubuntu 10.04 LTS:
  apache2.2-bin                   2.2.14-5ubuntu8.15

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2523-1

CVE-2013-5704, CVE-2014-3581, CVE-2014-3583, CVE-2014-8109,

CVE-2015-0228

Severity
critical
Lowest
Low
Medium
High
Critical

March 10, 2015

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.