Univention Bugzilla – Bug 33286
apache2: Multiple issues (3.2)
Last modified: 2015-09-09 11:31:14 CEST
+++ This bug was initially created as a clone of Bug #31300 +++
mod_write doesn't filter log file data for non-printable character (CVE-2013-1862)
Denial of service in mod_dav (CVE-2013-1896)
Denial of service in mod_log_config (CVE-2014-0098)
Denial of service in mod_dav (CVE-2013-6438)
(In reply to Moritz Muehlenhoff from comment #0)
> +++ This bug was initially created as a clone of Bug #31300 +++
>
> mod_write doesn't filter log file data for non-printable character
> (CVE-2013-1862)
>
> Denial of service in mod_dav (CVE-2013-1896)

These two issues were fixed with the update to Squeeze 6.0.9 (Bug 34588); the other issues remain unfixed.
(In reply to Moritz Muehlenhoff from comment #1)
> Denial of service in mod_log_config (CVE-2014-0098)

The vulnerable code isn't present yet in the version in UCS 3.x.
Currently only this issue is open:
Denial of service in mod_dav (CVE-2013-6438)
Denial of service in mod_proxy (CVE-2014-0117)
Heap overflow in mod_status scoreboard handling (CVE-2014-0226)
Denial of service in mod_deflate (CVE-2014-0118)
Denial of service in mod_cgid (CVE-2014-0231)
Denial of service in mod_cache (CVE-2014-3581)
Denial of service through malicious fcgi scripts (CVE-2014-3583)
Incorrect handling of chunked trailer fields in mod_headers (CVE-2013-5704)
(In reply to Moritz Muehlenhoff from comment #5)
> Denial of service in mod_proxy (CVE-2014-0117)

This doesn't affect UCS 3.x.
(In reply to Moritz Muehlenhoff from comment #7)
> Denial of service through malicious fcgi scripts (CVE-2014-3583)

This only affects Apache 2.4.
* HTTP request smuggling attack against chunked request parser, allowing cache poisoning or credential hijacking if an intermediary proxy is in use (CVE-2015-3183)

Fixed upstream in Debian package version 2.2.16-6+squeeze15
2.2.16-6+squeeze15 has been imported.
YAML: 2015-08-29-apache2.yaml
My tests were successful.
Advisory: OK
Changelog: OK
Tests (amd64): OK
<http://errata.software-univention.de/ucs/3.2/365.html>