SB2014041715 - Input validation error in apache2 (Alpine package)
Published: April 17, 2014
Security Bulletin ID
SB2014041715
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2013-6438)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=83628e2c6a82bbb3e9b36cec3d903d7004e90c5d
- https://git.alpinelinux.org/aports/commit/?id=78e0a593413a5ed7449a690ec8c07fc81cf48362
- https://git.alpinelinux.org/aports/commit/?id=6499c73a4c09c49fabf2c744656defc5b0f7aa96
- https://git.alpinelinux.org/aports/commit/?id=96c84fd65048e19eb1259c5a8d21225029386f7d