| Descripción: | Summary:
The remote host is missing an update for the 'apache' package(s) announced via the MGASA-2014-0527 advisory.
Vulnerability Insight:
Updated apache packages fix security vulnerabilities:
A NULL pointer dereference flaw was found in the way the mod_cache httpd
module handled Content-Type headers. A malicious HTTP server could cause
the httpd child process to crash when the Apache HTTP server was configured
to proxy to a server with caching enabled (CVE-2014-3581).
A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers (CVE-2013-5704).
Note: With this update, httpd has been modified to not merge HTTP Trailer
headers with other HTTP request headers. A newly introduced configuration
directive MergeTrailers can be used to re-enable the old method of
processing Trailer headers, which also re-introduces the aforementioned
flaw.
This update also fixes the following bug:
Prior to this update, the mod_proxy_wstunnel module failed to set up an
SSL connection when configured to use a back end server using the 'wss:'
URL scheme, causing proxied connections to fail. In these updated packages,
SSL is used when proxying to 'wss:' back end servers (rhbz#1141950).
Affected Software/OS:
'apache' package(s) on Mageia 4.
Solution:
Please install the updated package(s).
CVSS Score:
5.4
CVSS Vector:
AV:A/AC:M/Au:N/C:P/I:P/A:P
|
