CVE-2013-1896
Published: 10 July 2013
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
Priority
Status
Package | Release | Status |
---|---|---|
apache2 Launchpad, Ubuntu, Debian |
upstream |
Released
(2.2.25)
|
lucid |
Released
(2.2.14-5ubuntu8.12)
|
|
precise |
Released
(2.2.22-1ubuntu1.4)
|
|
quantal |
Released
(2.2.22-6ubuntu2.3)
|
|
raring |
Released
(2.2.22-6ubuntu5.1)
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1497101 (2.2) upstream: http://svn.apache.org/viewvc?view=revision&revision=1497212 (2.2) upstream: http://svn.apache.org/viewvc?view=revision&revision=1486461 (2.4) upstream: http://svn.apache.org/viewvc?view=revision&revision=1485668 (trunk) |