CVE-2013-5704
Published: 15 April 2014
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."
Notes
Author | Note |
---|---|
mdeslaur | check for r1610814, r1610686, r1610707 |
Priority
Status
Package | Release | Status |
---|---|---|
apache2 | lucid | Released (2.2.14-5ubuntu8.15) |
apache2 | precise | Released (2.2.22-1ubuntu1.8) |
apache2 | quantal | Ignored (end of life) |
apache2 | saucy | Ignored (end of life) |
apache2 | trusty | Released (2.4.7-1ubuntu4.4) |
apache2 | upstream | Released (2.2.29,2.4.11) |
apache2 | utopic | Released (2.4.10-1ubuntu1.1) |
Patches
- upstream: https://github.com/apache/httpd/commit/bd34b9d92894b7fc01810fc11a059fa30067e431#diff-381c180d963fb4507c77d80edb208224
- upstream: https://github.com/apache/httpd/commit/6688f9d102ad29d6bb4167d690ee495d709e47b6
- upstream: https://github.com/apache/httpd/commit/16e241ed9f0482acfda30b115227101744ccbc2c
References
- http://martin.swende.se/blog/HTTPChunked.html
- http://marc.info/?l=apache-httpd-dev&m=139636309822854&w=2
- http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES
- https://ubuntu.com/security/notices/USN-2523-1
- https://www.cve.org/CVERecord?id=CVE-2013-5704
- NVD
- Launchpad
- Debian