CVE-2013-5704

Published: 15 April 2014

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

Notes

| Author | Note |
|---|---|
| mdeslaur | check for r1610814, r1610686, r1610707 |

Priority

Low

Status

Package: apache2 (Launchpad, Ubuntu, Debian)

| Release | Status |
|---|---|
| lucid | Released (2.2.14-5ubuntu8.15) |
| precise | Released (2.2.22-1ubuntu1.8) |
| quantal | Ignored (reached end-of-life) |
| saucy | Ignored (reached end-of-life) |
| trusty | Released (2.4.7-1ubuntu4.4) |
| upstream | Released (2.2.29, 2.4.11) |
| utopic | Released (2.4.10-1ubuntu1.1) |

Patches:
upstream: https://github.com/apache/httpd/commit/bd34b9d92894b7fc01810fc11a059fa30067e431#diff-381c180d963fb4507c77d80edb208224 (trunk)
upstream: https://github.com/apache/httpd/commit/6688f9d102ad29d6bb4167d690ee495d709e47b6 (2.4.x)
upstream: https://github.com/apache/httpd/commit/16e241ed9f0482acfda30b115227101744ccbc2c (2.2.x)