CVE-2014-0226

Published: 20 July 2014

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

Priority

Medium

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian 		Upstream
Released (2.4.10)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.4.7-1ubuntu4.1)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1610499 (2.4.x)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1610515 (2.2.x)

Notes

AuthorNote
mdeslaur 
PoC: http://seclists.org/fulldisclosure/2014/Jul/114

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading