CVE-2014-0226

Published: 20 July 2014

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

Priority

Medium

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian 		Upstream
Released (2.4.10)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.4.7-1ubuntu4.1)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1610499 (2.4.x)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1610515 (2.2.x)

Notes

AuthorNote
mdeslaur PoC: http://seclists.org/fulldisclosure/2014/Jul/114

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

Further reading