Vulnerability & Exploit Database

Back to search

RHSA-2014:0920: httpd security update

Severity CVSS Published Added Modified
7 (AV:N/AC:M/Au:N/C:P/I:P/A:P) July 20, 2014 August 22, 2014 July 04, 2017

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient,and extensible web server.A race condition flaw, leading to heap-based buffer overflows, was found inthe mod_status httpd module. A remote attacker able to access a status pageserved by mod_status on a server using a threaded Multi-Processing Module(MPM) could send a specially crafted request that would cause the httpdchild process to crash or, possibly, allow the attacker to executearbitrary code with the privileges of the "apache" user. (CVE-2014-0226)A denial of service flaw was found in the way httpd's mod_deflate modulehandled request body decompression (configured via the "DEFLATE" inputfilter). A remote attacker able to send a request whose body would bedecompressed could use this flaw to consume an excessive amount of systemmemory and CPU on the target system. (CVE-2014-0118)A denial of service flaw was found in the way httpd's mod_cgid moduleexecuted CGI scripts that did not read data from the standard input.A remote attacker could submit a specially crafted request that would causethe httpd child process to hang indefinitely. (CVE-2014-0231)All httpd users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. After installing theupdated packages, the httpd daemon will be restarted automatically.

Free Nexpose Download

Discover, prioritize, and remediate security risks today!

 Download now

References

Solution

redhat-upgrade-httpd

Related Vulnerabilities