ESB-2014.1240 - [Win][UNIX/Linux][Debian] modsecurity-apache: Reduced security - Remote/unauthenticated

Date: 28 July 2014
References: ESB-2014.1584  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1240
                    modsecurity-apache security update
                               28 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           modsecurity-apache
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5705  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2991

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running modsecurity-apache check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2991-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
July 27, 2014                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : modsecurity-apache
CVE ID         : CVE-2013-5705

Martin Holst Swende discovered a flaw in the way chunked requests are
handled in ModSecurity, an Apache module whose purpose is to tighten
Web application security. A remote attacker could use this flaw to
bypass intended mod_security restrictions by using chunked transfer
coding with a capitalized Chunked value in the Transfer-Encoding HTTP
header, allowing an attacker to send requests containing content that
should have been removed by mod_security.
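The flaw class described above comes down to how a request-inspection layer decides whether a body is chunk-encoded. The following Python is an added illustration written for this bulletin; it is not ModSecurity's or Debian's code, and the request bytes, header parser and inspection model are constructed assumptions. It places a case-sensitive check (the weak pattern) beside an RFC 7230 style check (transfer-coding names are case-insensitive, and "chunked" must be the last coding listed), then shows that only the second one hands the decoded body to inspection.

```python
"""Added example (not from the advisory or ModSecurity): why a
case-sensitive Transfer-Encoding comparison hides a request body from
inspection, and how a case-insensitive check plus explicit de-chunking
fixes that."""
from __future__ import annotations
from typing import Callable


def parse_headers(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Minimal HTTP/1.1 request splitter (constructed for this example).
    Header names are lower-cased on lookup; values are kept as sent."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return headers, body


def is_chunked_naive(headers: dict[str, str]) -> bool:
    """Weak pattern: exact, case-sensitive match. 'Chunked' is not seen
    as chunked, so the body is never decoded for inspection."""
    return headers.get("transfer-encoding") == "chunked"


def is_chunked(headers: dict[str, str]) -> bool:
    """RFC 7230 section 3.3.1: transfer-coding names are case-insensitive,
    the header is a comma-separated list, and chunked must be last."""
    te = headers.get("transfer-encoding")
    if te is None:
        return False
    codings = [c.strip().lower() for c in te.split(",") if c.strip()]
    return bool(codings) and codings[-1] == "chunked"


def dechunk(body: bytes) -> bytes:
    """Decode a chunked body (hex size line, optional ;extensions, data,
    CRLF, terminated by a zero-size chunk). Raises on malformed framing."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0].strip(), 16)
        pos = nl + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
    return bytes(out)


def effective_body(raw: bytes, chunk_detector: Callable[[dict[str, str]], bool]) -> bytes:
    """The body an inspection layer would see, given its chunk detector.
    Constructed model: chunked -> decode; else use Content-Length; else
    treat the request as having no body to inspect."""
    headers, body = parse_headers(raw)
    if chunk_detector(headers):
        return dechunk(body)
    if "content-length" in headers:
        return body[:int(headers["content-length"])]
    return b""


# Constructed sample request: capitalised "Chunked", two chunks of 0xb
# and 0x7 bytes, no Content-Length header.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: Chunked\r\n"
    b"\r\n"
    b"b\r\nuser=alice&\r\n"
    b"7\r\npw=secr\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    print("naive check sees:", effective_body(SAMPLE_REQUEST, is_chunked_naive))
    print("fixed check sees:", effective_body(SAMPLE_REQUEST, is_chunked))
```

With the naive detector the sample request yields an empty body for inspection, so any rule matching on request parameters never runs; with the case-insensitive detector the decoded form body is available to the rules. The same detector also accepts lists such as "gzip, Chunked" and rejects "chunked, gzip", where chunked is not the final coding.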

For the stable distribution (wheezy), this problem has been fixed in
version 2.6.6-6+deb7u2.

For the testing distribution (jessie), this problem has been fixed in
version 2.7.7-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.7.7-1.

We recommend that you upgrade your modsecurity-apache packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
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=PvWw
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=t0MP
-----END PGP SIGNATURE-----