Debian Security Advisory

DSA-2991-1 modsecurity-apache -- security update

Date Reported:
27 Jul 2014
Affected Packages:
modsecurity-apache
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2013-5705.
More information:

Martin Holst Swende discovered a flaw in the way chunked requests are handled in ModSecurity, an Apache module whose purpose is to tighten Web application security. A remote attacker could use this flaw to bypass intended mod_security restrictions by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header, allowing them to send requests containing content that should have been removed by mod_security.

For the stable distribution (wheezy), this problem has been fixed in version 2.6.6-6+deb7u2.

For the testing distribution (jessie), this problem has been fixed in version 2.7.7-1.

For the unstable distribution (sid), this problem has been fixed in version 2.7.7-1.

We recommend that you upgrade your modsecurity-apache packages.
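
The class of flaw described above, as an added example that is not ModSecurity's code: HTTP defines transfer-coding names as case-insensitive, so a filter that matches the Transfer-Encoding value case-sensitively disagrees with the server about whether a body is chunked. The function names `is_chunked_case_sensitive` and `is_chunked` are hypothetical, and the header values are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Flawed pattern: exact, case-sensitive match on the header value. */
static int is_chunked_case_sensitive(const char *te)
{
    return te != NULL && strcmp(te, "chunked") == 0;
}

/* Hardened pattern: walk the comma-separated coding list, trim optional
 * whitespace, and compare each coding name case-insensitively. */
static int is_chunked(const char *te)
{
    static const char name[] = "chunked";
    const size_t name_len = sizeof(name) - 1;

    if (te == NULL)
        return 0;
    while (*te != '\0') {
        while (*te == ' ' || *te == '\t' || *te == ',')
            te++;                              /* skip separators */
        size_t len = strcspn(te, ",");         /* one list element */
        const char *next = te + len;
        while (len > 0 && (te[len - 1] == ' ' || te[len - 1] == '\t'))
            len--;                             /* trim trailing whitespace */
        if (len == name_len && strncasecmp(te, name, name_len) == 0)
            return 1;
        te = next;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample header values. */
    const char *samples[] = { "chunked", "Chunked", "gzip, CHUNKED ", "identity" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s case-sensitive=%d case-insensitive=%d\n", samples[i],
               is_chunked_case_sensitive(samples[i]), is_chunked(samples[i]));
    return 0;
}
```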