Debian Security Advisory

DLA-71-1 apache2 -- LTS security update

Date Reported: 16 Oct 2014
Affected Packages: apache2
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2013-5704, CVE-2014-3581.
More information:

This update fixes two security issues with apache2.

  • CVE-2013-5704

    Disable the ability of HTTP trailers to replace HTTP headers, as this could be used to circumvent earlier header operations made by other modules. The previous behaviour can be restored with the new MergeTrailers directive.

  • CVE-2014-3581

    Fix denial of service where Apache can segfault when mod_cache is used and when the cached request contains an empty Content-Type header.

For Debian 6 Squeeze, these issues have been fixed in apache2 version 2.2.16-6+squeeze14
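
The CVE-2013-5704 change, modelled as an added example (not Apache's code and not part of the advisory): trailer fields of a chunked request are kept apart from the request headers unless merging is switched on. The `X-Demo` header, the sample request and the "always unset this header" policy are constructed assumptions.

```python
# Added illustration (not Apache code): trailers parsed separately from headers.
SAMPLE = (  # constructed request; X-Demo is a made-up header name
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"X-Demo: from-header\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\nX-Demo: from-trailer\r\n\r\n"
)

def parse_fields(lines):
    """Turn 'Name: value' lines into a dict with lower-cased names."""
    fields = {}
    for line in lines:
        if not line:
            break  # blank line ends the field block
        name, _, value = line.partition(b":")
        fields[name.strip().lower().decode()] = value.strip().decode()
    return fields

def parse_chunked(body):
    """Decode a chunked body and return (payload, trailers)."""
    payload, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailer fields follow
        payload += body[pos:pos + size]
        pos += size + 2  # skip chunk data and its CRLF
    return payload, parse_fields(body[pos:].split(b"\r\n"))

def process(raw, merge_trailers=False):
    """Return (headers, trailers, payload) as later modules would see them."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_fields(head.split(b"\r\n")[1:])  # skip the request line
    # Stand-in for an earlier header operation by another module
    # (assumed policy: this header is always unset on incoming requests).
    headers.pop("x-demo", None)
    payload, trailers = parse_chunked(body)
    if merge_trailers:
        headers.update(trailers)  # pre-update behaviour: trailers overwrite headers
    return headers, trailers, payload

if __name__ == "__main__":
    print(process(SAMPLE)[0])                       # header stays unset
    print(process(SAMPLE, merge_trailers=True)[0])  # trailer value reappears
```

With merging off, the earlier unset still holds when later modules read the headers, while the trailer remains available separately for code that explicitly wants it.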