Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-71-1 apache2

Debian Security Advisory

DLA-71-1 apache2 -- LTS security update

Date Reported:

16 Oct 2014

Affected Packages:

apache2

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2013-5704, CVE-2014-3581.

More information:

This update fixes two security issues with apache2.

• CVE-2013-5704

  Disable the possibility to replace HTTP headers with HTTP trailers as this could be used to circumvent earlier header operations made by other modules. This can be restored with a new MergeTrailers directive.

• CVE-2014-3581

  Fix denial of service where Apache can segfault when mod_cache is used and when the cached request contains an empty Content-Type header.

For Debian 6 Squeeze, these issues have been fixed in apache2 version 2.2.16-6+squeeze14