drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mangelnde Rechteprüfung in modsecurity-apache
Name: |
Mangelnde Rechteprüfung in modsecurity-apache |
|
ID: |
DSA-2991-1 |
|
Distribution: |
Debian |
|
Plattformen: |
Debian sid, Debian wheezy, Debian jessie |
|
Datum: |
So, 27. Juli 2014, 23:31 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5705 |
|
Applikationen: |
ModSecurity |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
- ------------------------------------------------------------------------- Debian Security Advisory DSA-2991-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso July 27, 2014 http://www.debian.org/security/faq - -------------------------------------------------------------------------
Package : modsecurity-apache CVE ID : CVE-2013-5705
Martin Holst Swende discovered a flaw in the way chunked requests are handled in ModSecurity, an Apache module whose purpose is to tighten the Web application security. A remote attacker could use this flaw to bypass intended mod_security restrictions by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header, allowing to send requests containing content that should have been removed by mod_security.
For the stable distribution (wheezy), this problem has been fixed in version 2.6.6-6+deb7u2.
For the testing distribution (jessie), this problem has been fixed in version 2.7.7-1.
For the unstable distribution (sid), this problem has been fixed in version 2.7.7-1.
We recommend that you upgrade your modsecurity-apache packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIcBAEBCgAGBQJT1TyJAAoJEAVMuPMTQ89EPbcP/3Wp/A51dg7AEfLFAyJfm8lG 5/8GAIU/UuFtZfigv9yRi1d7ZkFWbihSKlAxFju2yzHP7dlFG8jawLDYT3kB0HP4 DPxDbsCXr/hxnE13sSdKOUnb2Geonpkxj9XOMoWlRy73fcBvURd/8hee1ecznP5M 5ShIh1ycKtbobFPszuohmeX02Hihgyhv1pcDM33kJhn+khHLwA8Qp3LZPdRqkxZr jn1mczla0U1mAB+ABh2/aHtIRWj5NEfaNNu5KBPzFSbYVtmtp/HfR3wh6Y/CQiNw TcYv4vXDrr0EKLQbTfdlbsnS1z1ljSUnzZXzL9dqMuJul19wyqitVQHfyKcW09Qd eXDnPO1ugTpc6OVXKwDsHYge5z5G/0oJrb+TAhwkm7OAWtRpQ9ACIq1l/Zd4y3L+ fbcrBQ70sJXnv3G9kmH/EqpRs6EfwCkoS5TQxJdqF5uagXC6t+DVrPID3/deVyoJ Rdb39EnwdLjOJQG3D2I9RBAVNyc+V92A+8LjBLBe6py0GpHaF/xza1gOtNOeDXaU sVIWovygVXS1bkTtoaTt5I8K38b3scm1CY+SrEDVbpEgmSSn/SAo+6EmSEzwuBFe dhVciIc5M1e8iUmsI3b/CKyB9BnFenEcgfUAXUT8N/hGZtNgwoMDZkGjaAMI5ZtV m9gyPKh1q8m5/qhuiXm4 =PvWw -----END PGP SIGNATURE-----
-- To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: https://lists.debian.org/E1XBSdm-00016H-FH@master.debian.org
|
|
|
|