Newsroom

Security Advisory 2013-07-22

SUMMARY
Mod_Security was found to have a Remote Null Pointer Dereference vulnerability that could cause it to crash.

SECURITY RATING
The cPanel Security Team has rated this update has having moderate security impact.
Information on security ratings is available at: http://go.cpanel.net/securitylevels.

DETAIL
CVE-2013-2765 states: “When forceRequestBodyVariable action is triggered and a unknown Content-Type is used, mod_security
will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL.”

AFFECTED VERSIONS
All versions of mod_security before 2.7.4.

SOLUTION
cPanel, Inc has released EasyApache 3.20.4 which includes mod_security version 2.7.4 to correct this issue. To update, rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea)

RELEASES
EasyApache v3.20.4 addresses the mod_security vulnerability.
Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

REFERENCES
CVE-2013-2765 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765)
Red Hat Security Response Team (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765)
Mod_Security ChangeLog (https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES)

For the PGP signed message, please go here.