Mod_Security was found to have a Remote Null Pointer Dereference vulnerability that could cause it to crash.
The cPanel Security Team has rated this update has having moderate security impact.
Information on security ratings is available at: http://go.cpanel.net/securitylevels.
CVE-2013-2765 states: “When forceRequestBodyVariable action is triggered and a unknown Content-Type is used, mod_security
will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL.”
All versions of mod_security before 2.7.4.
cPanel, Inc has released EasyApache 3.20.4 which includes mod_security version 2.7.4 to correct this issue. To update, rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea)
EasyApache v3.20.4 addresses the mod_security vulnerability.
Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.
Red Hat Security Response Team (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765)
Mod_Security ChangeLog (https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES)
For the PGP signed message, please go here.