
Security Advisory 2013-07-23

SUMMARY

The Apache HTTP Server Project has released httpd-2.2.25 and httpd-2.4.6 to correct multiple vulnerabilities that have been assigned CVE identifiers.

Apache HTTP Server 2.2.25

CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn, with the source href (sent as XML in the request body)
pointing to a URI that is not configured for DAV, triggers a segfault in the server process handling the request (a remotely triggerable denial of service).

CVE-2013-1862 mod_rewrite: Client-supplied data written to the RewriteLog was not escaped, so a remote client could inject terminal escape sequences into the log file. The fix escapes client data before it is written to the log.
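To show why unescaped client data in a log file matters, the following is an added example (not from this advisory, cPanel, or the Apache project): it scans RewriteLog-style lines for terminal escape sequences and renders control bytes visibly so the findings can be printed safely. The log lines are constructed for the example and only approximate the real 2.2 RewriteLog layout; the request paths carry the kind of sequences an attacker would send.

```python
import re
import sys

# Constructed RewriteLog-style lines (not from any real server; the field
# layout only approximates the 2.2 RewriteLog format). Line 1 is benign.
# Line 2 carries CSI sequences that clear the screen and home the cursor,
# hiding earlier output from anyone running `tail -f` on the log.
# Line 3 carries an OSC sequence that retitles the viewer's terminal.
SAMPLE_REWRITELOG = (
    "192.0.2.10 - - [23/Jul/2013:10:00:00 +0000] [example.com/sid#1][rid#2/initial] "
    "(2) init rewrite engine with requested uri /index.html\n"
    "192.0.2.11 - - [23/Jul/2013:10:00:01 +0000] [example.com/sid#1][rid#3/initial] "
    "(2) init rewrite engine with requested uri /\x1b[2J\x1b[H/hidden\n"
    "192.0.2.12 - - [23/Jul/2013:10:00:02 +0000] [example.com/sid#1][rid#4/initial] "
    "(2) init rewrite engine with requested uri /\x1b]0;owned\x07\n"
)

# Recognised escape sequences, tried before the bare-control-byte fallback:
#   CSI  ESC [ <params> <intermediates> <final>   e.g. ESC[2J, ESC[H
#   OSC  ESC ] <text> (BEL | ESC \)                e.g. ESC]0;title BEL
#   Fe   ESC <one byte 0x40-0x5f other than [>     e.g. ESC c (reset)
# The last alternative catches any remaining C0 control byte (other than
# tab and newline) or DEL, including a lone ESC and a bare carriage return.
ESCAPE_RE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]"
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|[@-Z\\-_])"
    r"|[\x00-\x08\x0b-\x1f\x7f]"
)

# Every control byte except newline, for the visible rendering below.
CONTROL_RE = re.compile(r"[\x00-\x09\x0b-\x1f\x7f]")


def find_escape_sequences(line):
    """Return the escape sequences and stray control bytes found in one log line."""
    return ESCAPE_RE.findall(line)


def escape_control_chars(line):
    """Render control bytes as \\xHH so the line is safe to print to a terminal.

    This is comparable to the escaping the fixed mod_rewrite applies to client
    data before it reaches the RewriteLog."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def scan_log(text):
    """Return [(line_number, [sequences...]), ...] for lines carrying escapes.

    Splits on '\\n' only: str.splitlines() would also split on control bytes
    such as \\x0c and \\x1c, which is exactly what we want to see, not lose."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # trailing newline
    findings = []
    for number, line in enumerate(lines, start=1):
        found = find_escape_sequences(line)
        if found:
            findings.append((number, found))
    return findings


if __name__ == "__main__":
    # Scan the files given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        text = "".join(open(p, encoding="latin-1").read() for p in sys.argv[1:])
    else:
        text = SAMPLE_REWRITELOG
    for number, found in scan_log(text):
        print("line %d: %d sequence(s): %s" % (
            number, len(found), ", ".join(escape_control_chars(s) for s in found)))
```

On an unpatched server the sequences land in the log exactly as sent, so `cat` or `tail -f` on that file hands them straight to the administrator's terminal. Until the rebuild is done, review suspect logs with a viewer that neutralises control bytes (`less` shows ESC as `^[` by default; `cat -v` does the same), or through a scanner like the one above.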

AFFECTED VERSIONS

All versions of Apache 2.2 before 2.2.25.

SECURITY RATING

NIST's National Vulnerability Database (NVD) rates the severity of these CVEs as follows:

CVE-2013-1896 – MEDIUM
CVE-2013-1862 – MEDIUM

Apache HTTP Server 2.4.6

CVE-2013-2249 mod_session_dbd: mod_session_dbd.c in the mod_session_dbd module in Apache HTTP Server before 2.4.5 proceeds with save operations for a session
without considering the dirty flag and the requirement for a new session ID. NVD lists the impact and remote attack vectors as unspecified; the fix ships in the 2.4.6 release.

CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn, with the source href (sent as XML in the request body)
pointing to a URI that is not configured for DAV, triggers a segfault in the server process handling the request (a remotely triggerable denial of service).

AFFECTED VERSIONS

All versions of Apache 2.4 before 2.4.6.

SECURITY RATING

NIST's National Vulnerability Database (NVD) rates the severity of these CVEs as follows:

CVE-2013-2249 – HIGH
CVE-2013-1896 – MEDIUM

SOLUTION

cPanel, Inc. has released EasyApache 3.20.6 with updated versions of Apache 2.2 and 2.4 to correct these issues. To update, rebuild your EasyApache
profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea).

Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that
the rebuild itself is not applied automatically; it must be started manually.
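As an added post-rebuild check (not part of this advisory or of cPanel's tooling), the script below parses the banner printed by `httpd -v` and confirms that the installed build is at or past the first fixed release for its branch (2.2.25 or 2.4.6). The binary path /usr/local/apache/bin/httpd is an assumption about an EasyApache 3 installation; the sample banners are constructed for the example.

```python
import re
import subprocess

# First releases carrying the fixes named in the advisory, keyed by branch.
FIXED_RELEASE = {
    (2, 2): (2, 2, 25),
    (2, 4): (2, 4, 6),
}

# Assumed location of the EasyApache 3 binary; adjust for other layouts.
HTTPD = "/usr/local/apache/bin/httpd"

# Constructed sample banners in the shape printed by `httpd -v`.
SAMPLE_BANNERS = {
    "old_22": "Server version: Apache/2.2.24 (Unix)\nServer built:   Jun 12 2013 01:02:03\n",
    "new_22": "Server version: Apache/2.2.25 (Unix)\nServer built:   Jul 23 2013 01:02:03\n",
    "old_24": "Server version: Apache/2.4.4 (Unix)\nServer built:   Jun 12 2013 01:02:03\n",
    "new_24": "Server version: Apache/2.4.6 (Unix)\nServer built:   Jul 23 2013 01:02:03\n",
}


def parse_httpd_version(banner):
    """Extract (major, minor, patch) from an `httpd -v` banner."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache/x.y.z version found in banner")
    return tuple(int(part) for part in m.groups())


def is_patched(version):
    """True if the version is at or past the fixed release for its branch.

    Returns None for a branch this advisory does not cover (e.g. 2.0)."""
    fixed = FIXED_RELEASE.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def check_banner(banner):
    """Return (version_tuple, patched) for one banner string."""
    version = parse_httpd_version(banner)
    return version, is_patched(version)


def check_installed(httpd=HTTPD):
    """Run the installed binary and check its reported version."""
    out = subprocess.run([httpd, "-v"], capture_output=True, text=True, check=True).stdout
    return check_banner(out)


if __name__ == "__main__":
    version, patched = check_installed()
    label = {True: "patched", False: "VULNERABLE", None: "branch not covered"}[patched]
    print("Apache %d.%d.%d: %s" % (version + (label,)))
```

The banner describes the binary on disk, not the process serving requests: after the rebuild, restart Apache so the running server is the new build, then run the check.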

REFERENCES

CVE-2013-1862 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1862)
CVE-2013-2249 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2249)
CVE-2013-1896 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1896)

Apache 2.2.25 Announcement (http://www.apache.org/dist/httpd/Announcement2.2.html)
Apache 2.4.6 Announcement (http://www.apache.org/dist/httpd/Announcement2.4.html)
