CVE-2014-0098

Priority
Medium
Description
The log_cookie function in mod_log_config.c in the mod_log_config module in
the Apache HTTP Server before 2.4.8 allows remote attackers to cause a
denial of service (segmentation fault and daemon crash) via a crafted
cookie that is not properly handled during truncation.
References
Notes
mdeslaur> lucid has different code and doesn't look vulnerable
Assigned-to
mdeslaur
Package
Upstream:released (2.4.8)
Ubuntu 10.04 LTS (Lucid Lynx):not-affected (code not present)
Ubuntu 12.04 LTS (Precise Pangolin):released (2.2.22-1ubuntu1.5)
Ubuntu 12.10 (Quantal Quetzal):released (2.2.22-6ubuntu2.4)
Ubuntu 13.10 (Saucy Salamander):released (2.4.6-2ubuntu2.2)
Ubuntu 14.04 LTS (Trusty Tahr):released (2.4.7-1ubuntu3)
Patches:
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1575400 (trunk)
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1575904 (2.4)
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1374538 (2.2 bp)
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1576716 (2.2)
More Information

Valid XHTML 1.0 Strict

Updated: 2014-03-24 20:14:39 UTC (commit 7870)