CVE-2014-0226

Priority
Medium
Description
Race condition in the mod_status module in the Apache HTTP Server before
2.4.10 allows remote attackers to cause a denial of service (heap-based
buffer overflow), or possibly obtain sensitive credential information or
execute arbitrary code, via a crafted request that triggers improper
scoreboard handling within the status_handler function in
modules/generators/mod_status.c and the lua_ap_scoreboard_worker function
in modules/lua/lua_request.c.
References
Notes
 mdeslaur> PoC: http://seclists.org/fulldisclosure/2014/Jul/114
Assigned-to
mdeslaur
Package
Upstream:released (2.4.10)
Ubuntu 12.04 LTS (Precise Pangolin):released (2.2.22-1ubuntu1.7)
Ubuntu 14.04 LTS (Trusty Tahr):released (2.4.7-1ubuntu4.1)
Patches:
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1610499 (2.4.x)
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1610515 (2.2.x)
More Information

Updated: 2016-03-23 03:40:59 UTC (commit 10817)