CVE-2014-8109

Priority
Low
Description
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x
through 2.4.10 does not support an httpd configuration in which the same
Lua authorization provider is used with different arguments within
different contexts, which allows remote attackers to bypass intended access
restrictions in opportunistic circumstances by leveraging multiple Require
directives, as demonstrated by a configuration that specifies authorization
for one group to access a certain directory, and authorization for a second
group to access a second directory.
Notes
 mdeslaur> mod_lua is in 2.4.x only
 mdeslaur> mod_lua isn't built in trusty
Assigned-to
mdeslaur
Package
Upstream: released (2.4.10-9)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (code not built)
Patches:
Upstream: https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcb (2.4.x)
Updated: 2017-12-15 20:33:51 UTC (commit 13913)