PublicDateAtUSN: 2014-07-20
Candidate: CVE-2014-0226
PublicDate: 2014-07-20 11:12:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
 https://ubuntu.com/security/notices/USN-2299-1
Description:
 Race condition in the mod_status module in the Apache HTTP Server before
 2.4.10 allows remote attackers to cause a denial of service (heap-based
 buffer overflow), or possibly obtain sensitive credential information or
 execute arbitrary code, via a crafted request that triggers improper
 scoreboard handling within the status_handler function in
 modules/generators/mod_status.c and the lua_ap_scoreboard_worker function
 in modules/lua/lua_request.c.
Ubuntu-Description:
Notes:
 mdeslaur> PoC: http://seclists.org/fulldisclosure/2014/Jul/114
Bugs:
Priority: medium
Discovered-by: Marek Kroemeke and others
Assigned-to: mdeslaur
CVSS: 

Patches_apache2:
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1610499 (2.4.x)
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1610515 (2.2.x)
upstream_apache2: released (2.4.10)
lucid_apache2: released (2.2.14-5ubuntu8.14)
precise_apache2: released (2.2.22-1ubuntu1.7)
trusty_apache2: released (2.4.7-1ubuntu4.1)
trusty/esm_apache2: released (2.4.7-1ubuntu4.1)
devel_apache2: released (2.4.10-1ubuntu1)