PublicDateAtUSN: 2014-10-10
Candidate: CVE-2014-3581
PublicDate: 2014-10-10 10:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581
 https://ubuntu.com/security/notices/USN-2523-1
Description:
 The cache_merge_headers_out function in modules/cache/cache_util.c in the
 mod_cache module in the Apache HTTP Server before 2.4.11 allows remote
 attackers to cause a denial of service (NULL pointer dereference and
 application crash) via an empty HTTP Content-Type header.
Ubuntu-Description:
Notes:
 mdeslaur> per upstream bug, 2.2 is not affected
Bugs:
 https://issues.apache.org/bugzilla/show_bug.cgi?id=56924
Priority: low
Discovered-by: Mark Montague
Assigned-to: mdeslaur
CVSS:

Patches_apache2:
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1624234
 upstream: https://github.com/apache/httpd/commit/c164ca7383d5f204915d85a5826655d3f1557148 (2.4.x)
upstream_apache2: released (2.4.10-3)
lucid_apache2: not-affected (2.2.14-5ubuntu8.14)
precise_apache2: not-affected (2.2.22-1ubuntu1.7)
trusty_apache2: released (2.4.7-1ubuntu4.4)
trusty/esm_apache2: released (2.4.7-1ubuntu4.4)
utopic_apache2: released (2.4.10-1ubuntu1.1)
devel_apache2: not-affected (2.4.10-8ubuntu2)