CVE-2013-6438

Published: 18 March 2014

The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.

Priority

Status

Package	Release	Status
apache2 Launchpad, Ubuntu, Debian	lucid	Released (2.2.14-5ubuntu8.13)
	precise	Released (2.2.22-1ubuntu1.5)
	quantal	Released (2.2.22-6ubuntu2.4)
	saucy	Released (2.4.6-2ubuntu2.2)
	upstream	Released (2.4.8)
	Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1556428 upstream: http://svn.apache.org/viewvc?view=revision&revision=1556816 upstream: http://svn.apache.org/viewvc?view=revision&revision=1576706

References

http://httpd.apache.org/security/vulnerabilities_24.html
https://ubuntu.com/security/notices/USN-2152-1
https://www.cve.org/CVERecord?id=CVE-2013-6438
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.