[ MDVSA-2009:183 ] apache-mod_security

[dude67]

_______________________________________________________________________

Package : apache-mod_security
Date : July 31, 2009
Affected: Corporate 4.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in mod_security:

Multiple unspecified vulnerabilities in the ModSecurity (aka
mod_security) module 2.5.0 through 2.5.5 for the Apache HTTP Server,
when SecCacheTransformations is enabled, allow remote attackers to
cause a denial of service (daemon crash) or bypass the product's
functionality via unknown vectors related to transformation
caching. (CVE-2008-5676)

The multipart processor in ModSecurity before 2.5.9 allows remote
attackers to cause a denial of service (crash) via a multipart form
datapost request with a missing part header name, which triggers a
NULL pointer dereference (CVE-2009-1902).

The PDF XSS protection feature in ModSecurity before 2.5.8 allows
remote attackers to cause a denial of service (Apache httpd crash)
via a request for a PDF file that does not use the GET method
(CVE-2009-1903).

This update provides mod_security 2.5.9, which is not vulnerable to
these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-5676
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1902
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1903
_______________________________________________________________________