Bugzilla – Bug 871310
VUL-1: CVE-2013-5704: apache2: bypass of mod_headers rules via chunked requests
Last modified: 2015-07-26 19:08:19 UTC
Via rh#1082903: Martin Holst Swende discovered a flaw in the way mod_headers handled chunked requests. A remote attacker could use this flaw to bypass intended mod_headers restrictions, allowing them to send requests to applications that include headers that should have been removed by mod_headers. Discussion and a possible patch is available from the following thread: http://marc.info/?t=138219209900002&r=1&w=2 CVE-2013-5704 was assigned to this issue. References: http://martin.swende.se/blog/HTTPChunked.html https://bugzilla.redhat.com/show_bug.cgi?id=1082903 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5704
bugbot adjusting priority
Affected packages: SLE-11-SP3: apache2
Apache2 on OpenSuSE 12.3 (apache2-2.2.22-10.12.1) is also affected and given high severity by nessus. Will there be work done on this vulnerability?
This is an autogenerated message for OBS integration: This bug (871310) was mentioned in https://build.opensuse.org/request/show/263358 12.3 / apache2
The CVE-2013-5704 was fixed in Apache httpd 2.2.29. So I have prepared an update for openSUSE 12.3.
upstream fix in git https://github.com/apache/httpd/commit/bd34b9d92894b7fc01810fc11a059fa30067e431 or svn http://svn.apache.org/viewvc?view=revision&revision=1610814 introduces a new option to readd back legacy behaviuour
if we do fix apache2 on 12.3, we also need to fix apache2 on 13.1 and 13.2 (fix is in 2.4.11 or backportable)
You've right, thank you. I will add the fix from git to the next 13.1 and 13.2 update.
openSUSE-SU-2014:1647-1: An update that fixes 8 vulnerabilities is now available. Category: security (moderate) Bug References: 871310 CVE References: CVE-2011-3368,CVE-2012-2687,CVE-2013-1862,CVE-2013-1896,CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231 Sources used: openSUSE 12.3 (src): apache2-2.2.29-10.16.1
Will a fix be provided for SLE as well (I am working with a customer needing it for SLES11SP3). Thanks, Jim
The maintenance/submit requests for openSUSE and Factory have been created. | Package | #sr/#mr | |===============|=========| | openSUSE 12.3 | 263358 | version bump | openSUSE 13.1 | 265405 | | openSUSE 13.2 | 265405 | | Factory | 265358 | The upstream patches can be found here: * Upstream trunk: https://github.com/apache/httpd/commit/bd34b9d92894b7fc01810fc11a059fa30067e431#diff-381c180d963fb4507c77d80edb208224 * Upstream 2.4.x: https://github.com/apache/httpd/commit/6688f9d102ad29d6bb4167d690ee495d709e47b6 * Upstream 2.2.x: https://github.com/apache/httpd/commit/16e241ed9f0482acfda30b115227101744ccbc2c
Created attachment 617651 [details] apache patches for 2.2.x and 2.4.x I adapted the upstream patches for our use in apache 2.2.x (SLE11SP3) and 2.4.x. Ready for the maintenance update.
Any update on this?
openSUSE-SU-2014:1726-1: An update that solves two vulnerabilities and has four fixes is now available. Category: security (moderate) Bug References: 792309,842377,849445,864166,871310,909715 CVE References: CVE-2013-5704,CVE-2014-8109 Sources used: openSUSE 13.2 (src): apache2-2.4.10-4.1 openSUSE 13.1 (src): apache2-2.4.6-6.37.1 openSUSE 12.3 (src): apache2-2.2.29-10.20.1
(In reply to Richard Hamilton from comment #17) > Any update on this? This bug is marked as "planned maintenance update" so we are waiting till the security team gives instruction to submit.
*** Bug 914535 has been marked as a duplicate of this bug. ***
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-04-08. https://swamp.suse.de/webswamp/wf/61064
Submitted to: - SLE10SP3: https://build.suse.de/request/show/54652 - SLE11SP1: https://build.suse.de/request/show/53778 - SLE12: https://build.suse.de/request/show/54654 I'm reassigning it back to security-team.
SUSE-SU-2015:0689-1: An update that contains security fixes can now be installed. Category: security (moderate) Bug References: 713970,871310,899836,904427,907339,907477 CVE References: Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): apache2-2.2.12-1.51.52.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): apache2-2.2.12-1.51.52.1 SUSE Linux Enterprise Server 11 SP3 (src): apache2-2.2.12-1.51.52.1
SUSE-SU-2015:0974-1: An update that solves four vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 792309,871310,899836,909715,918352,923090 CVE References: CVE-2013-5704,CVE-2014-3581,CVE-2014-8109,CVE-2015-0228 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): apache2-2.4.10-12.1 SUSE Linux Enterprise Server 12 (src): apache2-2.4.10-12.1
fixed, released and closed.