Bugzilla – Bug 869105
VUL-1: CVE-2013-6438: apache2: mod_dav denial of service
Last modified: 2014-09-02 17:04:43 UTC
CVE-2013-6438 The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6438 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/util.c?r1=1528718&r2=1556428&diff_format=h
affected code is even in sle9 sp3 2.0.59 apache2 server.
bugbot adjusting priority
Affected packages: SLE-10-SP3-TERADATA: apache2 SLE-11-SP1: apache2 SLE-11-SP2: apache2 SLE-11-SP3: apache2
*** Bug 874044 has been marked as a duplicate of this bug. ***
This is VUL-1; do we see an immediate necessity to run for an update with this bug alone?
It was a yes. :) hi-jacking already running update, revoked request ID 39577, re-submitted ID 40344 against SLE11-SP1. Re-assigning to security-team@ for further handling. Thank you!
This is an autogenerated message for OBS integration: This bug (869105) was mentioned in https://build.opensuse.org/request/show/242399 Evergreen:11.4 / apache2.openSUSE_Evergreen_11.4
SUSE-SU-2014:0967-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (important) Bug References: 859916,869105,869106,887765,887768 CVE References: CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): apache2-2.2.12-1.46.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): apache2-2.2.12-1.46.1 SUSE Linux Enterprise Server 11 SP3 (src): apache2-2.2.12-1.46.1
openSUSE-SU-2014:0969-1: An update that solves 5 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 859916,869105,869106,871309,887765,887768 CVE References: CVE-2013-5705,CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231 Sources used: openSUSE 11.4 (src): apache2-2.2.17-80.1, apache2-mod_security2-2.7.5-16.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-08-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58625
openSUSE-SU-2014:1044-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 869105,869106,887765,887767,887768,887771 CVE References: CVE-2013-4352,CVE-2013-6438,CVE-2014-0098,CVE-2014-0117,CVE-2014-0226,CVE-2014-0231 Sources used: openSUSE 13.1 (src): apache2-2.4.6-6.27.1
openSUSE-SU-2014:1045-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 869105,869106,887765,887768 CVE References: CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231 Sources used: openSUSE 12.3 (src): apache2-2.2.22-10.12.1
released
SUSE-SU-2014:1080-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (important) Bug References: 859916,869105,869106,887765,887768 CVE References: CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): apache2-2.2.12-1.48.1