Bug 1120604 (CVE-2013-4352) - CVE-2013-4352 httpd: mod_cache NULL pointer dereference crash
Summary: CVE-2013-4352 httpd: mod_cache NULL pointer dereference crash
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4352
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1120607 1120608 1120614 1121037 1121038
Blocks: 1120610 1120623
TreeView+ depends on / blocked
 
Reported: 2014-07-17 09:18 UTC by Murray McAllister
Modified: 2021-02-17 06:23 UTC (History)
38 users (show)

Fixed In Version: httpd 2.4.7
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching.
Clone Of:
Environment:
Last Closed: 2014-11-21 20:24:42 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0921 0 normal SHIPPED_LIVE Important: httpd security update 2014-07-23 14:00:19 UTC
Red Hat Product Errata RHSA-2014:0922 0 normal SHIPPED_LIVE Important: httpd24-httpd security update 2014-07-23 14:00:09 UTC

Description Murray McAllister 2014-07-17 09:18:30 UTC
The following flaw has been fixed in the Apache HTTP Server:

"A NULL pointer dereference was found in mod_cache. A malicious HTTP server could cause a crash in a caching forward proxy configuration."

External References:

http://httpd.apache.org/security/vulnerabilities_24.html

Comment 2 Murray McAllister 2014-07-17 09:41:40 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1120614]

Comment 4 Vincent Danen 2014-07-18 13:19:29 UTC
Statement:

This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 5 and 6 as only httpd version 2.4.6 included the vulnerable code.

Comment 5 Tomas Hoger 2014-07-23 07:07:26 UTC
Upstream commit:
http://svn.apache.org/viewvc?view=revision&revision=1523235

Comment 6 errata-xmlrpc 2014-07-23 10:01:06 UTC
This issue has been addressed in following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7

Via RHSA-2014:0922 https://rhn.redhat.com/errata/RHSA-2014-0922.html

Comment 7 errata-xmlrpc 2014-07-23 10:01:52 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0921 https://rhn.redhat.com/errata/RHSA-2014-0921.html

Comment 8 Martin Prpič 2014-07-28 11:28:40 UTC
IssueDescription:

A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching.


Note You need to log in before you can comment on or make changes to this bug.