1157954 – (CVE-2014-8567) CVE-2014-8567 mod_auth_mellon: logout processing leads to denial of service

Bug 1157954 (CVE-2014-8567) - CVE-2014-8567 mod_auth_mellon: logout processing leads to denial of service

Summary: CVE-2014-8567 mod_auth_mellon: logout processing leads to denial of service

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-8567
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1157956 1157957
Blocks:	1157286
TreeView+	depends on / blocked

Reported:	2014-10-28 06:09 UTC by Murray McAllister
Modified:	2023-05-12 05:51 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that uninitialized data could be accessed when processing a user's logout request. By attempting to log out, a user could possibly cause the Apache HTTP Server to crash.
Clone Of:
Environment:
Last Closed:	2014-11-05 13:14:01 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1803	0	normal	SHIPPED_LIVE	Important: mod_auth_mellon security update	2014-11-05 14:51:47 UTC

Description Murray McAllister 2014-10-28 06:09:29 UTC

It was reported that uninitialized data could be accessed when processing a user's log out. Logging out could result in the Apache HTTP Server crashing.

Acknowledgements:

Red Hat would like to thank the mod_auth_mellon team for reporting this issue.

Comment 2 Simo Sorce 2014-11-03 14:16:17 UTC

Issue is public now:
https://postlister.uninett.no/sympa/arc/modmellon/2014-11/msg00000.html

Comment 3 Martin Prpič 2014-11-04 08:38:59 UTC

IssueDescription:

It was found that uninitialized data could be accessed when processing a user's logout request. By attempting to log out, a user could possibly cause the Apache HTTP Server to crash.

Comment 4 errata-xmlrpc 2014-11-05 09:52:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1803 https://rhn.redhat.com/errata/RHSA-2014-1803.html

Comment 5 Huzaifa S. Sidhpurwala 2014-11-05 13:14:01 UTC

Fedora 21 already ships mod_auth_mellon-0.9.1-1.fc21 and therefore is not affected by this issue.

Note You need to log in before you can comment on or make changes to this bug.