Bug 1157954 (CVE-2014-8567) - CVE-2014-8567 mod_auth_mellon: logout processing leads to denial of service
Summary: CVE-2014-8567 mod_auth_mellon: logout processing leads to denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8567
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1157956 1157957
Blocks: 1157286
TreeView+ depends on / blocked
 
Reported: 2014-10-28 06:09 UTC by Murray McAllister
Modified: 2021-02-17 06:03 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that uninitialized data could be accessed when processing a user's logout request. By attempting to log out, a user could possibly cause the Apache HTTP Server to crash.
Clone Of:
Environment:
Last Closed: 2014-11-05 13:14:01 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1803 0 normal SHIPPED_LIVE Important: mod_auth_mellon security update 2014-11-05 14:51:47 UTC

Description Murray McAllister 2014-10-28 06:09:29 UTC
It was reported that uninitialized data could be accessed when processing a user's log out. Logging out could result in the Apache HTTP Server crashing.

Acknowledgements:

Red Hat would like to thank the mod_auth_mellon team for reporting this issue.

Comment 2 Simo Sorce 2014-11-03 14:16:17 UTC
Issue is public now:
https://postlister.uninett.no/sympa/arc/modmellon/2014-11/msg00000.html

Comment 3 Martin Prpič 2014-11-04 08:38:59 UTC
IssueDescription:

It was found that uninitialized data could be accessed when processing a user's logout request. By attempting to log out, a user could possibly cause the Apache HTTP Server to crash.

Comment 4 errata-xmlrpc 2014-11-05 09:52:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1803 https://rhn.redhat.com/errata/RHSA-2014-1803.html

Comment 5 Huzaifa S. Sidhpurwala 2014-11-05 13:14:01 UTC
Fedora 21 already ships mod_auth_mellon-0.9.1-1.fc21 and therefore is not affected by this issue.


Note You need to log in before you can comment on or make changes to this bug.