[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [Notification] CVE-2013-2765 mod_security: NULL pointer dereference (DoS, crash) when
From: Jan Lieskovsky <jlieskov () redhat ! com>
Date: 2013-05-28 10:14:32
Message-ID: 1338782267.8755963.1369736072304.JavaMail.root () redhat ! com
[Download RAW message or body]
Hello Steve, vendors,
as brought to me by Athmane, ModSecurity upstream has release v2.7.4 version:
[1] http://sourceforge.net/mailarchive/message.php?msg_id=30900019
correcting one security NULL pointer dereference flaw (CVE-2013-2765) - from [2]:
* Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable
action is triggered and a unknown Content-Type is used, mod_security will crash
trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks
is NULL. (Thanks Younes JAAIDI).
References:
[2] https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES
[3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765
Relevant upstream patch (seems to be the following):
[4] https://github.com/SpiderLabs/ModSecurity/commit/0840b13612a0b7ef1ce7441cf811dcfc6b463fba
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
P.S.: Thanks goes to Athmane for bringing this to our attention.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic