ModSecurity: Denial of service — GLSA 200907-02

Two vulnerabilities in ModSecurity might lead to a Denial of Service.

Affected packages

www-apache/mod_security on all architectures
Affected versions < 2.5.9
Unaffected versions >= 2.5.9

Background

ModSecurity is a popular web application firewall for the Apache HTTP server.

Description

Multiple vulnerabilities were discovered in ModSecurity:

  • Juan Galiana Lara of ISecAuditors discovered a NULL pointer dereference when processing multipart requests without a part header name (CVE-2009-1902).
  • Steve Grubb of Red Hat reported that the "PDF XSS protection" feature does not properly handle HTTP requests to a PDF file that do not use the GET method (CVE-2009-1903).

Impact

A remote attacker might send requests containing specially crafted multipart data or send certain requests to access a PDF file, possibly resulting in a Denial of Service (crash) of the Apache HTTP daemon. NOTE: The PDF XSS protection is not enabled by default.

Workaround

There is no known workaround at this time.

Resolution

All ModSecurity users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apache/mod_security-2.5.9"

References

Release date
July 02, 2009

Latest revision
July 02, 2009: 01

Severity
normal

Exploitable
remote

Bugzilla entries