Описание
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.
A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled.
Отчет
This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 5 and 6, JBoss Enterprise Web Server 1 and 2, and JBoss Application Platform 6.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| CloudForms Management Engine 5 | httpd | Not affected | ||
| Red Hat Directory Server 8 | httpd | Not affected | ||
| Red Hat Enterprise Linux 4 | httpd | Not affected | ||
| Red Hat Enterprise Linux 5 | httpd | Not affected | ||
| Red Hat Enterprise Linux 6 | httpd | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 6 | httpd | Not affected | ||
| Red Hat JBoss Enterprise Web Server 1 | httpd | Not affected | ||
| Red Hat JBoss Enterprise Web Server 1 | inktank-httpd | Not affected | ||
| Red Hat JBoss Enterprise Web Server 2 | httpd | Not affected | ||
| Red Hat Enterprise Linux 7 | httpd | Fixed | RHSA-2015:0325 | 05.03.2015 |
Показывать по
Дополнительная информация
Статус:
EPSS
2.6 Low
CVSS2
Связанные уязвимости
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.
The cache_merge_headers_out function in modules/cache/cache_util.c in ...
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.
ELSA-2015-0325: httpd security, bug fix, and enhancement update (LOW)
EPSS
2.6 Low
CVSS2