MDVSA-2009:184
- Package name: apache-mod_security
- Date: 2009-07-31
- Advisory ID: MDVSA-2009:184
- Affected versions: MES5 i586, MES5 x86_64
Problem description
Multiple vulnerabilities have been found and corrected in mod_security:
The multipart processor in ModSecurity before 2.5.9 allows remote
attackers to cause a denial of service (crash) via a multipart form
data POST request with a missing part header name, which triggers a
NULL pointer dereference (CVE-2009-1902).
The PDF XSS protection feature in ModSecurity before 2.5.8 allows
remote attackers to cause a denial of service (Apache httpd crash)
via a request for a PDF file that does not use the GET method
(CVE-2009-1903).
This update provides mod_security 2.5.9, which is not vulnerable to
these issues.
Updated packages
MES5 i586
3ee426768772f50c01a52698259225ab mes5/i586/apache-mod_security-2.5.9-0.1mdvmes5.i586.rpm
f6f45fd22e8011ff5f1eb477ebdae070 mes5/i586/mlogc-2.5.9-0.1mdvmes5.i586.rpm
ce34b40bf2105728f8991ab997e1e8be mes5/SRPMS/apache-mod_security-2.5.9-0.1mdvmes5.src.rpm
MES5 x86_64
942b15cdf81d21097efa3a5d77bc68e0 mes5/x86_64/apache-mod_security-2.5.9-0.1mdvmes5.x86_64.rpm
7541b1c3e055d5dac628ca0999811a25 mes5/x86_64/mlogc-2.5.9-0.1mdvmes5.x86_64.rpm
ce34b40bf2105728f8991ab997e1e8be mes5/SRPMS/apache-mod_security-2.5.9-0.1mdvmes5.src.rpm
