Apache HTTP Server Multiple Vulnerabilities (Sep 2014) - Linux

Information

Severity

Medium

Family

Web Servers

CVSSv2 Base

6.8

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Solution Type

Vendor Patch

Created

2 years ago

Modified

2 years ago

Summary

Apache HTTP Server is prone to multiple vulnerabilities.

Insight

The following vulnerabilities exist:

- CVE-2013-5704: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the 'MergeTrailers' directive to restore legacy behavior.

- CVE-2014-0118: A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the 'DEFLATE' input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration.

- CVE-2014-0226: A race condition was found in mod_status. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that having a publicly accessible server status page is not a default or recommended configuration.

- CVE-2014-0231: A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service.

Affected Software

Apache HTTP Server version 2.2.0 through 2.2.27 and 2.4.1 through 2.4.10.

Detection Method

Checks if a vulnerable version is present on the target host.

Solution

Update to version 2.2.29, 2.4.12 or later.

Common Vulnerabilities and Exposures (CVE)