Amazon Linux 1 Security Advisory: ALAS-2014-414
Advisory Release Date: 2014-09-17 21:48 Pacific
Advisory Updated Date: 2014-09-19 12:10 Pacific
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."
Affected Packages:
httpd
Issue Correction:
Run yum update httpd to update your system.
i686:
mod_ssl-2.2.29-1.4.amzn1.i686
httpd-2.2.29-1.4.amzn1.i686
httpd-debuginfo-2.2.29-1.4.amzn1.i686
httpd-devel-2.2.29-1.4.amzn1.i686
httpd-tools-2.2.29-1.4.amzn1.i686
noarch:
httpd-manual-2.2.29-1.4.amzn1.noarch
src:
httpd-2.2.29-1.4.amzn1.src
x86_64:
httpd-debuginfo-2.2.29-1.4.amzn1.x86_64
httpd-devel-2.2.29-1.4.amzn1.x86_64
httpd-tools-2.2.29-1.4.amzn1.x86_64
httpd-2.2.29-1.4.amzn1.x86_64
mod_ssl-2.2.29-1.4.amzn1.x86_64