ALAS-2014-414

Amazon Linux 1 Security Advisory: ALAS-2014-414
Advisory Release Date: 2014-09-17 21:48 Pacific
Advisory Updated Date: 2014-09-19 12:10 Pacific

Severity: Low

References: CVE-2013-5704
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

Affected Packages:

httpd

Issue Correction:
Run yum update httpd to update your system.

New Packages:

i686:
    mod_ssl-2.2.29-1.4.amzn1.i686
    httpd-2.2.29-1.4.amzn1.i686
    httpd-debuginfo-2.2.29-1.4.amzn1.i686
    httpd-devel-2.2.29-1.4.amzn1.i686
    httpd-tools-2.2.29-1.4.amzn1.i686

noarch:
    httpd-manual-2.2.29-1.4.amzn1.noarch

src:
    httpd-2.2.29-1.4.amzn1.src

x86_64:
    httpd-debuginfo-2.2.29-1.4.amzn1.x86_64
    httpd-devel-2.2.29-1.4.amzn1.x86_64
    httpd-tools-2.2.29-1.4.amzn1.x86_64
    httpd-2.2.29-1.4.amzn1.x86_64
    mod_ssl-2.2.29-1.4.amzn1.x86_64

Additional References

Red Hat: CVE-2013-5704

Mitre: CVE-2013-5704