Amazon Linux 1 Security Advisory: ALAS-2015-483
Advisory Release Date: 2015-02-12 10:57 Pacific
Advisory Updated Date: 2015-02-12 11:32 Pacific
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. (CVE-2014-8109)
A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. (CVE-2013-5704)
A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled. (CVE-2014-3581)
The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers. (CVE-2014-3583)
Affected Packages:
httpd24
Issue Correction:
Run yum update httpd24 to update your system.
i686:
mod24_proxy_html-2.4.10-15.58.amzn1.i686
httpd24-tools-2.4.10-15.58.amzn1.i686
httpd24-devel-2.4.10-15.58.amzn1.i686
mod24_ssl-2.4.10-15.58.amzn1.i686
mod24_ldap-2.4.10-15.58.amzn1.i686
mod24_session-2.4.10-15.58.amzn1.i686
httpd24-2.4.10-15.58.amzn1.i686
httpd24-debuginfo-2.4.10-15.58.amzn1.i686
noarch:
httpd24-manual-2.4.10-15.58.amzn1.noarch
src:
httpd24-2.4.10-15.58.amzn1.src
x86_64:
mod24_session-2.4.10-15.58.amzn1.x86_64
httpd24-tools-2.4.10-15.58.amzn1.x86_64
mod24_ldap-2.4.10-15.58.amzn1.x86_64
httpd24-debuginfo-2.4.10-15.58.amzn1.x86_64
mod24_ssl-2.4.10-15.58.amzn1.x86_64
mod24_proxy_html-2.4.10-15.58.amzn1.x86_64
httpd24-devel-2.4.10-15.58.amzn1.x86_64
httpd24-2.4.10-15.58.amzn1.x86_64
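To confirm the correction landed on a fleet, the check below compares installed httpd24 package NVRs (as printed by rpm -qa) against the fixed release 2.4.10-15.58.amzn1 listed in this advisory. It is an added example, not Amazon's tooling: the version comparison is a simplified rpmvercmp (no epoch or tilde handling) and the installed package list is constructed inline.

```python
import re

# Fixed version and release from ALAS-2015-483 (taken from the advisory above).
FIXED_VERSION = "2.4.10"
FIXED_RELEASE = "15.58.amzn1"
# Binary package names listed under "Affected Packages" / the i686 and x86_64 sections.
ADVISORY_PACKAGES = {
    "httpd24", "httpd24-tools", "httpd24-devel", "httpd24-debuginfo", "httpd24-manual",
    "mod24_ssl", "mod24_ldap", "mod24_session", "mod24_proxy_html",
}

def split_nvra(nvra):
    """Split 'name-version-release.arch' (rpm file-name layout) into its four parts."""
    base, arch = nvra.rsplit(".", 1)
    name_ver, release = base.rsplit("-", 1)
    name, version = name_ver.rsplit("-", 1)
    return name, version, release, arch

def rpmvercmp(a, b):
    """Simplified rpm version comparison: split into numeric and alphabetic segments,
    compare numerics as integers and alphas lexically; a numeric segment sorts after
    an alphabetic one and a longer string wins when all shared segments are equal."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(nvra):
    """True if the package is at or above the advisory's fix; None if not covered by it."""
    name, version, release, _ = split_nvra(nvra)
    if name not in ADVISORY_PACKAGES:
        return None
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0

def outstanding(installed):
    """Return the installed NVRs that this advisory covers and that are still unpatched."""
    return [p for p in installed if is_patched(p) is False]

# Constructed sample of `rpm -qa` output from one host, not real inventory data.
SAMPLE_HOST = ["httpd24-2.4.10-15.57.amzn1.x86_64", "mod24_ssl-2.4.10-15.58.amzn1.x86_64",
               "httpd24-tools-2.4.9-16.60.amzn1.x86_64", "bash-4.2.46-12.amzn1.x86_64"]
```

Feeding real `rpm -qa` output into outstanding() lists exactly the packages that still need the `yum update httpd24` step; a host where it returns an empty list carries the fix for all four CVEs.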