Two vulnerabilities in ModSecurity might lead to a Denial of Service.
| Package | www-apache/mod_security on all architectures |
| Affected versions | < 2.5.9 |
| Unaffected versions | >= 2.5.9 |
ModSecurity is a popular web application firewall for the Apache HTTP server.
Multiple vulnerabilities were discovered in ModSecurity:
A remote attacker might send requests containing specially crafted multipart data or send certain requests to access a PDF file, possibly resulting in a Denial of Service (crash) of the Apache HTTP daemon. NOTE: The PDF XSS protection is not enabled by default.
There is no known workaround at this time.
All ModSecurity users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apache/mod_security-2.5.9"
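To find which hosts still need this upgrade, the following added example (not part of the original advisory) classifies installed package strings against the 2.5.9 threshold given above. The `host category/package-version` inventory format, the function names and the sample hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Threshold from the advisory: versions below 2.5.9 are affected.
FIXED="2.5.9"

# ver_lt A B: succeed when dotted numeric version A sorts before B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# classify ATOM: print "affected", "unaffected" or "unknown" for one
# installed-package string such as www-apache/mod_security-2.5.7-r1.
classify() {
    v=${1##*mod_security-}            # drop the category/name prefix
    [ "$v" != "$1" ] || { echo unknown; return; }
    v=${v%-r[0-9]*}                   # a Gentoo -rN revision never crosses the threshold
    case $v in
        *[!0-9.]*|""|.*|*.) echo unknown; return ;;  # e.g. _rc suffixes: review by hand
    esac
    if ver_lt "$v" "$FIXED"; then echo affected; else echo unaffected; fi
}

# audit: read "host atom" lines on stdin, print the hosts needing the upgrade.
audit() {
    while read -r host atom; do
        [ "$(classify "$atom")" = affected ] && echo "$host"
    done
    return 0
}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE='web01 www-apache/mod_security-2.5.7-r1
web02 www-apache/mod_security-2.5.9
web03 www-apache/mod_security-2.5.10-r2
web04 www-apache/mod_security-2.1.6'

printf '%s\n' "$SAMPLE" | audit
```

Version strings with suffixes such as `_rc1` are reported as `unknown` rather than guessed, so they can be checked by hand.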
July 02, 2009
July 02, 2009: 01