156 matches found

Tenable Nessus
added 2015/02/13 12:0 a.m. | 52 views

Amazon Linux AMI : httpd24 (ALAS-2015-483)

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access...

5 CVSS | 6.2 AI score | 0.65044 EPSS
Exploits 2 | References 5

FreeBSD
added 2015/02/04 12:0 a.m. | 59 views

apache24 -- multiple vulnerabilities

Jim Jagielski reports: CVE-2015-3183 cve.mitre.org core: Fix chunk header parsing defect. Remove apr_brigade_flatten, buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized...

5 CVSS | 7.3 AI score | 0.24118 EPSS
Exploits 0 | References 1

Tenable Nessus
added 2015/02/02 12:0 a.m. | 44 views

FreeBSD : apache24 -- several vulnerabilities (5804b9d4-a959-11e4-9363-20cf30e32f6d)

Apache HTTP SERVER PROJECT reports: mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with response headers' size above 8K. mod_cache: Avoid a crash when Content-Type has an empty value. PR 56924. mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple...

5 CVSS | 6.7 AI score | 0.65044 EPSS
Exploits 2 | References 5

FreeBSD
added 2015/01/29 12:0 a.m. | 43 views

apache24 -- several vulnerabilities

Apache HTTP SERVER PROJECT reports: mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with response headers' size above 8K. mod_cache: Avoid a crash when Content-Type has an empty value. PR 56924. mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple Requi...

5 CVSS | 6.6 AI score | 0.65044 EPSS
Exploits 2

Hacker One
added 2015/01/28 12:0 a.m. | 78 views

Internet Bug Bounty: mod_lua: Crash in websockets PING handling

A stack recursion crash in the mod_lua module was found. A Lua script executing the r:wsupgrade function could crash the process if a malicious client sent a carefully crafted PING request. This issue affected releases 2.4.7 through 2.4.12 inclusive...

5 CVSS | 8.7 AI score | 0.15242 EPSS
Exploits 0

Apache Httpd
added 2015/01/28 12:0 a.m. | 37 views

Apache Httpd < 2.4.16 : mod_lua: Crash in websockets PING handling

A stack recursion crash in the mod_lua module was found. A Lua script executing the r:wsupgrade function could crash the process if a malicious client sent a carefully crafted PING request. This issue affected releases 2.4.7 through 2.4.12 inclusive...

5 CVSS | 8.7 AI score | 0.15242 EPSS
Exploits 0 | Affected Software 1

Mageia
added 2015/01/07 4:32 p.m. | 37 views

Updated apache packages fix CVE-2014-8109

Updated apache packages fix security vulnerability: mod_lua.c in the mod_lua module in the Apache HTTP Server through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers...

4.3 CVSS | 7.4 AI score | 0.11719 EPSS
Exploits 0 | References 3

OSV
added 2015/01/07 4:32 p.m. | 5 views

MGASA-2015-0011 Updated apache packages fix CVE-2014-8109

Updated apache packages fix security vulnerability: mod_lua.c in the mod_lua module in the Apache HTTP Server through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers...

4.3 CVSS | 6.5 AI score | 0.11719 EPSS
Exploits 0 | References 4

NVD
added 2014/12/29 11:59 p.m. | 20 views

CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access...

4.3 CVSS | 6.1 AI score | 0.11719 EPSS
Exploits 0 | References 25

OSV
added 2014/12/29 11:59 p.m. | 1 view

DEBIAN-CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access...

4.3 CVSS | 8.7 AI score | 0.11719 EPSS
Exploits 0 | References 1

Prion
added 2014/12/29 11:59 p.m. | 23 views

Authorization

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access...

4.3 CVSS | 7 AI score | 0.11719 EPSS
Exploits 0 | References 25 | Affected Software 4

Cvelist
added 2014/12/29 11:0 p.m. | 25 views

CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access...

6.2 AI score | 0.11719 EPSS
Exploits 0 | References 25

Debian CVE
added 2014/12/29 11:0 p.m. | 34 views

CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access...

4.3 CVSS | 6.8 AI score | 0.11719 EPSS
Exploits 0

CVE
added 2014/12/29 11:0 p.m. | 2057 views

CVE-2014-8109

CVE-2014-8109 affects the Apache HTTP Server 2.3.x and 2.4.x up to 2.4.10, where mod_lua.c does not properly handle an httpd configuration using the same Lua authorization provider with different arguments across contexts. This can allow remote attackers to bypass access restrictions via multiple...

4.3 CVSS | 6.7 AI score | 0.11719 EPSS
Exploits 0 | References 25 | Affected Software 1

UbuntuCve
added 2014/12/29 12:0 a.m. | 23 views

CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access...

4.3 CVSS | 6.9 AI score | 0.11719 EPSS
Exploits 0 | References 2

Apache Httpd
added 2014/11/09 12:0 a.m. | 61 views

Apache Httpd < 2.4.12 : mod_lua multiple "Require" directive handling is broken

Fix handling of the Require line in mod_lua when a LuaAuthzProvider is used in multiple Require directives with different arguments. This could lead to different authentication rules than expected...

4.3 CVSS | 6.9 AI score | 0.11719 EPSS
Exploits 0 | Affected Software 1