RealTime IT News

Apache HTTP Server 2.4.12 Patches 4 Vulnerabilities (GHOST need not Apply)

From the 'Real Updates' files:

While some in the security community are chasing GHOSTs this week, there is another update that needs attention. The widely deployed Apache HTTP Server (httpd) is being updated to version 2.4.12, fixing at least four publicly identified CVEs.

And for those of you keeping score at home, there was no 2.4.11 update; devs just jumped from 2.4.10 to 2.4.12.

The security updates are as follows:

CVE-2014-3583 (cve.mitre.org)
 mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
 response headers' size above 8K.

CVE-2014-3581 (cve.mitre.org)
 mod_cache: Avoid a crash when Content-Type has an empty value.
 PR 56924.

CVE-2014-8109 (cve.mitre.org)
 mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
 used in multiple Require directives with different arguments.

CVE-2013-5704 (cve.mitre.org)
 core: HTTP trailers could be used to replace HTTP headers
 late during request processing, potentially undoing or
 otherwise confusing modules that examined or modified
 request headers earlier.  Adds "MergeTrailers" directive to restore
 legacy behavior.
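
To make the CVE-2013-5704 entry concrete, here is an added example (not code from the Apache project) that models, in simplified form, how a trailer on a chunked request can undo an earlier header modification. The `merge_trailers` flag stands in for the MergeTrailers directive; the `X-Internal-User` header, the `strip_internal` module and the sample request are hypothetical and constructed for illustration.

```python
# Simplified model of header/trailer handling; not httpd source code.
def parse_fields(lines):
    """Turn 'Name: value' lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in filter(None, lines):
        name, _, value = line.partition(b":")
        fields[name.strip().lower().decode()] = value.strip().decode()
    return fields

def decode_chunked(data):
    """Decode a chunked body; return (body, trailer_lines)."""
    body = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        body += data[:size]
        data = data[size + 2:]                    # skip chunk data and its CRLF
    # What follows the zero-size chunk, up to the blank line, is the trailer.
    return body, data.split(b"\r\n\r\n")[0].split(b"\r\n")

def read_request(raw, merge_trailers, early_hook):
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = parse_fields(head.split(b"\r\n")[1:])  # skip the request line
    early_hook(headers)         # a module examines or modifies headers first
    body, trailer_lines = decode_chunked(rest)       # the body is read later
    trailers = parse_fields(trailer_lines)
    if merge_trailers:          # legacy behaviour: trailers replace headers
        headers.update(trailers)
    return headers, trailers, body

def strip_internal(headers):
    """Hypothetical early module: drop a header clients must not set."""
    headers.pop("x-internal-user", None)

# Constructed sample request; the X-Internal-User header name is hypothetical.
SAMPLE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Transfer-Encoding: chunked\r\nX-Internal-User: from-header\r\n\r\n"
          b"5\r\nhello\r\n0\r\nX-Internal-User: from-trailer\r\n\r\n")

def demo():
    legacy, _, _ = read_request(SAMPLE, True, strip_internal)
    fixed, trailers, body = read_request(SAMPLE, False, strip_internal)
    return legacy, fixed, trailers, body

if __name__ == "__main__":
    for item in demo():
        print(item)
```

With merging on, the header the early module removed reappears with the trailer's value; with merging off, it stays out of the header table and is visible only in the separate trailer set.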

The Apache 2.4.12 update isn't just about security updates, though; there are improvements for larger shared memory in mod_socache_shmcb, and there are also improvements to mod_ssl.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist