Date: Wed, 3 Jun 2009 12:24:40 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: ModSecurity / apache2 mod_security 2.5.9

======================================================
Name: CVE-2009-1902
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1902
Reference: BUGTRAQ:20090319 [ISecAuditors Security Advisories] ModSecurity < 2.5.9 remote Denial of Service
Reference: URL:http://www.securityfocus.com/archive/1/501968
Reference: MILW0RM:8241
Reference: URL:http://www.milw0rm.com/exploits/8241
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846
Reference: FEDORA:FEDORA-2009-2654
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00487.html
Reference: FEDORA:FEDORA-2009-2686
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00529.html
Reference: BID:34096
Reference: URL:http://www.securityfocus.com/bid/34096
Reference: OSVDB:52553
Reference: URL:http://www.osvdb.org/52553
Reference: SECUNIA:34256
Reference: URL:http://secunia.com/advisories/34256
Reference: SECUNIA:34311
Reference: URL:http://secunia.com/advisories/34311
Reference: VUPEN:ADV-2009-0703
Reference: URL:http://www.vupen.com/english/advisories/2009/0703
Reference: XF:modsecurity-multipart-dos(49212)
Reference: URL:http://xforce.iss.net/xforce/xfdb/49212

The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form-data POST request with a missing part header name, which triggers a NULL pointer dereference.
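The failure mode named in the CVE description (a part header line with no name reaching code that assumes every stored header has one) is easiest to see against a parser that refuses such a line up front. The following is an added illustration, not ModSecurity's code and not the 2.5.9 fix: a constructed parser for the header block of one multipart part that returns an error status for an empty header name instead of storing a record downstream code would dereference, plus a lookup that returns NULL for an absent header so callers are forced to check. The sample header blocks, the HDR_* status codes and all function names are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Status codes for header parsing (constructed for this example). */
enum hdr_status {
    HDR_OK         =  0,
    HDR_EMPTY_NAME = -1,   /* line like ": value" -- the CVE's failure mode */
    HDR_NO_COLON   = -2,
    HDR_TOO_LONG   = -3,
    HDR_TOO_MANY   = -4
};

#define HDR_MAX 256

struct part_header {
    char name[HDR_MAX];
    char value[HDR_MAX];
};

/* Parse one "Name: value" line (CRLF already stripped). Rejects a missing or
 * whitespace-only name so no record with an empty name is ever stored. */
int parse_part_header(const char *line, struct part_header *out)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL) return HDR_NO_COLON;

    size_t name_len = (size_t)(colon - line);
    while (name_len > 0 && isspace((unsigned char)line[name_len - 1])) name_len--;
    if (name_len == 0) return HDR_EMPTY_NAME;
    if (name_len >= HDR_MAX) return HDR_TOO_LONG;

    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t') v++;          /* skip leading value whitespace */
    if (strlen(v) >= HDR_MAX) return HDR_TOO_LONG;

    memcpy(out->name, line, name_len);
    out->name[name_len] = '\0';
    strcpy(out->value, v);
    return HDR_OK;
}

/* Parse a part's header block (CRLF-separated lines up to the first blank line).
 * Returns the number of headers stored, or a negative hdr_status for the first
 * malformed line; the caller should then reject the whole part. */
int parse_part_headers(const char *block, struct part_header *hdrs, size_t max_hdrs)
{
    size_t n = 0;
    const char *p = block;
    while (*p != '\0') {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) break;                      /* blank line ends the header block */

        char line[HDR_MAX * 2];
        if (len >= sizeof line) return HDR_TOO_LONG;
        memcpy(line, p, len);
        line[len] = '\0';

        if (n >= max_hdrs) return HDR_TOO_MANY;
        int rc = parse_part_header(line, &hdrs[n]);
        if (rc != HDR_OK) return rc;
        n++;

        if (!eol) break;
        p = eol + 2;
    }
    return (int)n;
}

/* Case-insensitive lookup. Returns NULL when the header is absent, so every
 * caller must test the result before using it. */
const char *find_part_header(const struct part_header *hdrs, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcasecmp(hdrs[i].name, name) == 0) return hdrs[i].value;
    return NULL;
}

/* Constructed sample part header blocks (not captured traffic). */
#define GOOD_PART "Content-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n" \
                  "Content-Type: text/plain\r\n\r\nbody"
#define BAD_PART  ": form-data; name=\"file\"\r\n\r\n"   /* header line with no name */

static struct part_header g_hdrs[8];

int main(void)
{
    int n = parse_part_headers(GOOD_PART, g_hdrs, 8);
    const char *ct = find_part_header(g_hdrs, n, "content-type");
    printf("good part: %d headers, Content-Type=%s\n", n, ct ? ct : "(absent)");
    printf("bad part: status %d (HDR_EMPTY_NAME is %d)\n",
           parse_part_headers(BAD_PART, g_hdrs, 8), HDR_EMPTY_NAME);
    return 0;
}
```

The design point is that the malformed line is refused at parse time and the part is rejected as a whole; the lookup side then only ever sees fully populated records, and its one NULL return (header absent) is explicit in the contract rather than a stray pointer in a stored record.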