Summary
The remote host is missing an update to apache-mod_security announced via advisory MDVSA-2009:184.
Solution
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
https://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:184
Insight
Multiple vulnerabilities has been found and corrected in mod_security:
The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference (CVE-2009-1902).
The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method (CVE-2009-1903).
This update provides mod_security 2.5.9, which is not vulnerable to these issues.
Affected: Enterprise Server 5.0
Severity
Classification
-
CVE CVE-2009-1902, CVE-2009-1903 -
CVSS Base Score: 7.8
AV:N/AC:L/Au:N/C:N/I:N/A:C
Related Vulnerabilities