Oracle Solaris Third-Party Patch Update : apache (multiple_input_validation_vulnerabilities_in1)
Medium Nessus Plugin ID 80588
SynopsisThe remote Solaris system is missing a security patch for third-party software.
DescriptionThe remote Solaris system is missing necessary patches to address security updates :
- The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request. (CVE-2013-6438)
- The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation. (CVE-2014-0098)
SolutionUpgrade to Solaris 220.127.116.11.0.