[v2.3] CVE-2013-1896 apache2: mod_dav DoS (httpd child process crash) via a URI MERGE request with source URI not handled by mod_dav

references:
http://s.apache.org/H1a
https://access.redhat.com/security/cve/CVE-2013-1896

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.

(from redmine: issue id 2217, created on 2013-08-06, closed on 2013-08-30)

Relations:
- parent #2214 (closed)
Changesets:
- Revision 4b8d261b by Natanael Copa on 2013-08-08T10:52:47Z:

main/apache2: security upgrade to 2.2.25 (CVE-2013-1896)

fixes #2217

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information