CVE-2013-5705 — modsecurity-apache - security update

Description

apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

How to fix CVE-2013-5705

To remediate CVE-2013-5705, upgrade the affected package to a fixed version below.

Debian/libapache-mod-security—upgrade to 2.5.12-1+squeeze4 or later
Debian/modsecurity-apache—upgrade to 2.7.7-1 or later
Debian/modsecurity-apache—upgrade to 2.6.6-6+deb7u2 or later

Is CVE-2013-5705 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.5.12-1+squeeze4
from 0, < 2.7.7-1
from 0, < 2.6.6-6+deb7u2

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-5705