Simon Kappel discovered a race condition in mod_auth_digest when running in
a threaded server which could allow a user with valid credentials to
authenticate using another username, bypassing configured access control

Bernhard Lorenz of Alpha Strike Labs GmbH discovered an httpd URL
normalization inconsistency: when the path component of a request URL
contains multiple consecutive slashes ('/'), directives such as
LocationMatch and RewriteRule must account for duplicates in regular
expressions while other aspects of the server's processing will implicitly

For Debian 7 Wheezy, these problems have been fixed in version 2.2.22-13+deb7u14.
We recommend that you upgrade your apache2 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.
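
An added example, not part of the original advisory or of Apache httpd: a small Python audit that checks whether a regular expression written for a directive such as LocationMatch or RewriteRule still matches when slashes in a protected path are repeated. The pattern strings, the sample path and the function names are constructed for illustration, and Python's re module is assumed to behave like httpd's regex engine for patterns this simple.

```python
import re


def slash_variants(path, max_run=3):
    """Return path plus variants in which one or all '/' are repeated 2..max_run times."""
    variants = [path]
    positions = [i for i, ch in enumerate(path) if ch == "/"]
    for n in range(2, max_run + 1):
        for pos in positions:
            # Repeat a single slash, leaving the others untouched.
            variants.append(path[:pos] + "/" * n + path[pos + 1:])
        # Repeat every slash in the path.
        variants.append(path.replace("/", "/" * n))
    # Drop duplicates while keeping a stable order.
    return list(dict.fromkeys(variants))


def audit_pattern(pattern, protected_paths, max_run=3):
    """Return the slash-duplicated variants that the pattern does NOT match.

    An empty list means the pattern accounts for duplicate slashes for the
    given paths; any entry is a form of the path the directive would skip.
    """
    rx = re.compile(pattern)
    missed = []
    for path in protected_paths:
        for variant in slash_variants(path, max_run):
            # Unanchored search: a pattern only anchors where it says so.
            if not rx.search(variant):
                missed.append(variant)
    return missed


# Constructed sample data: one path an access rule is meant to cover,
# and two candidate patterns for that rule.
PROTECTED = ["/admin/console"]
STRICT_PATTERN = r"^/admin/"       # assumes exactly one slash
TOLERANT_PATTERN = r"^/+admin/+"   # accepts runs of slashes

if __name__ == "__main__":
    for name, pat in (("strict", STRICT_PATTERN), ("tolerant", TOLERANT_PATTERN)):
        missed = audit_pattern(pat, PROTECTED)
        print(f"{name:8} {pat!r}: {len(missed)} unmatched variant(s)")
        for m in missed:
            print("   ", m)
```

Run it over the patterns and paths from your own configuration before and after upgrading; any variant it lists is a form of the path that the pattern alone does not cover.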