RedHat has issued an advisory for this today (July 23):
https://rhn.redhat.com/errata/RHSA-2014-0921.html

URL: (none) => http://lwn.net/Vulnerabilities/606294/

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory (Mageia 3):
========================

Updated apache packages fix security vulnerabilities:

A race condition flaw, leading to heap-based buffer overflows, was found in
the mod_status httpd module. A remote attacker able to access a status page
served by mod_status on a server using a threaded Multi-Processing Module
(MPM) could send a specially crafted request that would cause the httpd
child process to crash or, possibly, allow the attacker to execute
arbitrary code with the privileges of the "apache" user (CVE-2014-0226).

A denial of service flaw was found in the way httpd's mod_deflate module
handled request body decompression (configured via the "DEFLATE" input
filter). A remote attacker able to send a request whose body would be
decompressed could use this flaw to consume an excessive amount of system
memory and CPU on the target system (CVE-2014-0118).

A denial of service flaw was found in the way httpd's mod_cgid module
executed CGI scripts that did not read data from the standard input.
A remote attacker could submit a specially crafted request that would cause
the httpd child process to hang indefinitely (CVE-2014-0231).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
http://httpd.apache.org/security/vulnerabilities_24.html
https://rhn.redhat.com/errata/RHSA-2014-0921.html


Advisory (Mageia 4):
========================

Updated apache packages fix security vulnerabilities:

A race condition flaw, leading to heap-based buffer overflows, was found in
the mod_status httpd module. A remote attacker able to access a status page
served by mod_status on a server using a threaded Multi-Processing Module
(MPM) could send a specially crafted request that would cause the httpd
child process to crash or, possibly, allow the attacker to execute
arbitrary code with the privileges of the "apache" user (CVE-2014-0226).

A denial of service flaw was found in the mod_proxy httpd module. A remote
attacker could send a specially crafted request to a server configured as a
reverse proxy using a threaded Multi-Processing Modules (MPM) that would
cause the httpd child process to crash (CVE-2014-0117).

A denial of service flaw was found in the way httpd's mod_deflate module
handled request body decompression (configured via the "DEFLATE" input
filter). A remote attacker able to send a request whose body would be
decompressed could use this flaw to consume an excessive amount of system
memory and CPU on the target system (CVE-2014-0118).

A denial of service flaw was found in the way httpd's mod_cgid module
executed CGI scripts that did not read data from the standard input.
A remote attacker could submit a specially crafted request that would cause
the httpd child process to hang indefinitely (CVE-2014-0231).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
http://httpd.apache.org/security/vulnerabilities_24.html
https://rhn.redhat.com/errata/RHSA-2014-0921.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.4-7.8.mga3
apache-mod_dav-2.4.4-7.8.mga3
apache-mod_ldap-2.4.4-7.8.mga3
apache-mod_cache-2.4.4-7.8.mga3
apache-mod_proxy-2.4.4-7.8.mga3
apache-mod_proxy_html-2.4.4-7.8.mga3
apache-mod_suexec-2.4.4-7.8.mga3
apache-mod_userdir-2.4.4-7.8.mga3
apache-mod_ssl-2.4.4-7.8.mga3
apache-mod_dbd-2.4.4-7.8.mga3
apache-htcacheclean-2.4.4-7.8.mga3
apache-devel-2.4.4-7.8.mga3
apache-doc-2.4.4-7.8.mga3
apache-2.4.7-5.3.mga4
apache-mod_dav-2.4.7-5.3.mga4
apache-mod_ldap-2.4.7-5.3.mga4
apache-mod_session-2.4.7-5.3.mga4
apache-mod_cache-2.4.7-5.3.mga4
apache-mod_proxy-2.4.7-5.3.mga4
apache-mod_proxy_html-2.4.7-5.3.mga4
apache-mod_suexec-2.4.7-5.3.mga4
apache-mod_userdir-2.4.7-5.3.mga4
apache-mod_ssl-2.4.7-5.3.mga4
apache-mod_dbd-2.4.7-5.3.mga4
apache-htcacheclean-2.4.7-5.3.mga4
apache-devel-2.4.7-5.3.mga4
apache-doc-2.4.7-5.3.mga4

from SRPMS:
apache-2.4.4-7.8.mga3.src.rpm
apache-2.4.7-5.3.mga4.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => critical

In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.6.mga3.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.4-7.6.mga3.i586 is already installed
http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

install apache & apache-mod_userdir from updates_testing
Stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.8.mga3.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.4-7.8.mga3.i586 is already installed

http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.6.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.4-7.6.mga3.x86_64 is already installed

http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

install apache & apache-mod_userdir from updates_testing
Stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.8.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.4-7.8.mga3.x86_64 is already installed

http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.1.mga4.i586 is already installed

http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

install apache & apache-mod_userdir from updates_testing
Stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.3.mga4.i586 is already installed

http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.1.mga4.x86_64 is already installed

http://localhost/~wilcal/ works
192.168.1.91/~wilcal/ local LAN IP works

install apache & apache-mod_userdir from updates_testing
Stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.3.mga4.x86_64 is already installed

http://localhost/~wilcal/ works
192.168.1.91/~wilcal/ local LAN IP works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

I'm gonna leave this alone for a couple days. These
are the only packages I am familiar with. Others may
want to test some of the other parts of this before
pushing it on. For me it works.

No on else has tested this.
For me this update works fine.
Lets push it.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Advisories uploaded (13788.mga3.adv and 13788.mga4.adv).

CC: (none) => remi
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

Updates Pushed.

MGA3: http://advisories.mageia.org/MGASA-2014-0304.html
MGA4: http://advisories.mageia.org/MGASA-2014-0305.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED