Debian: DSA-2237-2 Urgent: Resolution for APR Denial Of Service Issue
debian
May 21, 2011
The recent APR update DSA-2237-1 introduced a regression that could lead to an endless loop in the apr_fnmatch() function, causing a denial of service
Topics Covered
Summary
The recent APR update DSA-2237-1 introduced a regression that could
lead to an endless loop in the apr_fnmatch() function, causing a
denial of service. This update fixes this problem (CVE-2011-1928).
For reference, the description of the original DSA, which fixed
CVE-2011-0419:
A flaw was found in the APR library, which could be exploited through
Apache HTTPD's mod_autoindex. If a directory indexed by mod_autoindex
contained files with sufficiently long names, a remote attacker could
send a carefully crafted request which would cause excessive CPU
usage. This could be used in a denial of service attack.
For the oldstable distribution (lenny), this problem has been fixed in
version 1.2.12-5+lenny4.
For the stable distribution (squeeze), this problem has been fixed in
version 1.4.2-6+squeeze2.
For the testing distribution (wheezy), this problem will be fixed in
version 1.4.5-1.
For the unstable distribution (sid), this problem will be fixed in
version 1.4.5-1.
We recommend that you upgrade your apr pa...
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Package: apr
CVE ID: CVE-2011-0419 CVE-2011-1928
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!