Bug 432406 (CVE-2012-3526) - <www-apache/mod_rpaf-0.6 : potential Denial of Service (CVE-2012-3526)
Summary: <www-apache/mod_rpaf-0.6 : potential Denial of Service (CVE-2012-3526)
Status: RESOLVED FIXED
Alias: CVE-2012-3526
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-23 10:48 UTC by Agostino Sarubbo
Modified: 2012-09-27 20:16 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2012-08-23 10:48:28 UTC
From $URL:

Sébastien Bocahu reported to the security team:
> (...) 
> A single request makes Apache segfault. On some of the environments I tested,
> it even kills all Apache processes (they become zombies).
> 
> I tested three environments, all of them running Debian squeeze with latest
> Apache and mod_rpaf packages, MPM prefork only, behind haproxy.
> 
> From what I understand, there is a bug in version 0.5 of mod_rpaf, but the IPv6
> patch that was applied by Debian exposes Apache to segfaults under specific
> crafted requests.
> 
> The magic request is the following:
>   curl -H "x-forwarded-for: 1'\"5000" -H "Host: a.vhost.example.com"
>   reverseproxy
> 
> Apache processes will segfault, hence a potential DOS issue.
> 
> I have taken notes for myself and people I am working with.
> You can find these notes on
> http://zecrazytux.net/troubleshooting/apache2-segfault-debugging-tutorial
> 
> From my experiments, version 0.6 fixes the issue (IPv6 patched or unpatched).
Comment 1 Agostino Sarubbo gentoo-dev 2012-08-23 10:48:41 UTC
Security please vote
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-09-04 16:21:23 UTC
Thanks, folks. GLSA Vote: yes.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:43:44 UTC
CVE-2012-3526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3526):
  The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Apache
  HTTP Server allows remote attackers to cause a denial of service (server or
  application crash) via multiple X-Forwarded-For headers in a request.
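
A defensive check for the two conditions named in the report and the CVE summary above, added here as an example (not code from the bug report, mod_rpaf or Gentoo): it flags requests whose X-Forwarded-For entries are not IP literals, or that carry more than one X-Forwarded-For header. The function names and sample requests are constructed, and it assumes the caller has the raw header list with duplicates preserved.

```python
import ipaddress


def non_ip_entries(xff_values):
    """Return every comma-separated entry that does not parse as an IPv4/IPv6 literal."""
    bad = []
    for value in xff_values:
        for entry in value.split(","):
            entry = entry.strip()
            try:
                ipaddress.ip_address(entry)
            except ValueError:
                bad.append(entry)
    return bad


def audit_request(headers):
    """headers: list of (name, value) pairs as received, duplicates preserved."""
    xff = [value for name, value in headers if name.lower() == "x-forwarded-for"]
    return {
        "xff_header_count": len(xff),
        "multiple_xff_headers": len(xff) > 1,
        "non_ip_entries": non_ip_entries(xff),
    }


def is_suspicious(headers):
    """True when a request should be rejected or logged before reaching the backend."""
    result = audit_request(headers)
    return result["multiple_xff_headers"] or bool(result["non_ip_entries"])


# Constructed sample requests (header lists only), not captured traffic.
SAMPLES = {
    "normal": [("Host", "a.vhost.example.com"),
               ("X-Forwarded-For", "203.0.113.7, 10.0.0.2")],
    "ipv6": [("Host", "a.vhost.example.com"),
             ("X-Forwarded-For", "2001:db8::1")],
    # Header value taken from the report quoted in the bug description.
    "malformed": [("Host", "a.vhost.example.com"),
                  ("x-forwarded-for", "1'\"5000")],
    "duplicated": [("Host", "a.vhost.example.com"),
                   ("X-Forwarded-For", "203.0.113.7"),
                   ("X-Forwarded-For", "198.51.100.9")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, is_suspicious(headers), audit_request(headers))
```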
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-19 10:41:14 UTC
GLSA vote: yes.

GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-09-27 20:16:13 UTC
This issue was resolved and addressed in
 GLSA 201209-20 at http://security.gentoo.org/glsa/glsa-201209-20.xml
by GLSA coordinator Sean Amoss (ackle).