| Field | Value |
|---|---|
| Summary | <www-servers/apache-2.2.11-r1 [apache2_modules_proxy_http]: Reverse Proxy DoS (CVE-2009-1890) |
| Product | Gentoo Security |
| Reporter | Alex Legler (RETIRED) <a3li> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | apache-bugs |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587 |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 276589 |
| Bug Blocks | |
| Attachments | apache-CVE-2009-1890.patch (attachment 196584) |
Description

Alex Legler (RETIRED), 2009-07-04 07:56:47 UTC

Created attachment 196584 [details, diff]: apache-CVE-2009-1890.patch

Changeset as applied to trunk in upstream SVN, rev 790587.

Patch added to 2.2.11-r1; stabilization should probably be done in a new bug, since multiple issues have been fixed with 2.2.11-r1.

Thanks, stabilization handled in 276589.

CVE-2009-1890 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1890): The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.

GLSA 200907-04, thanks everyone.
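The CVE text above describes a reverse proxy that keeps streaming a request body past the length the client declared. The following is an added illustration, not the Apache patch and not Gentoo's code: a small Python model of a body-forwarding loop that enforces the Content-Length bound, so that an input stream of unbounded length (the denial-of-service case) ends the loop after a fixed amount of work instead of consuming CPU indefinitely. The function and sample names (`forward_body`, `proxy_request`, `endless_chunks`) are hypothetical, the sample inputs are constructed, and treating a body that ends short of Content-Length as a bad request is a design choice of this model.

```python
"""Model of Content-Length enforcement when a reverse proxy forwards a request body.

Added example for CVE-2009-1890; hypothetical names, not Apache mod_proxy code.
"""
from typing import Iterable, List, Tuple


class BadRequest(Exception):
    """Raised when the body read from the client does not match its Content-Length."""


def forward_body(chunks: Iterable[bytes], content_length: int) -> Tuple[List[bytes], int]:
    """Forward at most content_length bytes of request body toward the backend.

    chunks: the sequence of buffers read from the client connection.
    Returns (forwarded_chunks, bytes_streamed).

    The loop stops as soon as content_length bytes have been seen, and it
    raises BadRequest the moment the total exceeds content_length. Either
    way the amount of work is bounded by the declared length, not by how
    much the client is willing to send.
    """
    forwarded: List[bytes] = []
    streamed = 0
    for chunk in chunks:
        if not chunk:
            continue
        streamed += len(chunk)
        if streamed > content_length:
            # Excess data: reject rather than keep reading/forwarding it.
            raise BadRequest(
                f"request body exceeds Content-Length {content_length} ({streamed} bytes seen)"
            )
        forwarded.append(chunk)
        if streamed == content_length:
            break  # declared body complete; do not wait for more data
    if streamed < content_length:
        # Client closed early (model choice: treat a short body as malformed).
        raise BadRequest(
            f"request body shorter than Content-Length {content_length} ({streamed} bytes seen)"
        )
    return forwarded, streamed


def proxy_request(chunks: Iterable[bytes], content_length: int) -> int:
    """Return the HTTP status a proxy would send: 200 when the body is well-formed, 400 otherwise."""
    try:
        forward_body(chunks, content_length)
    except BadRequest:
        return 400
    return 200


def endless_chunks(size: int = 1024) -> Iterable[bytes]:
    """Constructed input: a client that never stops sending body data."""
    while True:
        yield b"A" * size


if __name__ == "__main__":
    # Constructed samples: a 15-byte body declared as 15 bytes, and an unbounded one.
    print(proxy_request([b"field=1&", b"value=2"], 15))  # 200
    print(proxy_request(endless_chunks(), 15))           # 400, loop terminates
```

The second call is the point of the model: because the check happens on every buffer and the loop exits once the declared length is reached or exceeded, an endless input stream costs the proxy one iteration rather than an open-ended amount of CPU.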