Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 276792 (CVE-2009-1891)

Summary: <www-servers/apache-2.2.11-r2 [apache2_modules_deflate]: DoS (CVE-2009-1891)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: apache-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 276589    
Bug Blocks:    
Description Flags
apache-CVE-2009-1891.patch none

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-06 16:48:38 UTC
SECURITY: CVE-2009-1891 (
Fix a potential Denial-of-Service attack against mod_deflate or other 
modules, by forcing the server to consume CPU time in compressing a 
large file after a client disconnects.  [Joe Orton, Ruediger Pluem]

More details:
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-06 16:49:57 UTC
Created attachment 196924 [details, diff]

Patch as applied to trunk in upstream SVN rev 791454.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-07 09:51:09 UTC
fixed in 2.2.11-r2, ready for stabilization, bug 276589 should probably be closed in favor of this one.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-10 16:36:03 UTC
CVE-2009-1891 (
  The mod_deflate module in Apache httpd 2.2.11 and earlier compresses
  large files until completion even after the associated network
  connection is closed, which allows remote attackers to cause a denial
  of service (CPU consumption).

Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-12 15:23:55 UTC
GLSA 200907-04, thanks everyone.