Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 276792 (CVE-2009-1891)

Summary: <www-servers/apache-2.2.11-r2 [apache2_modules_deflate]: DoS (CVE-2009-1891)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: apache-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://svn.apache.org/viewvc?view=rev&revision=791454
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 276589    
Bug Blocks:    
Attachments:
Description Flags
apache-CVE-2009-1891.patch none

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-06 16:48:38 UTC 
SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other 
modules, by forcing the server to consume CPU time in compressing a 
large file after a client disconnects.  [Joe Orton, Ruediger Pluem]

More details:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-06 16:49:57 UTC 
Created attachment 196924 [details, diff]
apache-CVE-2009-1891.patch

Patch as applied to trunk in upstream SVN rev 791454.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-07 09:51:09 UTC 
fixed in 2.2.11-r2, ready for stabilization, bug 276589 should probably be closed in favor of this one.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-10 16:36:03 UTC 
CVE-2009-1891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1891):
  The mod_deflate module in Apache httpd 2.2.11 and earlier compresses
  large files until completion even after the associated network
  connection is closed, which allows remote attackers to cause a denial
  of service (CPU consumption).
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-12 15:23:55 UTC 
GLSA 200907-04, thanks everyone.