Field | Value
---|---
Summary | www-apache/mod_rpaf-0.6 : potential Denial of Service (CVE-2012-3526)
Product | Gentoo Security
Reporter | Agostino Sarubbo <ago>
Component | Vulnerabilities
Assignee | Gentoo Security <security>
Status | RESOLVED FIXED
Severity | minor
CC | apache-bugs
Priority | Normal
Version | unspecified
Hardware | All
OS | Linux
URL | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683984
Whiteboard | B3 [glsa]
Package list | (none)
Runtime testing required | ---
Security please vote

Thanks, folks. GLSA Vote: yes.

CVE-2012-3526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3526): The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Apache HTTP Server allows remote attackers to cause a denial of service (server or application crash) via multiple X-Forwarded-For headers in a request.

GLSA vote: yes. GLSA request filed.

This issue was resolved and addressed in GLSA 201209-20 at http://security.gentoo.org/glsa/glsa-201209-20.xml by GLSA coordinator Sean Amoss (ackle).
From $URL:

Sébastien Bocahu reported to the security team:

> (...)
>
> A single request makes Apache segfault. On some of the environments I tested, it even kills all Apache processes (they become zombies).
>
> I tested three environments, all of them running Debian squeeze with latest Apache and mod_rpaf packages, MPM prefork only, behind haproxy.
>
> To what I understand, there is a bug in version 0.5 of mod_rpaf, but the IPv6 patch that was applied by Debian exposes Apache to segfaults under specific crafted requests.
>
> The magic request is the following:
>
> `curl -H "x-forwarded-for: 1'\"5000" -H "Host: a.vhost.example.com" reverseproxy`
>
> Apache processes will segfault, hence a potential DoS issue.
>
> I have taken notes for myself and people I am working with. You can find these notes on http://zecrazytux.net/troubleshooting/apache2-segfault-debugging-tutorial
>
> From my experiments, version 0.6 fixes the issue (IPv6 patched or unpatched).