Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 115324 - net-www/apache Possible DoS (CVE-2005-3357)
Summary: net-www/apache Possible DoS (CVE-2005-3357)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2005-12-12 10:15 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-02-06 10:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-12 10:15:53 UTC
It's a remotely-triggered NULL pointer dereference (so interesting only if you 
use a threaded MPM), affects server configurations with an SSL vhost 
configured with access control and a custom 400 errordocument
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-12-20 04:12:38 UTC
Apache herd, please advise/patch ?
Comment 3 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-12-20 16:39:52 UTC
The supplied patch is for the apache trunk and won't apply correctly to 2.0.55. We need a backport from upstream unless someone more knowledgable in c/c++ wants to step up to the plate.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-12-21 01:28:48 UTC
Given the very specific nature of this vulnerability I would wait for an upstream release to pick it up.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-01-13 06:06:21 UTC
Backports at :

This should be grouped with bug 118875 for a common GLSA.
Comment 6 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-01-16 19:03:36 UTC
fixed in CVS. see bug 118875.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-01-18 06:32:22 UTC
See stable marking handled on bug 118875
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-01-23 00:56:09 UTC
Common GLSA with bug 118875
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-06 10:24:00 UTC
GLSA 200602-03

Apache note that new old style versions might be flagged as vulnerable by this GLSA. So we have to update it if you put out new versions.