A vulnerability has been reported in the Apache mod_proxy module, which can be exploited by malicious people to potentially cause a DoS (Denial of Service).
An error exists in the mod_proxy module when functioning in reverse proxy mode. This can be exploited to consume large amounts of CPU in an affected proxy process via specially crafted proxy requests.
Created attachment 196584
Changeset as applied to trunk in upstream SVN, rev 790587.
Patch added to 2.2.11-r1; stabilization should probably be done in a new bug, since multiple issues have been fixed with 2.2.11-r1.
Thanks, stabilization handled in 276589.
The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
module in the Apache HTTP Server before 2.3.3, when a reverse proxy
is configured, does not properly handle an amount of streamed data
that exceeds the Content-Length value, which allows remote attackers
to cause a denial of service (CPU consumption) via crafted requests.
GLSA 200907-04, thanks everyone.
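The bound that the CVE description above says stream_reqbody_cl did not handle properly, as an added C example: a simplified model of relaying a body against its declared Content-Length, not the Apache code or the upstream changeset. The names relay_body_cl, relay_status and last_reads are hypothetical, and the chunk arrays are constructed data.

```c
#include <stddef.h>
#include <stdio.h>

enum relay_status { RELAY_OK, RELAY_TOO_LONG, RELAY_TOO_SHORT };

/* Constructed chunk sizes standing in for successive reads from the
 * client connection (not captured traffic). */
static const size_t EXACT[]  = {4, 4, 2};        /* 10 bytes in total */
static const size_t EXCESS[] = {4, 4, 4, 4, 4};  /* 20 bytes in total */

size_t last_reads;  /* reads performed by the most recent relay_body_cl() */

/* Relay a body whose declared Content-Length is cl; sizes[0..n) are the
 * chunks the client actually sends. The loop stops at the first chunk
 * that would push the running total past cl, so the work done is bounded
 * by the declared length, not by what the client keeps sending. */
enum relay_status relay_body_cl(const size_t *sizes, size_t n, size_t cl)
{
    size_t streamed = 0;

    last_reads = 0;
    for (size_t i = 0; i < n; i++) {
        last_reads++;
        /* Overflow-safe form of: streamed + sizes[i] > cl.
         * streamed <= cl always holds here, so cl - streamed cannot wrap. */
        if (sizes[i] > cl - streamed)
            return RELAY_TOO_LONG;   /* fail the request and stop reading */
        streamed += sizes[i];        /* a proxy would forward the chunk here */
    }
    return streamed == cl ? RELAY_OK : RELAY_TOO_SHORT;
}

int main(void)
{
    enum relay_status st;

    st = relay_body_cl(EXACT, 3, 10);
    printf("exact:  status=%d reads=%zu\n", (int)st, last_reads);
    st = relay_body_cl(EXCESS, 5, 10);
    printf("excess: status=%d reads=%zu\n", (int)st, last_reads);
    st = relay_body_cl(EXACT, 3, 12);
    printf("short:  status=%d reads=%zu\n", (int)st, last_reads);
    return 0;
}
```

With the excess input, the relay returns after the third read instead of consuming the remaining chunks.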