Bug 276792 (CVE-2009-1891) - <www-servers/apache-2.2.11-r2 [apache2_modules_deflate]: DoS (CVE-2009-1891)
Summary: <www-servers/apache-2.2.11-r2 [apache2_modules_deflate]: DoS (CVE-2009-1891)
Status: RESOLVED FIXED
Alias: CVE-2009-1891
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://svn.apache.org/viewvc?view=re...
Whiteboard: A3 [glsa]
Keywords:
Depends on: 276589
Blocks:
Reported: 2009-07-06 16:48 UTC by Alex Legler (RETIRED)
Modified: 2009-07-12 15:23 UTC (History)


Attachments
apache-CVE-2009-1891.patch (apache-CVE-2009-1891.patch,1.02 KB, patch)
2009-07-06 16:49 UTC, Alex Legler (RETIRED)

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-06 16:48:38 UTC
SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other 
modules, by forcing the server to consume CPU time in compressing a 
large file after a client disconnects.  [Joe Orton, Ruediger Pluem]

More details:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-06 16:49:57 UTC
Created attachment 196924 [details, diff]
apache-CVE-2009-1891.patch

Patch as applied to trunk in upstream SVN rev 791454.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-07 09:51:09 UTC
Fixed in 2.2.11-r2, ready for stabilization; bug 276589 should probably be closed in favor of this one.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-10 16:36:03 UTC
CVE-2009-1891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1891):
  The mod_deflate module in Apache httpd 2.2.11 and earlier compresses
  large files until completion even after the associated network
  connection is closed, which allows remote attackers to cause a denial
  of service (CPU consumption).
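
The failure mode in the CVE text above, as an added illustration that is not the upstream patch or any code from this bug. It is a constructed Python model (the `Client` class, the `serve` function and the 64 KiB chunk size are assumptions) that measures how much input is still compressed after the peer closes, with and without an abort check in the compression loop.

```python
import zlib

CHUNK = 64 * 1024  # assumed size of each piece handed to the compressor


class Client:
    """Constructed stand-in for a connection that closes after a few writes."""

    def __init__(self, writes_before_close):
        self.remaining = writes_before_close
        self.aborted = False

    def write(self, data):
        if self.remaining == 0:
            self.aborted = True   # peer is gone; record it on the connection
            return False
        self.remaining -= 1
        return True


def serve(body, client, check_abort):
    """Compress body chunk by chunk; return the number of input bytes compressed."""
    comp = zlib.compressobj()
    compressed_input = 0
    for off in range(0, len(body), CHUNK):
        if check_abort and client.aborted:
            break                 # stop spending CPU on a dead connection
        chunk = body[off:off + CHUNK]
        # Z_SYNC_FLUSH forces output for every chunk so each one is written out.
        out = comp.compress(chunk) + comp.flush(zlib.Z_SYNC_FLUSH)
        compressed_input += len(chunk)
        client.write(out)         # without the check, a failed write is ignored
    return compressed_input


if __name__ == "__main__":
    body = bytes(range(256)) * 4096           # constructed 1 MiB response body
    for check in (False, True):
        done = serve(body, Client(writes_before_close=2), check_abort=check)
        print(f"abort check={check}: compressed {done} of {len(body)} bytes")
```

Without the check the whole body is compressed although only two writes reached the client; with it, work stops one chunk after the first failed write.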

Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-12 15:23:55 UTC
GLSA 200907-04, thanks everyone.