Bug 276792 (CVE-2009-1891) - <www-servers/apache-2.2.11-r2 [apache2_modules_deflate]: DoS (CVE-2009-1891)
Summary: <www-servers/apache-2.2.11-r2 [apache2_modules_deflate]: DoS (CVE-2009-1891)
Alias: CVE-2009-1891
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on: 276589
Reported: 2009-07-06 16:48 UTC by Alex Legler (RETIRED)
Modified: 2009-07-12 15:23 UTC (History)

See Also:
Package list:
Runtime testing required: ---

apache-CVE-2009-1891.patch (apache-CVE-2009-1891.patch,1.02 KB, patch)
2009-07-06 16:49 UTC, Alex Legler (RETIRED)

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-06 16:48:38 UTC
SECURITY: CVE-2009-1891 (
Fix a potential Denial-of-Service attack against mod_deflate or other 
modules, by forcing the server to consume CPU time in compressing a 
large file after a client disconnects.  [Joe Orton, Ruediger Pluem]

More details:
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-06 16:49:57 UTC
Created attachment 196924 [details, diff]

Patch as applied to trunk in upstream SVN rev 791454.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-07 09:51:09 UTC
fixed in 2.2.11-r2, ready for stabilization, bug 276589 should probably be closed in favor of this one.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-10 16:36:03 UTC
CVE-2009-1891 (
  The mod_deflate module in Apache httpd 2.2.11 and earlier compresses
  large files until completion even after the associated network
  connection is closed, which allows remote attackers to cause a denial
  of service (CPU consumption).

Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-12 15:23:55 UTC
GLSA 200907-04, thanks everyone.