SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. [Joe Orton, Ruediger Pluem] More details: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712
Created attachment 196924: apache-CVE-2009-1891.patch. Patch as applied to trunk in upstream SVN rev 791454.
Fixed in 2.2.11-r2, ready for stabilization. Bug 276589 should probably be closed in favor of this one.
CVE-2009-1891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1891): The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption).
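The behaviour described in the CVE text, as an added model that is not Apache's code or the upstream patch: a chunked compression loop that keeps working after the client disconnects, next to one that checks an aborted flag before each chunk. `Connection`, `send_deflated` and the response body are hypothetical and constructed for illustration.

```python
import zlib

CHUNK = 64 * 1024

class Connection:
    """Hypothetical client connection; `aborted` models the flag set on disconnect."""
    def __init__(self, disconnect_after):
        self.disconnect_after = disconnect_after  # successful writes before the client leaves
        self.writes = 0
        self.aborted = False

    def write(self, data):
        if self.writes >= self.disconnect_after:
            self.aborted = True   # write failed: the peer is gone
            return False
        self.writes += 1
        return True

def body(n_chunks):
    """Constructed response body: n_chunks blocks of CHUNK bytes."""
    for i in range(n_chunks):
        yield bytes([i & 0xFF]) * CHUNK

def send_deflated(conn, source, check_aborted):
    """Compress and send `source`; return how many input bytes were compressed."""
    comp = zlib.compressobj()
    compressed_input = 0
    for chunk in source:
        if check_aborted and conn.aborted:
            return compressed_input          # stop spending CPU on a dead connection
        out = comp.compress(chunk) + comp.flush(zlib.Z_SYNC_FLUSH)
        compressed_input += len(chunk)
        conn.write(out)                      # without the check, failures are ignored
    if not (check_aborted and conn.aborted):
        conn.write(comp.flush())
    return compressed_input

def demo(n_chunks=64, disconnect_after=2):
    """Return (bytes compressed without the check, bytes compressed with it)."""
    before = send_deflated(Connection(disconnect_after), body(n_chunks), False)
    after = send_deflated(Connection(disconnect_after), body(n_chunks), True)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print(f"without check: {before} bytes compressed; with check: {after}")
```

With the check, the work done after a disconnect is bounded by one chunk instead of the remaining size of the file.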
GLSA 200907-04, thanks everyone.