Sébastien Bocahu reported to the security team:
> A single request makes Apache segfault. On some of the environments I tested,
> it even kills all Apache processes (they become zombies).
> I tested three environments, all of them running Debian squeeze with the latest
> Apache and mod_rpaf packages, MPM prefork only, behind haproxy.
> As far as I understand, there is a bug in version 0.5 of mod_rpaf, but the IPv6
> patch that was applied by Debian exposes Apache to segfaults under specific
> crafted requests.
> The magic request is the following:
> curl -H "x-forwarded-for: 1'\"5000" -H "Host: a.vhost.example.com"
> Apache processes will segfault, hence a potential DoS issue.
> I have taken notes for myself and people I am working with.
> You can find these notes on
> From my experiments, version 0.6 fixes the issue (IPv6 patched or unpatched).
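The report above is about a module that trusts the X-Forwarded-For value a client sends. The function below is an added example, written for this page and not taken from mod_rpaf or Debian: it shows the defensive shape such a parser should have, accepting any number of header values (a client may send several X-Forwarded-For headers, or one comma-joined list), copying only into bounded buffers, and validating every token with `inet_pton` so that a malformed value like the constructed `1'"5000` is skipped rather than acted on. The header values in `main` are constructed sample input.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_XFF_TOKEN 256  /* assumption: no legitimate address token is longer */

/* Returns 1 if token parses as an IPv4 or IPv6 literal, 0 otherwise. */
static int is_valid_ip(const char *token) {
    unsigned char buf[16];
    return inet_pton(AF_INET, token, buf) == 1 ||
           inet_pton(AF_INET6, token, buf) == 1;
}

/* Walks every supplied X-Forwarded-For header value, splits on commas,
 * trims whitespace, and validates each token. The last valid address is
 * written into out (NUL-terminated, never overflowing outlen). Garbage or
 * oversized tokens are skipped. Returns the number of valid addresses seen. */
int parse_xff(const char *const *headers, size_t nheaders,
              char *out, size_t outlen) {
    int found = 0;
    if (outlen > 0) out[0] = '\0';

    for (size_t h = 0; h < nheaders; h++) {
        const char *p = headers[h];
        while (*p) {
            /* skip separators and leading whitespace */
            while (*p == ',' || isspace((unsigned char)*p)) p++;
            if (!*p) break;

            const char *start = p;
            while (*p && *p != ',') p++;
            const char *end = p;
            while (end > start && isspace((unsigned char)end[-1])) end--;

            size_t len = (size_t)(end - start);
            char token[MAX_XFF_TOKEN];
            if (len == 0 || len >= sizeof token) continue; /* bounded: skip */
            memcpy(token, start, len);
            token[len] = '\0';

            if (is_valid_ip(token)) {
                found++;
                if (outlen > 0) {
                    strncpy(out, token, outlen - 1);
                    out[outlen - 1] = '\0';
                }
            }
        }
    }
    return found;
}

int main(void) {
    /* constructed sample input: the malformed value from the report,
     * then two headers as a client behind a proxy chain might send them */
    const char *bad[] = {"1'\"5000"};
    const char *good[] = {"203.0.113.7, junk", "2001:db8::1"};
    char out[64];

    int n = parse_xff(bad, 1, out, sizeof out);
    printf("malformed header: %d valid address(es)\n", n);

    n = parse_xff(good, 2, out, sizeof out);
    printf("proxy chain: %d valid address(es), last = %s\n", n, out);
    return 0;
}
```

The point of the example is the contract: header values are untrusted input, so every token is length-checked before it is copied and syntax-checked before it is used, and the function degrades to "no address found" instead of faulting when the input is nonsense.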
Security please vote
Thanks, folks. GLSA Vote: yes.
The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Apache
HTTP Server allows remote attackers to cause a denial of service (server or
application crash) via multiple X-Forwarded-For headers in a request.
GLSA vote: yes.
GLSA request filed.
This issue was resolved and addressed in
GLSA 201209-20 at http://security.gentoo.org/glsa/glsa-201209-20.xml
by GLSA coordinator Sean Amoss (ackle).