From $URL: Sébastien Bocahu reported to the security team: > (...) > A single request makes Apache segfault. On some of the environments I tested, > it even kills all Apache processes (they become zombies). > > I tested three environments, all of them running Debian squeeze with latests > Apache and mod_rpaf packages, MPM prefork only, behind haproxy. > > To what I understand, there is a bug in version 0.5 of mod_rpaf, but the IPv6 > patch that was applied by Debian exposes Apache to segfaults under specific > crafted requests. > > The magick request is the following: > curl -H "x-forwarded-for: 1'\"5000" -H "Host: a.vhost.example.com" > reverseproxy > > Apache processes will segfault, hence a potential DOS issue. > > I have taken notes for myself and people I am working with. > You can find these notes on > http://zecrazytux.net/troubleshooting/apache2-segfault-debugging-tutorial > > From my experiments, version 0.6 fixes the issue (IPv6 patched or unpatched).
Security please vote
Thanks, folks. GLSA Vote: yes.
CVE-2012-3526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3526): The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Apache HTTP Server allows remote attackers to cause a denial of service (server or application crash) via multiple X-Forwarded-For headers in a request.
GLSA vote: yes. GLSA request filed.
This issue was resolved and addressed in GLSA 201209-20 at http://security.gentoo.org/glsa/glsa-201209-20.xml by GLSA coordinator Sean Amoss (ackle).
