Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 276426 (CVE-2009-1890) - <www-servers/apache-2.2.11-r1 [apache2_modules_proxy_http]: Reverse Proxy DoS (CVE-2009-1890)
Summary: <www-servers/apache-2.2.11-r1 [apache2_modules_proxy_http]: Reverse Proxy DoS...
Alias: CVE-2009-1890
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 276589
  Show dependency tree
Reported: 2009-07-04 07:56 UTC by Alex Legler (RETIRED)
Modified: 2009-07-12 15:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

apache-CVE-2009-1890.patch (apache-CVE-2009-1890.patch,1.54 KB, patch)
2009-07-04 07:58 UTC, Alex Legler (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-04 07:56:47 UTC
From Secunia:

A vulnerability has been reported in the Apache mod_proxy module, which can be exploited by malicious people to potentially cause a DoS (Denial of Service).

An error exists in the mod_proxy module when functioning in reverse proxy mode. This can be exploited to consume large amounts of CPU in an affected proxy process via specially crafted proxy requests.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-04 07:58:59 UTC
Created attachment 196584 [details, diff]

Changeset as applied to trunk in upstream SVN, rev 790587.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-05 16:12:53 UTC
patch added to 2.2.11-r1, stabilization should probably be done in a new bug, since multiple issues have been fixed with 2.2.11-r1
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-05 16:35:20 UTC
Thanks, stabilization handled in 276589.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-10 16:35:50 UTC
CVE-2009-1890 (
  The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
  module in the Apache HTTP Server before 2.3.3, when a reverse proxy
  is configured, does not properly handle an amount of streamed data
  that exceeds the Content-Length value, which allows remote attackers
  to cause a denial of service (CPU consumption) via crafted requests.

Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-12 15:23:43 UTC
GLSA 200907-04, thanks everyone.