SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects. [Joe Orton, Ruediger Pluem]
Created attachment 196924
Patch as applied to trunk in upstream SVN rev 791454.
Fixed in 2.2.11-r2, ready for stabilization; bug 276589 should probably be closed in favor of this one.
The mod_deflate module in Apache httpd 2.2.11 and earlier compresses
large files until completion even after the associated network
connection is closed, which allows remote attackers to cause a denial
of service (CPU consumption).
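An added illustration of the behaviour the CVE description above names (not Apache httpd code and not the upstream patch): a chunked compression loop that runs to completion after the client disconnects, next to the same loop with an abort check before each chunk. The `Connection` class, `serve_compressed`, the chunk size and the sample body are all constructed for this example.

```python
import zlib

CHUNK = 8192  # bytes handed to the compressor per iteration (assumed size)


class Connection:
    """Constructed stand-in for a client connection with an 'aborted' flag."""

    def __init__(self, disconnect_after):
        self.disconnect_after = disconnect_after  # writes accepted before the peer vanishes
        self.sent = 0
        self.aborted = False

    def write(self, data):
        if self.sent >= self.disconnect_after:
            self.aborted = True  # write fails: the client has gone away
            return
        self.sent += 1


def serve_compressed(body, conn, check_abort):
    """Compress body chunk by chunk; return how many input bytes were compressed."""
    comp = zlib.compressobj()
    compressed_in = 0
    for off in range(0, len(body), CHUNK):
        if check_abort and conn.aborted:
            break  # hardened path: stop spending CPU on a dead connection
        chunk = body[off:off + CHUNK]
        out = comp.compress(chunk) + comp.flush(zlib.Z_SYNC_FLUSH)
        compressed_in += len(chunk)
        conn.write(out)  # without the check, a failed write changes nothing
    return compressed_in


def demo():
    """Return (bytes compressed without check, bytes compressed with check)."""
    body = bytes(range(256)) * (CHUNK // 256) * 100  # constructed 100-chunk "large file"
    unchecked = serve_compressed(body, Connection(disconnect_after=2), check_abort=False)
    checked = serve_compressed(body, Connection(disconnect_after=2), check_abort=True)
    return unchecked, checked


if __name__ == "__main__":
    unchecked, checked = demo()
    print(f"no abort check: {unchecked} bytes compressed after client left early")
    print(f"abort check:    {checked} bytes compressed before stopping")
```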
GLSA 200907-04, thanks everyone.