apr_fnmatch() function of <dev-libs/apr-1.4.4 is vulnerable to Denial of Service. This vulnerability affects e.g. mod_autoindex from www-servers/apache.
Stabilize: dev-libs/apr-1.4.4 dev-libs/apr-util-1.3.11
amd64 ok
amd64 done. Thanks Agostino
x86 stable
Like this: Arch teams, please test and mark stable: =dev-libs/apr-1.4.4 =dev-libs/apr-util-1.3.11 Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" Thank you.
Stable for HPPA.
ppc/ppc64 stable
alpha/arm/ia64/s390/sh/sparc stable
Thanks, folks. GLSA request filed.
CVE-2011-0419 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0419): Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.
The problem is solved in the released apr-1.4.5. Please put it in portage.
I have finally gdb-identified this as being the source of my Apache worker endless-loop CPU-hogging behavior. Any reason why these packages aren't marked stable yet?
This issue was resolved and addressed in GLSA 201405-24 at http://security.gentoo.org/glsa/glsa-201405-24.xml by GLSA coordinator Sean Amoss (ackle).