From secunia security advisory at $URL: Description: The vulnerability is caused due to the "apr_pregsub()" function (server/utils.c) not properly limiting the maximum size of environment variable values, which can be exploited to e.g. cause a huge memory consumption via a specially crafted ".htaccess" file. The vulnerability is reported in versions 2.0.64 and 2.2.21. Other versions may also be affected. Solution: Not patched atm. NOTE: this bug is different from bug 389353 (CVE-2011-3607)
CVE-2011-4415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4415): The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.
Additional info: https://bugzilla.novell.com/show_bug.cgi?id=729183 I'd vote NO here and simply close it.
Vote: NO. Closing noglsa.
