[<prev] [next>] [<thread-prev] [month] [year] [list]
Date: Thu, 11 Jun 2009 12:24:29 +0100
From: Joe Orton <jorton@...che.org>
To: Eygene Ryabinkin <rea-sec@...elabs.ru>
Cc: oss-security@...ts.openwall.com,
"Steven M. Christey" <coley@...us.mitre.org>, coley@...re.org,
security@...che.org
Subject: Re: CVE request: "billion laughs" attack against
Apache APR
On Sat, Jun 06, 2009 at 08:00:20PM +0400, Eygene Ryabinkin wrote:
> Please, note that these two issues and CVE-2009-0023 seem to be
> applicable to Apache 2.2.11 and Apache 2.0.63 (latest 2.x versions),
> since they have bundled apr-util inside. At least both have the
> vulnerable code and I had verified the "billion laughs" attack against
> Apache 2.2.11 with Subversion mod_dav_svn that uses internal Apache
> libaprutil. OS for testing was FreeBSD, but I think that others are
> affected as well.
>
> CC'ing Apache security contacts in case they aren't informed about this
> issue yet. Folks, may be I am wrong in my assertions?
It is correct to say that installations of current releases of Apache
httpd - versions <= 2.0.63 and <= 2.2.11 - which are built using the
bundled copy of APR-util, may be affected by the three APR-util issues,
depending on the configuration and set of modules used. Note that
Apache httpd 2.x can also be built using standalone installations of APR
and APR-util.
We're not aware of any way to trigger CVE-2009-0023 remotely using the
set of modules included in httpd itself. It may be possible to trigger
both CVE-2009-1956 and CVE-2009-1955 if mod_dav is configured.
Regards, Joe
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux