Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4F330E66.4030507@redhat.com>
Date: Wed, 08 Feb 2012 17:08:06 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Muehlenhoff <jmm@...ian.org>
Subject: Re: CVE request: apr - Hash DoS vulnerability

On 02/08/2012 10:26 AM, Moritz Muehlenhoff wrote:
> Hi,
> APR (Apache Portable Runtime) is affected by the hash collision DoS 
> class, please assign a CVE ID:
> 
> The upstream discussion can be found here:
> http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html
> 
> Cheers,
>         Moritz

Please use CVE-2012-0840 for this issue.

They posted a first attempt at a fix:
http://www.mail-archive.com/dev%40apr.apache.org/msg24473.html

Actual commit:
http://mail-archives.apache.org/mod_mbox/apr-commits/201201.mbox/%3C20120115003715.071D423888FD@eris.apache.org%3E

Reply about this commit:
r1231605 and r1231858 cause massive regressions and test case failures
in httpd.

so probably not the final fix.

If someone could reply to this with the final fix that'd be helpful.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.