[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE request: "billion laughs" attack against
From: Joe Orton <jorton () apache ! org>
Date: 2009-06-11 11:24:29
Message-ID: 20090611112429.GA5540 () redhat ! com
[Download RAW message or body]
On Sat, Jun 06, 2009 at 08:00:20PM +0400, Eygene Ryabinkin wrote:
> Please, note that these two issues and CVE-2009-0023 seem to be
> applicable to Apache 2.2.11 and Apache 2.0.63 (latest 2.x versions),
> since they have bundled apr-util inside. At least both have the
> vulnerable code and I had verified the "billion laughs" attack against
> Apache 2.2.11 with Subversion mod_dav_svn that uses internal Apache
> libaprutil. OS for testing was FreeBSD, but I think that others are
> affected as well.
>
> CC'ing Apache security contacts in case they aren't informed about this
> issue yet. Folks, may be I am wrong in my assertions?
It is correct to say that installations of current releases of Apache
httpd - versions <= 2.0.63 and <= 2.2.11 - which are built using the
bundled copy of APR-util, may be affected by the three APR-util issues,
depending on the configuration and set of modules used. Note that
Apache httpd 2.x can also be built using standalone installations of APR
and APR-util.
We're not aware of any way to trigger CVE-2009-0023 remotely using the
set of modules included in httpd itself. It may be possible to trigger
both CVE-2009-1956 and CVE-2009-1955 if mod_dav is configured.
Regards, Joe
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic