oss-sec mailing list archives
Re: CVE request: apr - Hash DoS vulnerability
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 08 Feb 2012 17:08:06 -0700
On 02/08/2012 10:26 AM, Moritz Muehlenhoff wrote:
Hi, APR (Apache Portable Runtime) is affected by the hash collision DoS class, please assign a CVE ID: The upstream discussion can be found here: http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html Cheers, Moritz
Please use CVE-2012-0840 for this issue. They posted a first attempt at a fix: http://www.mail-archive.com/dev%40apr.apache.org/msg24473.html Actual commit: http://mail-archives.apache.org/mod_mbox/apr-commits/201201.mbox/%3C20120115003715.071D423888FD () eris apache org%3E Reply about this commit: r1231605 and r1231858 cause massive regressions and test case failures in httpd. so probably not the final fix. If someone could reply to this with the final fix that'd be helpful. -- Kurt Seifried Red Hat Security Response Team (SRT)
Current thread:
- CVE request: apr - Hash DoS vulnerability Moritz Muehlenhoff (Feb 08)
- Re: CVE request: apr - Hash DoS vulnerability Kurt Seifried (Feb 08)