oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: apr - Hash DoS vulnerability

From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 08 Feb 2012 17:08:06 -0700
On 02/08/2012 10:26 AM, Moritz Muehlenhoff wrote:

Hi,
APR (Apache Portable Runtime) is affected by the hash collision DoS 
class, please assign a CVE ID:

The upstream discussion can be found here:
http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html

Cheers,
        Moritz


Please use CVE-2012-0840 for this issue.

They posted a first attempt at a fix:
http://www.mail-archive.com/dev%40apr.apache.org/msg24473.html

Actual commit:
http://mail-archives.apache.org/mod_mbox/apr-commits/201201.mbox/%3C20120115003715.071D423888FD () eris apache org%3E

Reply about this commit:
r1231605 and r1231858 cause massive regressions and test case failures
in httpd.

so probably not the final fix.

If someone could reply to this with the final fix that'd be helpful.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
Previous By Date Next
Previous By Thread Next

Current thread: