oss-sec mailing list archives

Re: CVE request: "billion laughs" attack against Apache APR

From: "Steven M. Christey" <coley () linus mitre org>
Date: Sat, 6 Jun 2009 13:47:45 -0400 (EDT)


======================================================
Name: CVE-2009-1955
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
Reference: MILW0RM:8842
Reference: URL:http://www.milw0rm.com/exploits/8842
Reference: MLIST:[apr-dev] 20090602 [PATCH] prevent "billion laughs" attack against expat
Reference: URL:http://marc.info/?l=apr-dev&m=124396021826125&w=2
Reference: MLIST:[oss-security] 20090603 CVE request: "billion laughs" attack against Apache APR
Reference: URL:http://www.openwall.com/lists/oss-security/2009/06/03/4
Reference: CONFIRM:http://svn.apache.org/viewvc?view=rev&revision=781403
Reference: CONFIRM:http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
Reference: DEBIAN:DSA-1812
Reference: URL:http://www.debian.org/security/2009/dsa-1812
Reference: SECUNIA:35284
Reference: URL:http://secunia.com/advisories/35284
Reference: SECUNIA:35360
Reference: URL:http://secunia.com/advisories/35360

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn
modules in the Apache HTTP Server, allows remote attackers to cause a
denial of service (memory consumption) via a crafted XML document
containing a large number of nested entity references, as demonstrated
by a PROPFIND request, a similar issue to CVE-2003-1564.

Current thread:

CVE request: "billion laughs" attack against Apache APR Joe Orton (Jun 03)
- Re: CVE request: "billion laughs" attack against Apache APR Eygene Ryabinkin (Jun 06)
  - Re: CVE request: "billion laughs" attack against Apache APR Joe Orton (Jun 11)
- Re: CVE request: "billion laughs" attack against Apache APR Steven M. Christey (Jun 06)