oss-sec mailing list archives
Re: CVE request: "billion laughs" attack against Apache APR
From: Joe Orton <jorton () apache org>
Date: Thu, 11 Jun 2009 12:24:29 +0100
On Sat, Jun 06, 2009 at 08:00:20PM +0400, Eygene Ryabinkin wrote:
Please, note that these two issues and CVE-2009-0023 seem to be applicable to Apache 2.2.11 and Apache 2.0.63 (latest 2.x versions), since they have bundled apr-util inside. At least both have the vulnerable code and I had verified the "billion laughs" attack against Apache 2.2.11 with Subversion mod_dav_svn that uses internal Apache libaprutil. OS for testing was FreeBSD, but I think that others are affected as well. CC'ing Apache security contacts in case they aren't informed about this issue yet. Folks, may be I am wrong in my assertions?
It is correct to say that installations of current releases of Apache httpd - versions <= 2.0.63 and <= 2.2.11 - which are built using the bundled copy of APR-util, may be affected by the three APR-util issues, depending on the configuration and set of modules used. Note that Apache httpd 2.x can also be built using standalone installations of APR and APR-util. We're not aware of any way to trigger CVE-2009-0023 remotely using the set of modules included in httpd itself. It may be possible to trigger both CVE-2009-1956 and CVE-2009-1955 if mod_dav is configured. Regards, Joe
Current thread:
- CVE request: "billion laughs" attack against Apache APR Joe Orton (Jun 03)
- Re: CVE request: "billion laughs" attack against Apache APR Eygene Ryabinkin (Jun 06)
- Re: CVE request: "billion laughs" attack against Apache APR Joe Orton (Jun 11)
- Re: CVE request: "billion laughs" attack against Apache APR Steven M. Christey (Jun 06)
- Re: CVE request: "billion laughs" attack against Apache APR Eygene Ryabinkin (Jun 06)