Re: CVE request: "billion laughs" attack against Apache APR

[Joe Orton <jorton () apache org>]

On Sat, Jun 06, 2009 at 08:00:20PM +0400, Eygene Ryabinkin wrote:
> Please, note that these two issues and CVE-2009-0023 seem to be
> applicable to Apache 2.2.11 and Apache 2.0.63 (latest 2.x versions),
> since they have bundled apr-util inside.  At least both have the
> vulnerable code and I had verified the "billion laughs" attack against
> Apache 2.2.11 with Subversion mod_dav_svn that uses internal Apache
> libaprutil.  OS for testing was FreeBSD, but I think that others are
> affected as well.
>
> CC'ing Apache security contacts in case they aren't informed about this
> issue yet.  Folks, may be I am wrong in my assertions?

It is correct to say that installations of current releases of Apache 
httpd - versions <= 2.0.63 and <= 2.2.11 - which are built using the 
bundled copy of APR-util, may be affected by the three APR-util issues, 
depending on the configuration and set of modules used.  Note that 
Apache httpd 2.x can also be built using standalone installations of APR 
and APR-util.

We're not aware of any way to trigger CVE-2009-0023 remotely using the 
set of modules included in httpd itself.  It may be possible to trigger 
both CVE-2009-1956 and CVE-2009-1955 if mod_dav is configured.

Regards, Joe