On Sun, Jun 28, 2009 at 08:20:20PM +0200, Stefan Fritsch wrote:
> we have received a bug report [1] that a DoS is possible with
> mod_deflate since it does not stop to compress large files even after
> the network connection has been closed. This allows to use large
> amounts of CPU if there is a largish (>10 MB) file available that has
> mod_deflate enabled.

Thanks for posting the report. This issue has been assigned CVE-2009-1891. On the security list, Ruediger suggested these fixes, which I've proposed for inclusion in 2.2.x:

http://people.apache.org/~jorton/CVE-2009-1891.1.diff
http://people.apache.org/~jorton/CVE-2009-1891.2.diff

along with a third fix which concerned event MPM write completion - AFAICT that is not relevant on the 2.2.x branch.

Regards, Joe
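
The behaviour in the quoted report, modelled as an added example that is not part of this thread and is not the patch linked above: a chunked compressor that either ignores or honours a connection-aborted flag, so the difference in compression work can be measured. `Connection`, `serve_compressed`, the chunk size and the sample body are hypothetical and constructed for illustration; they are not Apache APIs.

```python
import zlib

CHUNK = 64 * 1024  # constructed chunk size, standing in for one unit of output


class Connection:
    """Hypothetical stand-in for a client connection (not Apache's conn_rec)."""

    def __init__(self, abort_after_chunks):
        self.abort_after_chunks = abort_after_chunks
        self.sent_chunks = 0
        self.aborted = False

    def write(self, data):
        # Once the client has gone away, the write fails and the flag stays set.
        if self.sent_chunks >= self.abort_after_chunks:
            self.aborted = True
            return False
        self.sent_chunks += 1
        return True


def serve_compressed(body, conn, check_aborted):
    """Compress body chunk by chunk; return how many input bytes were compressed."""
    comp = zlib.compressobj()
    compressed_input = 0
    for off in range(0, len(body), CHUNK):
        if check_aborted and conn.aborted:
            break  # stop spending CPU on a client that is no longer there
        chunk = body[off:off + CHUNK]
        out = comp.compress(chunk) + comp.flush(zlib.Z_SYNC_FLUSH)
        compressed_input += len(chunk)
        conn.write(out)
    return compressed_input


if __name__ == "__main__":
    # Constructed 12 MiB body, matching the ">10 MB" size mentioned in the report.
    body = b"constructed sample line\n" * (12 * 1024 * 1024 // 24)
    for check in (False, True):
        done = serve_compressed(body, Connection(abort_after_chunks=2), check)
        print(f"check_aborted={check}: compressed {done} of {len(body)} bytes")
```
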