Hello William.

You mentioned APR causing a DoS; how about the execution of arbitrary code through apache, as the CVE says?

Thank you,
Daniel

On Thu, Sep 10, 2009 at 6:54 PM, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> David Taveras wrote:
> >
> > I run apache 2.2.9 & apache 2.2.11 both with apr-1.2.11p2 &
> > apr-util-1.2.10p2
> >
> > According to the CVE at
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412 only 0.9.x
> > and 1.3.x are affected. Could anybody confirm that this is so? If
> > not, how bad is this vulnerability to a user? Would mod_security help
> > for this?
>
> [cc'ing dev@ to point out this error]
>
> The description of the CVE is wildly wrong.
>
> There is no known exploit of these flaws relative to Apache httpd itself.
> The version numbers you reference refer to APR, so this is applicable to
> all distributions of httpd 2.x (2.0 included 0.9, 2.2 included 1.3).
>
> Third party modules might be affected; other projects or products using APR
> may be affected; one project is known to be affected.
>
> However, any code which is affected remains vulnerable, in that these
> bugs would only be triggered by using untainted/untrusted input as the
> memory allocation size. Any affected application would be subject to
> memory exhaustion DoS vectors until the code properly detaints the input
> which determines the size of memory allocations.
>
> This was granted a CVE strictly on the basis that the effects of the flaw
> may unexpectedly be worse than expected; the affected code may unexpectedly
> continue, rather than failing or segfaulting as expected, based on design.
>
> Finally, mod_security is very unlikely to have any effect whatsoever on
> this group of issues. Input into httpd is already constrained in terms
> of size before these calls to APR occur, so this is unlikely to affect
> typical httpd modules. Non-HTTP protocols, or HTTP implementations other
> than httpd are more likely to be affected, again depending upon the code
> used and caution exercised by the developer.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>    from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
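As an added illustration (not code from this thread, from httpd or from APR), this is the kind of "detaint the allocation size" check William's reply says affected code needs, in plain C: it rejects size_t wrap-around, which is how a computed size can come out tiny and let the code continue past a too-small buffer instead of failing, and it rejects sizes above a ceiling, which is the memory-exhaustion DoS case. The function names and the 1 MiB limit are assumptions chosen for the example.

```c
/* Added example: validating an allocation size derived from untrusted
 * input before it reaches the allocator. Not APR code; names and the
 * limit below are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Largest single allocation one request may ask for (constructed policy). */
#define MAX_REQUEST_ALLOC ((size_t)1 << 20)   /* 1 MiB */

/* Compute count * elem + overhead from untrusted values, refusing both
 * size_t wrap-around and anything over the ceiling.
 * Returns 1 and stores the byte count on success, 0 on rejection. */
int detaint_alloc_size(size_t count, size_t elem, size_t overhead, size_t *out)
{
    size_t bytes;
    if (elem != 0 && count > SIZE_MAX / elem)   /* product would wrap */
        return 0;
    bytes = count * elem;
    if (bytes > SIZE_MAX - overhead)            /* sum would wrap */
        return 0;
    bytes += overhead;
    if (bytes > MAX_REQUEST_ALLOC)              /* bounded: no exhaustion */
        return 0;
    *out = bytes;
    return 1;
}

/* Allocate a buffer whose size comes from untrusted input;
 * returns NULL when the size is rejected, never a silently short buffer. */
void *alloc_from_untrusted(size_t count, size_t elem, size_t overhead)
{
    size_t bytes;
    if (!detaint_alloc_size(count, elem, overhead, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    size_t n = 0;
    /* Constructed input: a count chosen so count * 16 wraps size_t to 0. */
    size_t wrap_count = SIZE_MAX / 16 + 1;
    printf("wrapping product rejected: %d\n", !detaint_alloc_size(wrap_count, 16, 8, &n));
    printf("oversized request rejected: %d\n", !detaint_alloc_size(MAX_REQUEST_ALLOC, 2, 0, &n));
    printf("sane request accepted: %d (bytes=%zu)\n", detaint_alloc_size(100, 16, 8, &n), n);
    return 0;
}
```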