
Bug#536718: apache2: CVE-2009-1890 denial-of-service vulnerability



Package: apache2
Version: 2.2.3-4+etch6
Severity: serious
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for apache2.

CVE-2009-1890[0]:
| The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
| module in the Apache HTTP Server before 2.3.3, when a reverse proxy is
| configured, does not properly handle an amount of streamed data that
| exceeds the Content-Length value, which allows remote attackers to
| cause a denial of service (CPU consumption) via crafted requests.

Patches are available [0].  Please coordinate with the security team to
prepare updates for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
    http://security-tracker.debian.net/tracker/CVE-2009-1890


