Package: libapr1
Version: 1.4.2-8
Severity: important
Tags: upstream

Hello,

We have found that the last security update (1.4.2-6+squeeze1, 1.2.12-5+lenny3) causes apr_fnmatch to enter an infinite loop, on particular patterns. For instance, with the following configuration directive:

    <Location "/*/WEB-INF/">
        deny from all
    </Location>

if someone visits any URL, an apache2 thread will start consuming 100% CPU.

This is introduced by the backport debian/patches/028_fnmatch_CVE-2011-0419.dpatch, but it can be reproduced with the vanilla apr.

Regards,

-- 
 ,--.
: /` )   Tanguy Ortolo <xmpp:tanguy@ortolo.eu> <irc://irc.oftc.net/Elessar>
| `-'    Debian Maintainer
 \_

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapr1 depends on:
ii  libc6      2.13-4       Embedded GNU C Library: Shared lib
ii  libuuid1   2.17.2-9.1   Universally Unique ID library

libapr1 recommends no packages.

libapr1 suggests no packages.

-- no debconf information
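The report above concerns a wildcard matcher that stops terminating on a pattern such as "/*/WEB-INF/". As an added illustration of the property a defender wants from such a matcher (it is not apr_fnmatch, Debian or APR code, and it supports only `*` and `?`), the following C program implements the classic iterative glob algorithm with a single backtrack point: every loop iteration advances the pattern position, the subject position, or the span the most recent `*` covers, so the work is bounded by |pattern| x |subject| and the loop cannot spin. The `pathname` flag, which stops `*` and `?` from matching `/`, mirrors the POSIX fnmatch FNM_PATHNAME semantics; the function name, the flag and the sample URLs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * glob_match: match `str` against a glob pattern `pat` containing
 * literal characters, '?' (any single character) and '*' (any run of
 * characters, including empty).  When `pathname` is true, neither
 * wildcard may match '/', as with POSIX FNM_PATHNAME.
 *
 * Termination argument: `s` never moves backwards except to `star_s`,
 * and `star_s` only ever increases.  Each iteration therefore either
 * consumes pattern input, consumes subject input, or pushes `star_s`
 * one character forward, so the loop runs at most |pat| * |str| times.
 */
bool glob_match(const char *pat, const char *str, bool pathname)
{
    const char *p = pat;
    const char *s = str;
    const char *star_p = NULL;   /* pattern position just after the last '*' */
    const char *star_s = NULL;   /* first subject char not yet covered by that '*' */

    while (*s != '\0') {
        if (*p == '*') {
            /* Let '*' match the empty string for now; remember where to
             * resume if the remainder of the pattern fails. */
            star_p = ++p;
            star_s = s;
            continue;
        }

        bool single_ok;
        if (*p == '?')
            single_ok = !(pathname && *s == '/');
        else
            single_ok = (*p == *s);   /* also false when *p == '\0' */

        if (single_ok) {
            p++;
            s++;
            continue;
        }

        /* Mismatch: widen the most recent '*' by one character, unless
         * there is no '*' to widen or it would have to swallow a '/'. */
        if (star_p != NULL && !(pathname && *star_s == '/')) {
            s = ++star_s;
            p = star_p;
            continue;
        }
        return false;
    }

    /* Subject exhausted: only trailing '*'s may remain in the pattern. */
    while (*p == '*')
        p++;
    return *p == '\0';
}

int main(void)
{
    /* Constructed sample request paths checked against the pattern from the report. */
    const char *pattern = "/*/WEB-INF/";
    const char *paths[] = {
        "/app/WEB-INF/",      /* one segment between the slashes: matches */
        "/a/b/WEB-INF/",      /* two segments: matches only when '*' may span '/' */
        "/WEB-INF/",          /* '*' would have to produce "//": no match */
        "/index.html",        /* unrelated path: no match */
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        printf("%-16s pathname=0:%d pathname=1:%d\n", paths[i],
               glob_match(pattern, paths[i], false),
               glob_match(pattern, paths[i], true));
    }
    return 0;
}
```

Because the matcher is written so that each step provably makes progress, a pattern that triggers unexpected behaviour can only produce a wrong boolean, never a hung worker; a unit test over a handful of paths, like the one in main(), is enough to catch the former, whereas the latter only shows up as a CPU-bound thread in production.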