Package: libapr1
Version: 1.4.2-8
Severity: important
Tags: upstream
Hello,
We have found that the last security update (1.4.2-6+squeeze1, 1.2.12-5+lenny3)
causes apr_fnmatch to enter an infinite loop, on particular patters.
For instance, with the following configuration directive:
<Location "/*/WEB-INF/">
deny from all
</Location>
if someone visits any URL, an apache2 thread will start consuming 100% CPU.
This is introduced by the backport
debian/patches/028_fnmatch_CVE-2011-0419.dpatch, but it can be reproduced with the vanilla apr.
Regards,
--
,--.
: /` ) Tanguy Ortolo <xmpp:tanguy@ortolo.eu> <irc://irc.oftc.net/Elessar>
| `-' Debian Maintainer
\_
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libapr1 depends on:
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libuuid1 2.17.2-9.1 Universally Unique ID library
libapr1 recommends no packages.
libapr1 suggests no packages.
-- no debconf information
Attachment:
signature.asc
Description: Digital signature