apr-dev mailing list archives
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] About apache2 vulnerability with apr and apr-utils. How bad is it?
Date Thu, 10 Sep 2009 23:54:57 GMT
David Taveras wrote:
> 
> I run apache 2.2.9 & apache 2.2.11 both with apr-1.2.11p2 &
> apr-util-1.2.10p2
> 
> According to the CVE at
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412 only 0.9.x
> and 1.3.x are affected. Could anybody confirm that this is so? If
> not, how bad is this vulnerability to a user? Would mod_security help
> for this?

[cc'ing dev@ to point out this error]

The description of the CVE is wildly wrong.

There is no known exploit of these flaws relative to Apache httpd itself.
The version numbers you reference refer to APR, so this is applicable to
all distributions of httpd 2.x (2.0 included 0.9, 2.2 included 1.3).

Third party modules might be affected; other projects or products using APR
may be affected; one project is known to be affected.

However, any code which is affected remains vulnerable, in that these
bugs would only be triggered by using untainted/untrusted input as the
memory allocation size.  Any affected application would be subject to
memory exhaustion DoS vectors until the code properly detaints the input
which determines the size of memory allocations.

This was granted a CVE strictly on the basis that the effects of the flaw
may unexpectedly be worse than expected; the affected code may unexpectedly
continue, rather than failing or segfaulting as expected, based on design.

Finally, mod_security is very unlikely to have any effect whatsoever on
this group of issues.  Input into httpd is already constrained in terms
of size before these calls to APR occur, so this is unlikely to affect
typical httpd modules.  Non-HTTP protocols, or HTTP implementations other
than httpd are more likely to be affected, again depending upon the code
used and caution exercised by the developer.
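The "detainting" step the message describes, as an added illustration that is not part of this thread and not APR's own code: a count and element size taken from untrusted input are checked for multiplication wrap-around and capped by a policy limit before any allocator is called. The limit `MAX_UNTRUSTED_ALLOC` and all function names are hypothetical choices for this example; the unchecked variant is kept only to show why a wrapped product hands back a buffer far smaller than the caller believes it has.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on any single allocation derived from untrusted input.
   Hypothetical policy value chosen for this example, not an APR setting. */
#define MAX_UNTRUSTED_ALLOC ((size_t)16 * 1024 * 1024)

/* Unchecked computation, shown for contrast: the product silently wraps
   modulo SIZE_MAX + 1, so a huge request can come out as a tiny number. */
size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Validated computation of count * elem_size. Returns the byte total, or 0
   when the request must be refused (zero sizes, multiplication overflow, or
   a total above the policy cap). Because count == 0 is rejected, 0 is
   never a legitimate result, so callers can test for it directly. */
size_t checked_alloc_size(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0)
        return 0;
    if (count > SIZE_MAX / elem_size)      /* multiplication would wrap */
        return 0;
    size_t total = count * elem_size;
    if (total > MAX_UNTRUSTED_ALLOC)       /* memory-exhaustion guard */
        return 0;
    return total;
}

/* Allocate a zeroed buffer for `count` elements of `elem_size` bytes whose
   values came from untrusted input. Returns NULL if validation failed, so
   the allocator never sees a tainted size. */
void *alloc_from_untrusted(size_t count, size_t elem_size)
{
    size_t total = checked_alloc_size(count, elem_size);
    if (total == 0)
        return NULL;
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Convenience probe: 1 if the request would be honoured, 0 if refused.
   Frees anything it allocated. */
int probe_alloc(size_t count, size_t elem_size)
{
    void *p = alloc_from_untrusted(count, elem_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed inputs: a sane request and one engineered to wrap. */
    size_t huge = SIZE_MAX / 4 + 1;       /* times 8 wraps to exactly 0 */
    printf("100 x 8   -> checked %zu, unchecked %zu\n",
           checked_alloc_size(100, 8), unchecked_alloc_size(100, 8));
    printf("huge x 8  -> checked %zu, unchecked %zu\n",
           checked_alloc_size(huge, 8), unchecked_alloc_size(huge, 8));
    printf("probe(16,4)=%d probe(huge,8)=%d\n",
           probe_alloc(16, 4), probe_alloc(huge, 8));
    return 0;
}
```

The wrap check `count > SIZE_MAX / elem_size` is the portable idiom; it works for both 32-bit and 64-bit `size_t`, and the cap is what turns a validated but still enormous request into the refusal the message says is needed to avoid memory-exhaustion DoS.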

