apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: fnmatch rewrite in apr, apr 1.4.3
Date Tue, 10 May 2011 18:25:49 GMT
On 5/10/2011 10:02 AM, Mark J Cox wrote:
>> httpd 2.2.18 rolls in the next six hours, so to the extent that sharing
>> issues with apr/apr-util between httpd and svn is an issue for mod_dav_svn,
>> we should be in good shape midweek to broadcast any cautions and upgrade
>> advisories.
> 
> So is the plan to have an APR security advisory timed for when httpd
> 2.2.18 is released this week?

Not certain, with respect to httpd, this short statement is probably
enough for the announcement;

  If 'Options Indexes' is configured, an untrusted adminstrator or
  user has control of the contents of the indexed directory, or there
  are very long file paths (e.g. > <n> URL characters) there is the
  possibility of excessive stack memory consumption.  Users are
  cautioned to move to apr 1.4.4 (included in httpd 2.2.18), or to
  configure 'IndexOptions IgnoreClient' in the same configuration
  contexts where 'Options Indexes' is enabled.

In conjunction with svn 1.6.9 I suspect this might demand a CVE, and
that was when I intended that we make plain what APR 1.4.4 corrects, in
conjunction with their other announcement.

> Note that the reporter separately contacted Red Hat yesterday and
> reported the issue (since our site happens to have directories/files
> served by autoindex long enough for it to matter). We'd want to hold
> off updates until the ASF announcement.

I was under the impression this was sensitive to the number of path
components as opposed to the length of the resource name.

In your estimation, does this demand a CVE?  Is there a relevant CVE
already assigned to the BSD operating system?

I was never able to trigger this using win32 default thread stack size.

Mime
View raw message