httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: mod_deflate DoS
Date Fri, 03 Jul 2009 10:00:48 GMT
On Sun, Jun 28, 2009 at 08:20:20PM +0200, Stefan Fritsch wrote:
> we have received a bug report [1] that a DoS is possible with
> mod_deflate since it does not stop compressing large files even after
> the network connection has been closed. This allows using large
> amounts of CPU if there is a largish (>10 MB) file available that has
> mod_deflate enabled.

Thanks for posting the report.  This issue has been assigned 
CVE-2009-1891.

On the security list, Ruediger suggested these fixes, which I've 
proposed for inclusion in 2.2.x:

http://people.apache.org/~jorton/CVE-2009-1891.1.diff
http://people.apache.org/~jorton/CVE-2009-1891.2.diff

along with a third fix which concerned event MPM write completion - 
AFAICT that is not relevant on the 2.2.x branch.

Regards, Joe
