httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: [users@httpd] About apache2 vulnerability with apr and apr-utils. How bad is it?
Date Fri, 11 Sep 2009 01:18:29 GMT
David Taveras wrote:
> You mentioned as far as APR causing a DoS, how about the execution of
> arbitrary code through apache as the CVE says..?

No, you misinterpreted; the application developer must expose a DoS/memory
exhaustion vector; where that exists, and the affected version of APR
is used, and the information written to the never-allocated buffer just
happens to overlap some predictable, current allocations, then the external
user may trigger a segfault but possibly worse, depending ENTIRELY on
the code in the application.

An example is
svn's libsvn_delta library, but there may be other applications in the
wild which suffer similar, lesser or worse side effects from trusting
untained user input.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message