|
oss-sec
mailing list archives
Re: CVE request: apr - Hash DoS vulnerability
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 08 Feb 2012 17:08:06 -0700
On 02/08/2012 10:26 AM, Moritz Muehlenhoff wrote:
Hi,
APR (Apache Portable Runtime) is affected by the hash collision DoS
class, please assign a CVE ID:
The upstream discussion can be found here:
http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html
Cheers,
Moritz
Please use CVE-2012-0840 for this issue.
They posted a first attempt at a fix:
http://www.mail-archive.com/dev%40apr.apache.org/msg24473.html
Actual commit:
http://mail-archives.apache.org/mod_mbox/apr-commits/201201.mbox/%3C20120115003715.071D423888FD () eris apache org%3E
Reply about this commit:
r1231605 and r1231858 cause massive regressions and test case failures
in httpd.
so probably not the final fix.
If someone could reply to this with the final fix that'd be helpful.
--
Kurt Seifried Red Hat Security Response Team (SRT)
 By Date 
By Thread
Current thread:
| 
