Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: apr - Hash DoS vulnerability
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 08 Feb 2012 17:08:06 -0700

On 02/08/2012 10:26 AM, Moritz Muehlenhoff wrote:
Hi,
APR (Apache Portable Runtime) is affected by the hash collision DoS 
class, please assign a CVE ID:

The upstream discussion can be found here:
http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html

Cheers,
        Moritz

Please use CVE-2012-0840 for this issue.

They posted a first attempt at a fix:
http://www.mail-archive.com/dev%40apr.apache.org/msg24473.html

Actual commit:
http://mail-archives.apache.org/mod_mbox/apr-commits/201201.mbox/%3C20120115003715.071D423888FD () eris apache org%3E

Reply about this commit:
r1231605 and r1231858 cause massive regressions and test case failures
in httpd.

so probably not the final fix.

If someone could reply to this with the final fix that'd be helpful.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault