CVE-2009-1890

Properties

Published: 04.07.2009
Updated: 31.10.2009
Patch available:
Severity: Medium
CVSS vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Product: apache: http_server

Vulnerability description

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.

References:

CONFIRM: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587
FEDORA: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01363.html
REDHAT: https://rhn.redhat.com/errata/RHSA-2009-1148.html
UBUNTU: http://www.ubuntu.com/usn/USN-802-1
SECTRACK: http://www.securitytracker.com/id?1022509
BID: http://www.securityfocus.com/bid/35565
REDHAT: http://www.redhat.com/support/errata/RHSA-2009-1156.html
MANDRIVA: http://www.mandriva.com/security/advisories?name=MDVSA-2009:149
DEBIAN: http://www.debian.org/security/2009/dsa-1834
CONFIRM: http://svn.apache.org/viewvc?view=rev&revision=790587
CONFIRM: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?revision=790587
CONFIRM: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587
GENTOO: http://security.gentoo.org/glsa/glsa-200907-04.xml
SECUNIA: http://secunia.com/advisories/37152
SECUNIA: http://secunia.com/advisories/35865
SECUNIA: http://secunia.com/advisories/35793
SECUNIA: http://secunia.com/advisories/35721
SECUNIA: http://secunia.com/advisories/35691
OSVDB: http://osvdb.org/55553
SUSE: http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html