FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2011-0419

This CVE name corresponds to:

Entered      Topic
2011-11-13   Apache APR -- DoS vulnerabilities
2011-05-23   Apache APR -- DoS vulnerabilities
2011-05-12   Apache APR -- DoS vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2011-0419
Phase Assigned(20110111)

Description

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

References

Source       Reference
SREASONRES   20110512 Multiple Vendors libc/fnmatch(3) DoS (incl apache)
MLIST [dev] 20110510 Re: Apache Portable Runtime 1.4.4 [...] Released
MLIST [dev] 20110510 Re: fnmatch rewrite in apr, apr 1.4.3
MLIST [dev] 20110511 Re: Apache Portable Runtime 1.4.4 [...] Released
MISC http://cxib.net/stuff/apache.fnmatch.phps
MISC http://cxib.net/stuff/apr_fnmatch.txts
CONFIRM http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22
CONFIRM http://httpd.apache.org/security/vulnerabilities_22.html
CONFIRM http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902
CONFIRM http://svn.apache.org/viewvc?view=revision&revision=1098188
CONFIRM http://svn.apache.org/viewvc?view=revision&revision=1098799
CONFIRM http://www.apache.org/dist/apr/Announcement1.x.html
CONFIRM http://www.apache.org/dist/apr/CHANGES-APR-1.4
CONFIRM http://www.apache.org/dist/httpd/Announcement2.2.html
CONFIRM http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=703390
CONFIRM http://support.apple.com/kb/HT5002
CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
CONFIRM http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
APPLE APPLE-SA-2011-10-12-3
DEBIAN DSA-2237
HP HPSBUX02702
HP HPSBUX02707
HP SSRT100606
HP SSRT100626
HP HPSBMU02704
HP HPSBOV02822
HP SSRT100966
MANDRIVA MDVSA-2011:084
MANDRIVA MDVSA-2013:150
REDHAT RHSA-2011:0507
REDHAT RHSA-2011:0896
REDHAT RHSA-2011:0897
SUSE SUSE-SU-2011:1229
OVAL oval:org.mitre.oval:def:14638
OVAL oval:org.mitre.oval:def:14804
SECTRACK 1025527
SECUNIA 44490
SECUNIA 44564
SECUNIA 44574
SREASON 8246