FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2011-1928

This CVE name corresponds to:

Entered: 2011-05-23
Topic: Apache APR -- DoS vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2011-1928
Phase Assigned(20110509)

Description

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.

References

Source Reference
MLIST [httpd-announce] 20110519 Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
MLIST [oss-security] 20110519 CVE request: DoS in apr due to CVE-2011-0419 fix
MLIST [oss-security] 20110519 Re: CVE request: DoS in apr due to CVE-2011-0419 fix
MLIST [www-announce] 20110519 Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
CONFIRM http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627182
CONFIRM https://issues.apache.org/bugzilla/show_bug.cgi?id=51219
HP HPSBOV02822
HP SSRT100966
MANDRIVA MDVSA-2011:095
REDHAT RHSA-2011:0844
SUSE SUSE-SU-2011:1229
SECUNIA 44558
SECUNIA 44661
SECUNIA 44780
SECUNIA 44613
VUPEN ADV-2011-1289
VUPEN ADV-2011-1290