Apache regression

2009-08-19T00:00:00
ID USN-802-2
Type ubuntu
Reporter Ubuntu
Modified 2009-08-19T00:00:00

Description

USN-802-1 fixed vulnerabilities in Apache. The upstream fix for
CVE-2009-1891 introduced a regression that would cause Apache children to
occasionally segfault when mod_deflate is used. This update fixes the
problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that mod_proxy_http did not properly handle a large
amount of streamed data when used as a reverse proxy. A remote attacker
could exploit this and cause a denial of service via memory resource
consumption. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04.
(CVE-2009-1890)

It was discovered that mod_deflate did not abort compressing large files
when the connection was closed. A remote attacker could exploit this and
cause a denial of service via CPU resource consumption. (CVE-2009-1891)