CVSS2: 5 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.425 Medium (Percentile 97.3%)

Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c
in the Apache Portable Runtime Utility library (aka APR-util) before
1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and
other software, allows remote attackers to cause a denial of service
(memory consumption) via unspecified vectors related to the destruction of
an APR bucket.

Author | Note |
---|---|
mdeslaur | will be fixed in apache2 2.2.17. apache2 has an embedded code copy of apr-util. Dapper uses the embedded version, hardy+ uses the system apr-util. apache2 2.2.15+ also use the code in mod_reqtimeout. lucid mod_reqtimeout backport already contains this fix |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 6.06 | noarch | apache2 | < 2.0.55-4ubuntu2.12 | UNKNOWN |
ubuntu | 10.10 | noarch | apache2 | < 2.2.16-1ubuntu3.1 | UNKNOWN |
ubuntu | 8.04 | noarch | apr-util | < 1.2.12+dfsg-3ubuntu0.3 | UNKNOWN |
ubuntu | 9.10 | noarch | apr-util | < 1.3.9+dfsg-1ubuntu1.1 | UNKNOWN |
ubuntu | 10.04 | noarch | apr-util | < 1.3.9+dfsg-3ubuntu0.10.04.1 | UNKNOWN |
ubuntu | 10.10 | noarch | apr-util | < 1.3.9+dfsg-3ubuntu0.10.10.1 | UNKNOWN |