Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2009/07/06 14:07:39 UTC
Re: svn commit: r791454 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS server/core_filters.c
On Mon, Jul 6, 2009 at 8:03 AM, <tr...@apache.org> wrote:
> Author: trawick
> Date: Mon Jul 6 12:03:20 2009
> New Revision: 791454
>
> URL: http://svn.apache.org/viewvc?rev=791454&view=rev
> Log:
> SECURITY: CVE-2009-1891 (cve.mitre.org)
> Fix a potential Denial-of-Service attack against mod_deflate or other
> modules, by forcing the server to consume CPU time in compressing a
> large file after a client disconnects. [Joe Orton, Ruediger Pluem]
One of the patches was for
https://issues.apache.org/bugzilla/show_bug.cgi?id=39605, although that has
a different symptom. (See comment in
http://svn.apache.org/viewvc?view=rev&revision=521681.) 39605 isn't marked
complete or listed in CHANGES. Perhaps this is because more fixes are
needed to address that problem?
Re: svn commit: r791454 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS server/core_filters.c
Posted by Joe Orton <jo...@redhat.com>.
On Mon, Jul 06, 2009 at 08:07:39AM -0400, Jeff Trawick wrote:
> On Mon, Jul 6, 2009 at 8:03 AM, <tr...@apache.org> wrote:
> > URL: http://svn.apache.org/viewvc?rev=791454&view=rev
> > Log:
> > SECURITY: CVE-2009-1891 (cve.mitre.org)
> > Fix a potential Denial-of-Service attack against mod_deflate or other
> > modules, by forcing the server to consume CPU time in compressing a
> > large file after a client disconnects. [Joe Orton, Ruediger Pluem]
>
> One of the patches was for
> https://issues.apache.org/bugzilla/show_bug.cgi?id=39605, although that has
> a different symptom. (See comment in
> http://svn.apache.org/viewvc?view=rev&revision=521681.) 39605 isn't marked
> complete or listed in CHANGES. Perhaps this is because more fixes are
> needed to address that problem?
Ah, thanks, I meant to add that in but forgot. Yes, PR 39605 should be
fixed by these patches. I've updated CHANGES to reflect that now.
Regards, Joe
RE: svn commit: r791454 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS server/core_filters.c
Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
IMHO 39605 is fixed by the patches in 2.2.x as well.
So we should close it and add its number to the comment.
Regards
Rüdiger
________________________________
From: Jeff Trawick
Sent: Monday, 6 July 2009 14:08
To: dev@httpd.apache.org
Subject: Re: svn commit: r791454 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS server/core_filters.c
On Mon, Jul 6, 2009 at 8:03 AM, <tr...@apache.org> wrote:
Author: trawick
Date: Mon Jul 6 12:03:20 2009
New Revision: 791454
URL: http://svn.apache.org/viewvc?rev=791454&view=rev
Log:
SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects. [Joe Orton, Ruediger Pluem]
One of the patches was for https://issues.apache.org/bugzilla/show_bug.cgi?id=39605, although that has a different symptom. (See comment in http://svn.apache.org/viewvc?view=rev&revision=521681.) 39605 isn't marked complete or listed in CHANGES. Perhaps this is because more fixes are needed to address that problem?