Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2009/07/03 12:00:48 UTC

Re: mod_deflate DoS

On Sun, Jun 28, 2009 at 08:20:20PM +0200, Stefan Fritsch wrote:
> we have received a bug report [1] that a DoS is possible with
> mod_deflate since it does not stop compressing large files even after
> the network connection has been closed. This allows using large
> amounts of CPU if there is a largish (>10 MB) file available that has
> mod_deflate enabled.

Thanks for posting the report.  This issue has been assigned 
CVE-2009-1891.

On the security list, Ruediger suggested these fixes, which I've 
proposed for inclusion in 2.2.x:

http://people.apache.org/~jorton/CVE-2009-1891.1.diff
http://people.apache.org/~jorton/CVE-2009-1891.2.diff

along with a third fix which concerned event MPM write completion - 
AFAICT that is not relevant on the 2.2.x branch.

Regards, Joe
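The failure mode Stefan describes, as an added illustration that is not httpd or mod_deflate code and is not the content of either diff above: a server that deflates a large response chunk by chunk, and either keeps paying for deflate after the client has gone (the reported behaviour) or stops at the first failed write. The 8 KB chunk size, the gzip framing, the constructed incompressible payload and the Unix socketpair standing in for the TCP connection are assumptions of this example.

```python
# Added illustration of the bug shape in the thread, not httpd code.
# Assumptions: 8 KB reads of the served file, gzip framing, a socketpair
# in place of a TCP connection, and a constructed incompressible payload.
import random
import socket
import threading
import zlib

CHUNK = 8192                                            # assumed per-read size
PAYLOAD = random.Random(1).randbytes(8 * 1024 * 1024)   # constructed "large file"
TOTAL_CHUNKS = (len(PAYLOAD) + CHUNK - 1) // CHUNK


def serve_compressed(conn, payload, check_abort):
    """Deflate `payload` chunk by chunk, sending each compressed piece to `conn`.

    check_abort=False reproduces the reported behaviour: a failed write is
    noted, but the loop carries on deflating the rest of the file for nobody.
    check_abort=True stops at the first failed write.
    Returns (chunks_compressed, bytes_sent, client_gone)."""
    comp = zlib.compressobj(level=6, wbits=31)          # wbits=31: gzip framing
    chunks = sent = 0
    client_gone = False
    for off in range(0, len(payload), CHUNK):
        out = comp.compress(payload[off:off + CHUNK])   # the CPU spent per chunk
        chunks += 1
        if client_gone or not out:
            continue                                    # buggy path: keep deflating
        try:
            conn.sendall(out)
            sent += len(out)
        except (BrokenPipeError, ConnectionResetError):
            client_gone = True
            if check_abort:
                break                                   # nobody listening: stop
    if not client_gone:
        tail = comp.flush()
        conn.sendall(tail)
        sent += len(tail)
    return chunks, sent, client_gone


def run_scenario(check_abort, close_after=None, payload=PAYLOAD):
    """Run server and client over a socketpair (stand-in for the connection).

    close_after=None: the client reads the whole response.
    close_after=N:    the client closes its end once it has received N bytes,
                      the mid-transfer disconnect from the bug report.
    Returns ((chunks_compressed, bytes_sent, client_gone), bytes_received)."""
    srv, cli = socket.socketpair()
    received = bytearray()

    def client():
        try:
            while True:
                data = cli.recv(65536)
                if not data:
                    break
                received.extend(data)
                if close_after is not None and len(received) >= close_after:
                    break
        finally:
            cli.close()                                 # the disconnect

    t = threading.Thread(target=client)
    t.start()
    try:
        result = serve_compressed(srv, payload, check_abort)
    finally:
        srv.close()
    t.join()
    return result, bytes(received)


def roundtrip_ok(received, payload=PAYLOAD):
    """True if a fully received gzip stream decodes back to the payload."""
    return zlib.decompress(received, 31) == payload


if __name__ == "__main__":
    for check in (False, True):
        (chunks, sent, gone), _ = run_scenario(check_abort=check, close_after=64 * 1024)
        print(f"check_abort={check}: client gone={gone}, "
              f"deflated {chunks}/{TOTAL_CHUNKS} chunks, sent {sent} bytes")
```

With check_abort=False the server deflates every chunk of the file even though the client went away after 64 KB; with check_abort=True it stops a few chunks after the disconnect. The same test applies to any per-chunk filter: check for an aborted connection before the expensive step, not only after the whole response has been produced.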