Apache2::Request Unspecified Vulnerability

Vulnerability ID 1196015 Vulnerability type Design error
Published 2006-02-17 Updated 2006-12-15
CVE ID CVE-2006-0042 CNNVD ID CNNVD-200602-279
Platform N/A CVSS score 5.0
|Vulnerability sources
https://www.securityfocus.com/bid/16710
https://cxsecurity.com/issue/WLB-2006040065
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200602-279
|Vulnerability details
Unspecified vulnerability in the (1) apreq_parse_headers and (2) apreq_parse_urlencoded functions in Apache2::Request (libapreq2) before 2.07 allows remote attackers to cause a denial of service (high CPU consumption) via unknown attack vectors that trigger quadratic computational complexity.
|Vulnerability EXP
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200604-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libapreq2: Denial of Service vulnerability
      Date: April 17, 2006
      Bugs: #128610
        ID: 200604-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been reported in libapreq2 which could lead to a
Denial of Service.

Background
==========

libapreq is a shared library with associated modules for manipulating
client request data via the Apache API.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  www-apache/libapreq2       < 2.07                         >= 2.07

Description
===========

A vulnerability has been reported in the apreq_parse_headers() and
apreq_parse_urlencoded() functions of Apache2::Request.

Impact
======

A remote attacker could possibly exploit the vulnerability to cause a
Denial of Service by CPU consumption.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libapreq2 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apache/libapreq2-2.07"

References
==========

  [ 1 ] CVE-2006-0042
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0042
  [ 2 ] libapreq2 Changes
        http://svn.apache.org/viewcvs.cgi/httpd/apreq/tags/v2_07/CHANGES?rev=376998&view=markup

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200604-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

|Affected products
Gentoo Linux Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k
|References

Source: BID
Name: 16710
Link: http://www.securityfocus.com/bid/16710
Source: VUPEN
Name: ADV-2006-0645
Link: http://www.frsirt.com/english/advisories/2006/0645
Source: DEBIAN
Name: DSA-1000
Link: http://www.debian.org/security/2006/dsa-1000
Source: SECUNIA
Name: 19139
Link: http://secunia.com/advisories/19139
Source: SECUNIA
Name: 18846
Link: http://secunia.com/advisories/18846
Source: svn.apache.org
Link: http://svn.apache.org/viewcvs.cgi/httpd/apreq/tags/v2_07/CHANGES?rev=376998&view=markup
Source: XF
Name: libapreq2-parsing-dos(24917)
Link: http://xforce.iss.net/xforce/xfdb/24917
Source: GENTOO
Name: GLSA-200604-08
Link: http://www.gentoo.org/security/en/glsa/glsa-200604-08.xml
Source: SREASON
Name: 737
Link: http://securityreason.com/securityalert/737
Source: SECUNIA
Name: 19658
Link: http://secunia.com/advisories/19658