Candidate: CVE-2009-1890
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
https://usn.ubuntu.com/usn/usn-802-1
The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module
in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured,
does not properly handle an amount of streamed data that exceeds the
Content-Length value, which allows remote attackers to cause a denial of
service (CPU consumption) via crafted requests.
mdeslaur> couldn't reproduce on dapper, code is different
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1890
upstream: http://svn.apache.org/viewvc?view=rev&revision=790587
upstream: http://svn.apache.org/viewvc?view=rev&revision=790589 (test case)
upstream_apache2: released (2.3.3)
dapper_apache2: not-affected
hardy_apache2: released (2.2.8-1ubuntu0.10)
intrepid_apache2: released (2.2.9-7ubuntu3.2)
jaunty_apache2: released (2.2.11-2ubuntu2.2)
devel_apache2: not-affected (2.2.11-7ubuntu1)