1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
Candidate: CVE-2011-4415
PublicDate: 2011-11-08
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4415
http://www.gossamer-threads.com/lists/apache/dev/403775
http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46783
Description:
The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x
through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is
enabled, does not restrict the size of values of environment variables,
which allows local users to cause a denial of service (memory consumption
or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf
directive, in conjunction with a crafted HTTP request header, related to
(1) the "len +=" statement and (2) the apr_pcalloc function call, a
different vulnerability than CVE-2011-3607.
Ubuntu-Description:
Notes:
mdeslaur> Apache doesn't consider this to be a security issue. Ignoring.
Bugs:
Priority: low
Discovered-by:
Assigned-to: mdeslaur
Patches_apache2:
upstream_apache2: ignored
hardy_apache2: ignored
lucid_apache2: ignored
maverick_apache2: ignored
natty_apache2: ignored
oneiric_apache2: ignored
devel_apache2: ignored
|