A DoS flaw was fixed in httpd's mod_proxy. Problem affects httpd 2.2.x+ and mod_proxy in reverse proxy setups. Upstream commit: http://svn.apache.org/viewvc?view=rev&revision=790587 Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration, where a remote attacker can force a proxy process to consume CPU time indefinitely. Upstream test case: http://svn.apache.org/viewvc?view=rev&revision=790589
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1890 to the following vulnerability: Name: CVE-2009-1890 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890 Assigned: 20090602 Reference: CONFIRM: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587 Reference: CONFIRM: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?revision=790587 Reference: CONFIRM: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587 Reference: CONFIRM: http://svn.apache.org/viewvc?view=rev&revision=790587 Reference: SECUNIA:35691 Reference: URL: http://secunia.com/advisories/35691 The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1148 https://rhn.redhat.com/errata/RHSA-2009-1148.html
This issue has been addressed in following products: JBEWS 1.0.0 for RHEL 5 Via RHSA-2009:1155 https://rhn.redhat.com/errata/RHSA-2009-1155.html
This issue has been addressed in following products: Red Hat Web Application Stack for RHEL 5 Via RHSA-2009:1156 https://rhn.redhat.com/errata/RHSA-2009-1156.html
This issue has been addressed in following products: JBEWS 1.0.0 for RHEL 4 Via RHSA-2009:1160 https://rhn.redhat.com/errata/RHSA-2009-1160.html
httpd-2.2.13-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.