Bug 640281 - (CVE-2010-1623) CVE-2010-1623 apr-util: high memory consumption in apr_brigade_split_line()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20101001,repor...
Keywords: Security
Depends On: 659249 659250 659251 659252 659253 659254 663967 795923
Reported: 2010-10-05 09:00 EDT by Jan Lieskovsky
Modified: 2015-11-24 09:35 EST
Doc Type: Bug Fix
Last Closed: 2012-07-31 15:13:42 EDT

External Trackers
  Red Hat Product Errata RHSA-2010:0950 (normal, SHIPPED_LIVE): Moderate: apr-util security update, last updated 2010-12-07 19:25:07 EST
  Red Hat Product Errata RHSA-2011:0896 (normal, SHIPPED_LIVE): Moderate: JBoss Enterprise Web Server 1.0.2 update, last updated 2011-06-22 19:16:28 EDT
  Red Hat Product Errata RHSA-2011:0897 (normal, SHIPPED_LIVE): Moderate: JBoss Enterprise Web Server 1.0.2 update, last updated 2011-06-22 19:38:13 EDT

Description Jan Lieskovsky 2010-10-05 09:00:46 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1623 to
the following vulnerability:

The apr_brigade_split_line function in buckets/apr_brigade.c in the
Apache Portable Runtime Utility library (aka APR-util) before 1.3.10,
as used in the mod_reqtimeout module in the Apache HTTP Server and
other software, allows remote attackers to cause a denial of service
(memory consumption) via unspecified vectors.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623
[2] http://security-tracker.debian.org/tracker/CVE-2010-1623
[3] http://svn.apache.org/viewvc?view=revision&revision=1003492
[4] http://svn.apache.org/viewvc?view=revision&revision=1003493
[5] http://svn.apache.org/viewvc?view=revision&revision=1003494
[6] http://svn.apache.org/viewvc?view=revision&revision=1003495
[7] http://svn.apache.org/viewvc?view=revision&revision=1003626
[8] http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
[9] http://www.mandriva.com/security/advisories?name=MDVSA-2010:192
[10] http://www.securityfocus.com/bid/43673
[11] http://secunia.com/advisories/41701
[12] http://www.vupen.com/english/advisories/2010/2556
[13] http://www.vupen.com/english/advisories/2010/2557
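The description above records only that apr_brigade_split_line() could be driven into high memory consumption; it does not say how, and the upstream revisions listed in the references are where the actual change lives. The following is an added C illustration written for this page, not APR-util code and not a reconstruction of its specific flaw. It shows the general defect class behind a "memory consumption" denial of service in a line splitter: a reader that keeps accumulating bytes while waiting for a newline the peer never sends, beside a variant that takes a caller-supplied byte limit and fails closed. The chunk_t type, both split_line_* functions, the input builder and the scenario functions are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One chunk of input; an array of these stands in for a bucket brigade.
 * Constructed for this illustration, not an APR type. */
typedef struct {
    const char *data;
    size_t len;
} chunk_t;

typedef enum {
    SPLIT_OK = 0,      /* complete line returned, newline stripped */
    SPLIT_INCOMPLETE,  /* input exhausted before a newline was seen */
    SPLIT_TOO_LONG,    /* limit reached with no newline: refused to grow */
    SPLIT_NOMEM
} split_status_t;

/* Unbounded variant: grows its buffer for as long as input keeps arriving
 * without a newline, so peak memory is dictated by the peer. *capacity
 * reports the final buffer size so the growth can be observed. */
split_status_t split_line_unbounded(const chunk_t *chunks, size_t nchunks,
                                    char **out, size_t *out_len,
                                    size_t *capacity)
{
    size_t cap = 64, total = 0;
    char *buf = malloc(cap);
    *out = NULL; *out_len = 0; *capacity = 0;
    if (!buf) return SPLIT_NOMEM;
    for (size_t i = 0; i < nchunks; i++) {
        for (size_t j = 0; j < chunks[i].len; j++) {
            char c = chunks[i].data[j];
            if (c == '\n') {
                buf[total] = '\0';
                *out = buf; *out_len = total; *capacity = cap;
                return SPLIT_OK;
            }
            if (total + 1 >= cap) {            /* keep room for the NUL */
                char *nb = realloc(buf, cap * 2);
                if (!nb) { free(buf); return SPLIT_NOMEM; }
                buf = nb; cap *= 2;
            }
            buf[total++] = c;
        }
    }
    *capacity = cap;
    free(buf);
    return SPLIT_INCOMPLETE;
}

/* Bounded variant: maxbytes caps the allocation up front and is checked
 * before every append, so no input can make this hold more than
 * maxbytes + 1 bytes. An over-long line is rejected, not accumulated. */
split_status_t split_line_bounded(const chunk_t *chunks, size_t nchunks,
                                  size_t maxbytes, char **out, size_t *out_len)
{
    char *buf = malloc(maxbytes + 1);
    size_t total = 0;
    *out = NULL; *out_len = 0;
    if (!buf) return SPLIT_NOMEM;
    for (size_t i = 0; i < nchunks; i++) {
        for (size_t j = 0; j < chunks[i].len; j++) {
            char c = chunks[i].data[j];
            if (c == '\n') {
                buf[total] = '\0';
                *out = buf; *out_len = total;
                return SPLIT_OK;
            }
            if (total >= maxbytes) { free(buf); return SPLIT_TOO_LONG; }
            buf[total++] = c;
        }
    }
    free(buf);
    return SPLIT_INCOMPLETE;
}

/* Constructed input: nchunks chunks of chunk_len 'A' bytes and no newline
 * anywhere, as a peer that never terminates the line would send. */
static chunk_t *make_newline_free_input(size_t nchunks, size_t chunk_len)
{
    chunk_t *chunks = malloc(nchunks * sizeof *chunks);
    char *block = malloc(chunk_len);
    memset(block, 'A', chunk_len);
    for (size_t i = 0; i < nchunks; i++) { chunks[i].data = block; chunks[i].len = chunk_len; }
    return chunks;
}

/* Scenario: 1 MiB of newline-free input against an 8 KiB cap.
 * Returns 1 if the bounded splitter refused it without returning a buffer. */
int bounded_rejects_long_line(void)
{
    chunk_t *in = make_newline_free_input(1024, 1024);
    char *line; size_t len;
    split_status_t st = split_line_bounded(in, 1024, 8192, &line, &len);
    free((void *)in[0].data); free(in);
    return st == SPLIT_TOO_LONG && line == NULL;
}

/* Same input through the unbounded splitter; returns the buffer size it grew to. */
size_t unbounded_growth_for_1mib(void)
{
    chunk_t *in = make_newline_free_input(1024, 1024);
    char *line; size_t len, cap;
    split_line_unbounded(in, 1024, &line, &len, &cap);
    free((void *)in[0].data); free(in);
    return cap;
}

/* Ordinary case: a request line split across two chunks is still returned whole. */
int bounded_returns_request_line(void)
{
    chunk_t ok[2] = { {"GET / HT", 8}, {"TP/1.0\r\nHost: x\r\n", 17} };
    char *line; size_t len;
    split_status_t st = split_line_bounded(ok, 2, 8192, &line, &len);
    int good = st == SPLIT_OK && len == 15 && strcmp(line, "GET / HTTP/1.0\r") == 0;
    free(line);
    return good;
}

int main(void)
{
    printf("bounded rejects 1 MiB newline-free input: %d\n", bounded_rejects_long_line());
    printf("unbounded grew to %zu bytes for the same input\n", unbounded_growth_for_1mib());
    printf("bounded returns a normal request line: %d\n", bounded_returns_request_line());
    return 0;
}
```

The point the scenario functions make is that the bounded splitter's memory use is fixed by the caller (8 KiB here) no matter how much newline-free input arrives, while the unbounded one grows past the input size; a reader that behaves like the second is the shape of bug to look for when triaging a "memory consumption" DoS in line-oriented parsing code.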
Comment 1 Jan Lieskovsky 2010-10-05 09:03:59 EDT
This issue affects the version of the httpd package, as shipped with
Red Hat Enterprise Linux 3.

This issue affects the versions of the apr-util package, as shipped
with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the versions of the apr-util package, as shipped
with Fedora releases 12 and 13.
Comment 9 Tomas Hoger 2010-11-26 12:36:04 EST
(In reply to comment #0)
> The apr_brigade_split_line function in buckets/apr_brigade.c in the
> Apache Portable Runtime Utility library (aka APR-util) before 1.3.10,
> as used in the mod_reqtimeout module in the Apache HTTP Server

The "as used in" part of the description is not correct.  The confusion is probably caused by upstream using the CVE-2010-1623 id in the commits fixing the apr_brigade_split_line() issue in apr-util as well as a similar flaw in the mod_reqtimeout module.  mod_reqtimeout was not using apr_brigade_split_line().

The mod_reqtimeout module was introduced in httpd version 2.2.15:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?revision=917876&view=markup#l26

The vulnerable code was never part of a released 2.2.x version; the issue only affected development versions:
http://svn.apache.org/viewvc?view=revision&revision=1005957

which corrects the previous commit:
http://svn.apache.org/viewvc?view=revision&revision=1005669
Comment 12 errata-xmlrpc 2010-12-07 19:25:19 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 6

Via RHSA-2010:0950 https://rhn.redhat.com/errata/RHSA-2010-0950.html
Comment 14 errata-xmlrpc 2011-06-22 19:17:32 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html
Comment 15 errata-xmlrpc 2011-06-22 19:39:12 EDT
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 4
  JBEWS 1 for RHEL 6

Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html