Bug 714182 - apache-2.2.17 vulnerable to local DoS
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: httpd
Version: 14
Hardware/OS: All Linux
Priority: unspecified
Severity: high
Assigned To: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-06-17 10:49 EDT by Dave
Modified: 2011-11-09 20:30 EST
Doc Type: Bug Fix
Last Closed: 2011-11-09 20:30:16 EST
Attachments: None
Description Dave 2011-06-17 10:49:18 EDT
Description of problem:
The latest version of apache with f14 does not seem to contain a fix for the DoS that was addressed in apache-2.2.18.

http://httpd.apache.org/security/vulnerabilities_22.html

Comment 1 Dave 2011-06-29 11:13:50 EDT
What is the status of this? f15 appears to use the same version of apache, so not sure what's going on. Is there a more appropriate place to investigate this?
Comment 2 Tom 2011-07-18 11:10:00 EDT
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0419 is being a pain, an update for Fedora would be greatly appreciated.
Comment 3 Tom 2011-07-18 11:30:58 EDT
This is related to if not a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0419 but that issue seems to only be addressed in RHEL.  At least one security company (Security Metrics) considers 2.2.17 by itself enough of an issue to fail customers, even if updating other packages solves the issue.
Comment 4 Tom 2011-07-18 12:53:53 EDT
Correction, our security company says we need > 2.2.18, so I guess only 2.2.9 would pass.
Comment 5 Tomas Hoger 2011-09-08 03:20:29 EDT
CVE-2011-0419 (and the related CVE-2011-1928) affected the apr library used by httpd. While the httpd source embeds a copy of the apr library sources, the Fedora httpd packages do not use the embedded apr and link against the system apr package. The apr update fixing this flaw was pushed to stable before this bug was created:

https://admin.fedoraproject.org/updates/apr-1.4.5-1.fc14
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061177.html

Does anyone disagree with closing this as NOTABUG?
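An added check script, not part of this bug report, that does by hand what comment 5 describes: it confirms from ldd-style output that httpd links the system libapr rather than a bundled copy, and that the installed apr version is at least 1.4.5, the version named above. The ldd lines and the apr version string are constructed samples, and the soname libapr-1.so.0 is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm that an httpd binary uses
# the system libapr, and that the installed apr is at least apr-1.4.5, the
# version comment 5 names as carrying the CVE-2011-0419 / CVE-2011-1928 fix.
# Input is constructed below so the script runs offline; see the usage note.

# uses_system_apr: reads ldd-style output on stdin, prints the resolved
# libapr path and returns 0 when httpd links a shared libapr-1.so
# (a statically bundled apr would show no such line).
uses_system_apr() {
    awk '$1 ~ /^libapr-1\.so/ && $2 == "=>" { print $3; found = 1 }
         END { exit found ? 0 : 1 }'
}

# version_key: turn "MAJOR.MINOR.PATCH[-release]" into a sortable integer.
version_key() {
    v=${1%%-*}                       # drop the RPM release suffix, e.g. "-1.fc14"
    old_ifs=$IFS; IFS=.
    set -- $v                        # split the remaining version on dots
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# apr_at_least FIXED INSTALLED: returns 0 when INSTALLED >= FIXED.
apr_at_least() {
    [ "$(version_key "$2")" -ge "$(version_key "$1")" ]
}

# check_host LDD_OUTPUT APR_VERSION: combined verdict, 0 = fix is in place.
check_host() {
    lib=$(printf '%s\n' "$1" | uses_system_apr) \
        || { echo "httpd does not link a shared libapr"; return 1; }
    apr_at_least 1.4.5 "$2" \
        || { echo "system apr $2 ($lib) predates the 1.4.5 fix"; return 1; }
    echo "httpd uses system apr $2 via $lib: CVE-2011-0419 fix present"
}

# Constructed sample resembling a patched Fedora 14 host (assumed paths).
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007fff00000000)
libapr-1.so.0 => /usr/lib64/libapr-1.so.0 (0x00007f0000000000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0100000000)'
check_host "$SAMPLE_LDD" "1.4.5-1.fc14"
```

On a real host, feed it `ldd "$(command -v httpd)"` and `rpm -q --qf '%{VERSION}-%{RELEASE}' apr` instead of the constructed sample; a scanner that only reads the Server banner cannot see this distinction.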
Comment 6 Joe Orton 2011-11-09 20:30:16 EST
I agree; closing out.