Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1623 to the following vulnerability:

The apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623
[2] http://security-tracker.debian.org/tracker/CVE-2010-1623
[3] http://svn.apache.org/viewvc?view=revision&revision=1003492
[4] http://svn.apache.org/viewvc?view=revision&revision=1003493
[5] http://svn.apache.org/viewvc?view=revision&revision=1003494
[6] http://svn.apache.org/viewvc?view=revision&revision=1003495
[7] http://svn.apache.org/viewvc?view=revision&revision=1003626
[8] http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
[9] http://www.mandriva.com/security/advisories?name=MDVSA-2010:192
[10] http://www.securityfocus.com/bid/43673
[11] http://secunia.com/advisories/41701
[12] http://www.vupen.com/english/advisories/2010/2556
[13] http://www.vupen.com/english/advisories/2010/2557
This issue affects the version of the httpd package, as shipped with Red Hat Enterprise Linux 3.

This issue affects the versions of the apr-util package, as shipped with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the versions of the apr-util package, as shipped with Fedora releases 12 and 13.
(In reply to comment #0)
> The apr_brigade_split_line function in buckets/apr_brigade.c in the
> Apache Portable Runtime Utility library (aka APR-util) before 1.3.10,
> as used in the mod_reqtimeout module in the Apache HTTP Server

The "as used in" part of the description is not correct. The confusion is probably caused by upstream using the CVE-2010-1623 CVE id in commits fixing the apr_brigade_split_line() issue in apr-util as well as a similar flaw in the mod_reqtimeout module. mod_reqtimeout was not using apr_brigade_split_line().

The mod_reqtimeout module was introduced in httpd version 2.2.15:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?revision=917876&view=markup#l26

Vulnerable code was never part of a released 2.2.x version; the issue only affected development versions:
http://svn.apache.org/viewvc?view=revision&revision=1005957
that corrects the previous commit:
http://svn.apache.org/viewvc?view=revision&revision=1005669
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 6

Via RHSA-2010:0950 https://rhn.redhat.com/errata/RHSA-2010-0950.html
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 4
  JBEWS 1 for RHEL 6

Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html
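A practical check that follows from the comments above, added here as an example and not part of the bug report, APR-util, or any Red Hat erratum: upstream APR-util is fixed from 1.3.10 onward, so a plain version comparison is enough for self-built libraries, but Red Hat and Fedora ship backported fixes under the old version number, so for distribution packages the meaningful signal is the CVE id in the package changelog (`rpm -q --changelog apr-util`). The changelog text, packager name and version-release strings in the sample are constructed for this example and are not real package data.

```python
"""
Two checks for CVE-2010-1623 in an apr-util installation (added example).

1. Upstream builds: compare the library version with 1.3.10, the first
   release that carries the apr_brigade_split_line() fix.
2. Distribution builds (RHEL, Fedora, JBEWS): the version stays below
   1.3.10 because the fix is backported, so look for the CVE id in the
   package changelog instead of trusting the version.

The changelog below is constructed; its versions and dates are hypothetical.
"""
import re
from typing import List, Optional, Tuple

CVE_ID = "CVE-2010-1623"
FIXED_UPSTREAM = (1, 3, 10)          # first fixed upstream APR-util release

# Constructed `rpm -q --changelog apr-util` output (hypothetical data).
SAMPLE_CHANGELOG = """\
* Wed Dec 01 2010 Packager <packager@example.com> - 1.3.9-3.1
- add security fix for CVE-2010-1623 (apr_brigade_split_line)

* Mon Jun 14 2010 Packager <packager@example.com> - 1.3.9-3
- rebuild
"""


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '1.3.9' or '1.3.10-1.el6' into a tuple of ints for comparison.
    Only the leading dotted numeric part counts; the release suffix is
    dropped, which is fine for an upstream-version comparison."""
    m = re.match(r"(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"not a version string: {s!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def upstream_is_vulnerable(version: str) -> bool:
    """True when an unpatched upstream APR-util of this version is affected."""
    return parse_version(version) < FIXED_UPSTREAM


def parse_rpm_changelog(text: str) -> List[dict]:
    """Split rpm changelog output into entries. Header lines start with
    '* ' and usually end with the version-release; body lines start with
    '- '. Entries come newest first, as rpm prints them."""
    entries: List[dict] = []
    for line in text.splitlines():
        if line.startswith("* "):
            header = line[2:].split()
            entries.append({"header": line[2:], "version": header[-1], "lines": []})
        elif entries and line.strip():
            entries[-1]["lines"].append(line.strip())
    return entries


def changelog_mentions_cve(text: str, cve: str = CVE_ID) -> Optional[str]:
    """Return the version-release of the newest changelog entry that names
    the CVE, or None if no entry does."""
    for entry in parse_rpm_changelog(text):
        if any(cve.lower() in body.lower() for body in entry["lines"]):
            return entry["version"]
    return None


def assess(version: str, changelog: str = "") -> str:
    """Combine both checks. A changelog entry naming the CVE wins over the
    version number, because that is how backported distro fixes show up."""
    fixed_in = changelog_mentions_cve(changelog)
    if fixed_in is not None:
        return f"fixed (backport in {fixed_in})"
    if upstream_is_vulnerable(version):
        return "vulnerable (version < 1.3.10 and no backport in changelog)"
    return "fixed (upstream >= 1.3.10)"


if __name__ == "__main__":
    print("self-built 1.3.9:", assess("1.3.9"))
    print("self-built 1.3.10:", assess("1.3.10"))
    print("distro 1.3.9-3.1 with backport:", assess("1.3.9-3.1", SAMPLE_CHANGELOG))
```

The changelog check is a heuristic: it only proves that the packager referenced the CVE, not that the patch is present or correct, so treat a match as a pointer to the erratum (RHSA-2010:0950, RHSA-2011:0896, RHSA-2011:0897 for the products listed above) rather than as proof. For httpd itself, comment #3 above is the relevant caveat: the mod_reqtimeout side of the fix never affected a released 2.2.x, so an httpd version check adds nothing here.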