CVE-2008-2364
Published: 13 June 2008
The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.
Notes
| Author | Note |
|---|---|
| kees | only a problem when the server being proxied is untrusted |
| jdstrand | PoC: http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2008-2364.t?revision=666283&view=markup |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
apache2 Launchpad, Ubuntu, Debian |
dapper |
Released
(2.0.55-4ubuntu2.4)
|
| feisty |
Needed
(reached end-of-life)
|
|
| gutsy |
Released
(2.2.4-3ubuntu0.2)
|
|
| hardy |
Released
(2.2.8-1ubuntu0.4)
|
|
| intrepid |
Released
(2.2.9-1)
|
|
| upstream |
Released
(2.2.9)
|
|
|
Patches: upstream: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154 upstream: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666180 other: http://archive.apache.org/dist/httpd/patches/apply_to_2.0.63/CVE-2008-2364-patch-2.0.txt debdiff: http://launchpad.net/bugs/239894 |
||