CVE-2010-1623

Published: 4 October 2010

Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.

Priority

Medium

Status

Package    Release    Status
apache2    dapper     Released (2.0.55-4ubuntu2.12)
apache2    hardy      Not vulnerable (2.2.8-1ubuntu0.18)
apache2    jaunty     Not vulnerable (2.2.11-2ubuntu2.7)
apache2    karmic     Not vulnerable (2.2.12-1ubuntu2.3)
apache2    lucid      Not vulnerable (2.2.14-5ubuntu8.2)
apache2    maverick   Released (2.2.16-1ubuntu3.1)
apache2    upstream   Released (2.2.16-3)
apr-util   dapper     Does not exist
apr-util   hardy      Released (1.2.12+dfsg-3ubuntu0.3)
apr-util   jaunty     Ignored (reached end-of-life)
apr-util   karmic     Released (1.3.9+dfsg-1ubuntu1.1)
apr-util   lucid      Released (1.3.9+dfsg-3ubuntu0.10.04.1)
apr-util   maverick   Released (1.3.9+dfsg-3ubuntu0.10.10.1)
apr-util   upstream   Released (1.3.9+dfsg-4)

Notes

Author: mdeslaur
Note:
will be fixed in apache2 2.2.17.
apache2 has an embedded code copy of apr-util. Dapper uses the embedded version, hardy+ uses the system apr-util.
apache2 2.2.15+ also use the code in mod_reqtimeout
lucid mod_reqtimeout backport already contains this fix