CVE-2011-0419

Published: 16 May 2011

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

Priority

Medium

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian 		Upstream Needs triage

apr
Launchpad, Ubuntu, Debian 		Upstream
Released (1.4.4-1)
Patches:
Vendor: http://www.debian.org/security/2011/dsa-2237
Vendor: https://rhn.redhat.com/errata/RHSA-2011-0507.html

Notes

AuthorNote
jdstrand 
TODO: also check apr-util
sbeattie 
update for apr-util is not needed.

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

Further reading