CVE-2011-0419

Publication date 16 May 2011

Last updated 24 July 2024

Ubuntu priority

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
apache2	11.04 natty	Not affected
	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	8.04 LTS hardy	Not affected
	6.06 LTS dapper	Fixed 2.0.55-4ubuntu2.13
apr	11.04 natty	Fixed 1.4.2-7ubuntu2.1
	10.10 maverick	Fixed 1.4.2-3ubuntu1.1
	10.04 LTS lucid	Fixed 1.3.8-1ubuntu0.3
	8.04 LTS hardy	Fixed 1.2.11-1ubuntu0.2
	6.06 LTS dapper	Not in release

Notes

jdstrand

TODO: also check apr-util

sbeattie

update for apr-util is not needed.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
apr	Vendor: http://www.debian.org/security/2011/dsa-2237 Vendor: https://rhn.redhat.com/errata/RHSA-2011-0507.html

CVE-2011-0419

Status

Notes

jdstrand

sbeattie

Patch details

References

Related Ubuntu Security Notices (USN)

Other references