Release date: 2011-11-10
Updated on:
Affected Systems:
Apache Group Apache 2.2.x
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 50639
CVE ID: CVE-2011-4415
Apache HTTP Server is an open-source web server from the Apache Software Foundation that runs on most operating systems.
In Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, the ap_pregsub function in server/util.c does not limit the size of environment variable values when the mod_setenvif module is enabled. A .htaccess file combined with an HTTP request header can cause a denial of service (memory corruption or NULL pointer dereference).
<* Source: halfdog
Link: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
http://www.gossamer-threads.com/lists/apache/dev/403775
*>
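The following Python triage helper is an added example, not part of the original advisory or of Apache's code. It checks a version string against the affected ranges stated above and lists mod_setenvif directives found in .htaccess content; the function names, the sample banner and the sample .htaccess text are constructed for illustration.

```python
import re

# Affected ranges as stated in the advisory: 2.0.x up to 2.0.64, 2.2.x up to 2.2.21.
AFFECTED_MAX_PATCH = {(2, 0): 64, (2, 2): 21}

# Directives implemented by mod_setenvif.
SETENVIF_DIRECTIVE = re.compile(
    r"^\s*(SetEnvIf|SetEnvIfNoCase|BrowserMatch|BrowserMatchNoCase)\s+(.*)$",
    re.IGNORECASE,
)
# Heuristic: $0..$9 substitutions, which ap_pregsub expands into the variable value.
BACKREF = re.compile(r"\$[0-9]")


def is_affected_version(banner):
    """Return True if a 'Server:' banner or version string is in an affected range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return False
    major, minor, patch = map(int, m.groups())
    limit = AFFECTED_MAX_PATCH.get((major, minor))
    return limit is not None and patch <= limit


def audit_htaccess(text):
    """List mod_setenvif directives as (line_no, directive, uses_backref) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = SETENVIF_DIRECTIVE.match(line)
        if m:
            findings.append((line_no, m.group(1), bool(BACKREF.search(m.group(2)))))
    return findings


# Constructed sample input (not taken from the advisory).
SAMPLE_HTACCESS = """\
# constructed sample
SetEnvIf Request_URI "\\.gif$" object_is_image=gif
BrowserMatch "^Mozilla" browser=$0
RewriteEngine On
"""

if __name__ == "__main__":
    print(is_affected_version("Apache/2.2.21 (Unix)"))
    for finding in audit_htaccess(SAMPLE_HTACCESS):
        print(finding)
```

Directives flagged with `uses_backref` are the ones to review first on a server whose version is in range and where .htaccess overrides are permitted.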
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Apache Group
------------
The vendor has not yet released a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:
http://www.apache.org