The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache APR, httpd: denial of service via apr_fnmatch

Synthesis of the vulnerability 

An attacker can create an infinite loop in applications using the apr_fnmatch() function of APR.
Vulnerable products: APR-core, Apache httpd, Debian, Fedora, Mandriva Linux, NLD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity of this weakness: 3/4.
Creation date: 20/05/2011.
References of this bulletin: 51219, CVE-2011-1928, DSA-2237-1, DSA-2237-2, FEDORA-2011-6750, FEDORA-2011-6918, FEDORA-2011-7340, MDVSA-2011:095, MDVSA-2011:095-1, openSUSE-SU-2011:0859-1, RHSA-2011:0844-01, SSA:2011-145-01, SSA:2011-145-02, SUSE-SU-2011:0763-1, SUSE-SU-2011:0763-2, SUSE-SU-2011:0797-1, SUSE-SU-2011:1229-1, VIGILANCE-VUL-10674.

Description of the vulnerability 

The APR (Apache Portable Runtime) is a software library used by the Apache web server; it makes the server portable by providing features that some operating systems do not include.

The apr_fnmatch() function of the APR library, defined in "strings/apr_fnmatch.c", checks whether a file name matches a shell pattern such as "file*.txt". However, if the search pattern contains "/*/", the function enters an infinite loop and consumes resources.

An attacker can therefore create an infinite loop in applications using the apr_fnmatch() function of APR.

This vulnerability results from an incomplete fix of VIGILANCE-VUL-10645.

Since Apache httpd mod_autoindex passes a client-supplied pattern to apr_fnmatch(), a remote attacker can send a specially crafted request to cause a denial of service in the web server.
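As an added example (not part of this bulletin), the following Python script scans Apache access-log lines for directory-index requests whose client-supplied pattern, passed through mod_autoindex's P= query option, contains the "/*/" sequence described above. The log lines and addresses are constructed; the P= option name comes from the mod_autoindex documentation, not from this bulletin.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (sample input, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2011:10:01:02 +0000] "GET /files/?C=M;O=D HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2011:10:01:09 +0000] "GET /files/?P=%2F*%2F HTTP/1.1" 200 - "-" "curl/7.21"
203.0.113.9 - - [20/May/2011:10:02:30 +0000] "GET /files/?P=*.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client address, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The sequence the bulletin identifies as driving apr_fnmatch() into an infinite loop.
TRIGGER = "/*/"


def pattern_params(target):
    """Return the decoded values of the mod_autoindex P= (pattern) query option."""
    query = urlsplit(target).query
    # mod_autoindex accepts ';' as well as '&' between query options.
    query = query.replace(";", "&")
    # parse_qs percent-decodes values, so %2F*%2F becomes "/*/".
    return parse_qs(query, keep_blank_values=True).get("P", [])


def find_suspicious(log_text):
    """Return (ip, target, pattern) for each request whose P= pattern contains TRIGGER."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined-log format; skip
        for pat in pattern_params(m.group("target")):
            if TRIGGER in pat:
                hits.append((m.group("ip"), m.group("target"), pat))
    return hits


if __name__ == "__main__":
    for ip, target, pat in find_suspicious(SAMPLE_LOG):
        print(f"{ip} requested {target}: pattern {pat!r} contains {TRIGGER!r}")
```

A hit means an unpatched server with client-controlled index patterns enabled may have been driven into the loop; patching and setting IndexOptions IgnoreClient are the remedies listed in this bulletin.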

This security bulletin affects software and systems such as APR-core, Apache httpd, Debian, Fedora, Mandriva Linux, NLD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this threat is important.

The trust level is "confirmed by the editor (vendor)", and the attack origin is "internet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat 

Apache APR: version 1.4.5.
The version 1.4.5 is corrected:
  http://apr.apache.org/download.cgi

Apache APR: patch.
A patch is available in information sources.

Apache httpd: version 2.2.19.
The version 2.2.19 is corrected:
  http://httpd.apache.org/download.cgi

Apache httpd: workaround for apr_fnmatch.
A workaround is to set the IgnoreClient option in the IndexOptions directive.

Debian: new apr packages.
New packages are available:
  exim4 version 1.2.12-5+lenny3
  exim4 version 1.4.2-6+squeeze2

Fedora: new apr packages.
New packages are available:
  apr-1.4.5-1.fc13
  apr-1.4.5-1.fc14
  apr-1.4.5-1.fc15

Mandriva: new apr packages.
New packages are available:
  - Mandriva Enterprise Server 5: libapr-1.3.3-2.3mdvmes5.2
  - Mandriva Corporate 4.0: libapr-1.2.7-1.3.20060mlcs4
  - Mandriva Linux 2009.0: libapr-1.3.3-2.3mdvmes5.2
  - Mandriva Linux 2010.0: libapr-1.3.9-1.2mdv2010.0
  - Mandriva Linux 2010.1: libapr-1.4.2-1.2mdv2010.2

RHEL: new apr packages.
New packages are available:
  apr-0.9.4-26.el4
  apr-1.2.7-11.el5_6.5
  apr-1.3.9-3.el6_1.2

Slackware: new apr/apr-util packages.
New packages are available:
  apr-1.4.5-i486-1
  apr-util-1.3.12

Slackware: new httpd packages.
New packages are available:
  httpd-2.2.19

Solaris: patch for Apache HTTP Server.
A patch is available:
  Solaris 8
    SPARC: 116973-10
    X86: 116974-10
  Solaris 9
    SPARC: 113146-14
    X86: 114145-13
  Solaris 10
    SPARC: 122911-26
    X86: 122912-26

Solaris: patch for APR.
A patch is available:
  Solaris 10
    SPARC: 120543-24
    X86: 120544-24
  Solaris 11 Express
    snv_151a + 7049240

SUSE CORE 9: new apache2 packages.
New packages are available:
  apache2-2.0.59-1.20

SUSE LE 10 SP3: new apache2 packages.
New packages are available:
  apache2-2.2.3-16.32.37.1

SUSE: new libapr packages.
New packages are available, as indicated in information sources.
