Another DoS fix for Apache HTTP server

The update of the Apache HTTP Server (httpd) to version 2.2.18 earlier this month, made to close a denial of service (DoS) problem, appears to have exposed a related DoS vulnerability. The developers have now released httpd 2.2.19 to fix this new problem, which has been rated as moderately critical; as with the previous DoS vulnerability, however, it requires that mod_autoindex is enabled in the web server.

It appears that the updated Apache Portable Runtime (APR) 1.4.4, which was bundled with the server to correct the denial of service vulnerability, could cause httpd workers to hang at 100% CPU utilisation when calling apr_fnmatch. APR version 1.4.5, which resolves the issue, has been released by the APR developers and is bundled with Apache HTTP Server 2.2.19.

Read more at H-online