CVE - CVE-2011-0419

CVE-ID
CVE-2011-0419	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
SREASONRES:20110512 Multiple Vendors libc/fnmatch(3) DoS (incl apache) URL:http://securityreason.com/achievement_securityalert/98 MLIST:[dev] 20110510 Re: Apache Portable Runtime 1.4.4 [...] Released URL:http://www.mail-archive.com/dev@apr.apache.org/msg23961.html MLIST:[dev] 20110510 Re: fnmatch rewrite in apr, apr 1.4.3 URL:http://www.mail-archive.com/dev@apr.apache.org/msg23960.html MLIST:[dev] 20110511 Re: Apache Portable Runtime 1.4.4 [...] Released URL:http://www.mail-archive.com/dev@apr.apache.org/msg23976.html MISC:http://cxib.net/stuff/apache.fnmatch.phps MISC:http://cxib.net/stuff/apr_fnmatch.txts CONFIRM:http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22 CONFIRM:http://httpd.apache.org/security/vulnerabilities_22.html CONFIRM:http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902 CONFIRM:http://svn.apache.org/viewvc?view=revision&revision=1098188 CONFIRM:http://svn.apache.org/viewvc?view=revision&revision=1098799 CONFIRM:http://www.apache.org/dist/apr/Announcement1.x.html CONFIRM:http://www.apache.org/dist/apr/CHANGES-APR-1.4 CONFIRM:http://www.apache.org/dist/httpd/Announcement2.2.html CONFIRM:http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15 CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=703390 CONFIRM:http://support.apple.com/kb/HT5002 CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html APPLE:APPLE-SA-2011-10-12-3 URL:http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html DEBIAN:DSA-2237 URL:http://www.debian.org/security/2011/dsa-2237 HP:HPSBUX02702 URL:http://marc.info/?l=bugtraq&m=131551295528105&w=2 HP:HPSBUX02707 URL:http://marc.info/?l=bugtraq&m=131731002122529&w=2 HP:SSRT100606 URL:http://marc.info/?l=bugtraq&m=131551295528105&w=2 HP:SSRT100626 URL:http://marc.info/?l=bugtraq&m=131731002122529&w=2 HP:HPSBMU02704 URL:http://marc.info/?l=bugtraq&m=132033751509019&w=2 HP:HPSBOV02822 URL:http://marc.info/?l=bugtraq&m=134987041210674&w=2 HP:SSRT100966 URL:http://marc.info/?l=bugtraq&m=134987041210674&w=2 HP:SSRT100619 URL:http://marc.info/?l=bugtraq&m=132033751509019&w=2 MANDRIVA:MDVSA-2011:084 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2011:084 MANDRIVA:MDVSA-2013:150 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 REDHAT:RHSA-2011:0507 URL:http://www.redhat.com/support/errata/RHSA-2011-0507.html REDHAT:RHSA-2011:0896 URL:http://www.redhat.com/support/errata/RHSA-2011-0896.html REDHAT:RHSA-2011:0897 URL:http://www.redhat.com/support/errata/RHSA-2011-0897.html SUSE:SUSE-SU-2011:1229 URL:http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00011.html OVAL:oval:org.mitre.oval:def:14638 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14638 OVAL:oval:org.mitre.oval:def:14804 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14804 SECTRACK:1025527 URL:http://securitytracker.com/id?1025527 SECUNIA:44490 URL:http://secunia.com/advisories/44490 SECUNIA:44564 URL:http://secunia.com/advisories/44564 SECUNIA:44574 URL:http://secunia.com/advisories/44574 SECUNIA:48308 URL:http://secunia.com/advisories/48308 SREASON:8246 URL:http://securityreason.com/securityalert/8246
Assigning CNA
N/A
Date Entry Created
20110111	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20110111)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org