CVE-2010-1623: CVE-2010-1623

Name

CVE-2010-1623

Description

Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.

Source

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

References

DSA-2117-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package

Release

Version

Status

apache2 (PTS)

buster

2.4.38-3+deb10u8

fixed

buster (security)

2.4.38-3+deb10u10

fixed

bullseye

2.4.56-1~deb11u2

fixed

bullseye (security)

2.4.56-1~deb11u1

fixed

bookworm

2.4.57-2

fixed

sid, trixie

2.4.57-3

fixed

apr-util (PTS)

buster

1.6.1-4

fixed

buster (security)

1.6.1-4+deb10u1

fixed

bullseye (security), bullseye

1.6.1-5+deb11u1

fixed

bookworm, sid, trixie

1.6.3-1

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

apache2

source

lenny

(not affected)

apache2

source

(unstable)

2.2.16-3

apr-util

source

lenny

1.2.12+dfsg-8+lenny5

DSA-2117-1

apr-util

source

(unstable)

1.3.9+dfsg-4

medium

Notes

[lenny] - apache2 <not-affected> (vulnerable code introduced in 2.2.15-2 or -3)