CVE-2010-1623


Name

CVE-2010-1623

Description

Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.

Source

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

References

DSA-2117-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                        Version              Status
apache2 (PTS)     buster                         2.4.38-3+deb10u8     fixed
apache2 (PTS)     buster (security)              2.4.38-3+deb10u10    fixed
apache2 (PTS)     bullseye                       2.4.56-1~deb11u2     fixed
apache2 (PTS)     bullseye (security)            2.4.56-1~deb11u1     fixed
apache2 (PTS)     bookworm                       2.4.57-2             fixed
apache2 (PTS)     sid, trixie                    2.4.57-3             fixed
apr-util (PTS)    buster                         1.6.1-4              fixed
apr-util (PTS)    buster (security)              1.6.1-4+deb10u1      fixed
apr-util (PTS)    bullseye (security), bullseye  1.6.1-5+deb11u1      fixed
apr-util (PTS)    bookworm, sid, trixie          1.6.3-1              fixed

The information below is based on the following data on fixed versions.

Package    Type    Release     Fixed Version          Urgency   Origin       Debian Bugs
apache2    source  lenny       (not affected)
apache2    source  (unstable)  2.2.16-3
apr-util   source  lenny       1.2.12+dfsg-8+lenny5             DSA-2117-1
apr-util   source  (unstable)  1.3.9+dfsg-4           medium

Notes

[lenny] - apache2 <not-affected> (vulnerable code introduced in 2.2.15-2 or -3)
