Back to search
CVE-2011-0419
Published: May 16, 2011
Modified: Aug 6, 2024
PUBLISHED
Description
Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
44574
third-party-advisory
x_refsource_SECUNIA
HPSBUX02707
vendor-advisory
x_refsource_HP
SSRT100966
vendor-advisory
x_refsource_HP
[dev] 20110511 Re: Apache Portable Runtime 1.4.4 [...] Released
mailing-list
x_refsource_MLIST
48308
third-party-advisory
x_refsource_SECUNIA
20110512 Multiple Vendors libc/fnmatch(3) DoS (incl apache)
third-party-advisory
x_refsource_SREASONRES
HPSBUX02702
vendor-advisory
x_refsource_HP
HPSBOV02822
vendor-advisory
x_refsource_HP
SSRT100619
vendor-advisory
x_refsource_HP
oval:org.mitre.oval:def:14804
vdb-entry
signature
x_refsource_OVAL
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
x_refsource_CONFIRM
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22
x_refsource_CONFIRM
http://cxib.net/stuff/apr_fnmatch.txts
x_refsource_MISC
oval:org.mitre.oval:def:14638
vdb-entry
signature
x_refsource_OVAL
1025527
vdb-entry
x_refsource_SECTRACK
http://svn.apache.org/viewvc?view=revision&revision=1098188
x_refsource_CONFIRM
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15
x_refsource_CONFIRM
http://www.apache.org/dist/apr/CHANGES-APR-1.4
x_refsource_CONFIRM
http://www.apache.org/dist/apr/Announcement1.x.html
x_refsource_CONFIRM
http://svn.apache.org/viewvc?view=revision&revision=1098799
x_refsource_CONFIRM
APPLE-SA-2011-10-12-3
vendor-advisory
x_refsource_APPLE
http://httpd.apache.org/security/vulnerabilities_22.html
x_refsource_CONFIRM
8246
third-party-advisory
x_refsource_SREASON
DSA-2237
vendor-advisory
x_refsource_DEBIAN
RHSA-2011:0897
vendor-advisory
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=703390
x_refsource_CONFIRM
44564
third-party-advisory
x_refsource_SECUNIA
http://www.apache.org/dist/httpd/Announcement2.2.html
x_refsource_CONFIRM
SSRT100626
vendor-advisory
x_refsource_HP
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
x_refsource_CONFIRM
44490
third-party-advisory
x_refsource_SECUNIA
http://cxib.net/stuff/apache.fnmatch.phps
x_refsource_MISC
RHSA-2011:0896
vendor-advisory
x_refsource_REDHAT
http://support.apple.com/kb/HT5002
x_refsource_CONFIRM
MDVSA-2011:084
vendor-advisory
x_refsource_MANDRIVA
[dev] 20110510 Re: Apache Portable Runtime 1.4.4 [...] Released
mailing-list
x_refsource_MLIST
MDVSA-2013:150
vendor-advisory
x_refsource_MANDRIVA
RHSA-2011:0507
vendor-advisory
x_refsource_REDHAT
SUSE-SU-2011:1229
vendor-advisory
x_refsource_SUSE
HPSBMU02704
vendor-advisory
x_refsource_HP
SSRT100606
vendor-advisory
x_refsource_HP
[dev] 20110510 Re: fnmatch rewrite in apr, apr 1.4.3
mailing-list
x_refsource_MLIST
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
mailing-list
x_refsource_MLIST
[httpd-cvs] 20210330 svn commit: r1888194 [7/13] - /httpd/site/trunk/content/security/json/
mailing-list
x_refsource_MLIST
[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/
mailing-list
x_refsource_MLIST
[httpd-cvs] 20210330 svn commit: r1073139 [7/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
mailing-list
x_refsource_MLIST
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now