On 5/10/2011 10:02 AM, Mark J Cox wrote: >> httpd 2.2.18 rolls in the next six hours, so to the extent that sharing >> issues with apr/apr-util between httpd and svn is an issue for mod_dav_svn, >> we should be in good shape midweek to broadcast any cautions and upgrade >> advisories. > > So is the plan to have an APR security advisory timed for when httpd > 2.2.18 is released this week?
Not certain, with respect to httpd, this short statement is probably enough for the announcement; If 'Options Indexes' is configured, an untrusted adminstrator or user has control of the contents of the indexed directory, or there are very long file paths (e.g. > <n> URL characters) there is the possibility of excessive stack memory consumption. Users are cautioned to move to apr 1.4.4 (included in httpd 2.2.18), or to configure 'IndexOptions IgnoreClient' in the same configuration contexts where 'Options Indexes' is enabled. In conjunction with svn 1.6.9 I suspect this might demand a CVE, and that was when I intended that we make plain what APR 1.4.4 corrects, in conjunction with their other announcement. > Note that the reporter separately contacted Red Hat yesterday and > reported the issue (since our site happens to have directories/files > served by autoindex long enough for it to matter). We'd want to hold > off updates until the ASF announcement. I was under the impression this was sensitive to the number of path components as opposed to the length of the resource name. In your estimation, does this demand a CVE? Is there a relevant CVE already assigned to the BSD operating system? I was never able to trigger this using win32 default thread stack size.
