Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Jun 2009 16:07:43 +0100
From: Joe Orton <>
Cc: "Steven M. Christey" <>
Subject: CVE request: "billion laughs" attack against Apache APR

Hi, could a CVE name be allocated for this issue:

The expat XML parser is vulnerable to the "billion laughs" entity 
expansion attack.  This results in a denial of service vulnerability in 
any network-facing service which uses the Apache "APR-util" library's 
wrapper interface for expat to parse untrusted XML documents.  The 
Apache httpd WebDAV module "mod_dav" is such a service.


Affected versions: 
APR-util <= 1.3.4

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.