Date: Wed, 3 Jun 2009 16:07:43 +0100
From: Joe Orton <jorton@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: "billion laughs" attack against Apache APR

Hi, could a CVE name be allocated for this issue:

The expat XML parser is vulnerable to the "billion laughs" entity
expansion attack. This results in a denial of service vulnerability in
any network-facing service which uses the Apache "APR-util" library's
wrapper interface for expat to parse untrusted XML documents. The
Apache httpd WebDAV module "mod_dav" is such a service.

References:

http://milw0rm.com/exploits/8842
http://marc.info/?l=apr-dev&m=124396021826125&w=2
http://svn.apache.org/viewvc?rev=781403&view=rev

Affected versions: APR-util <= 1.3.4
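The attack shape and the mitigation described in the message above, as an added example that is not part of Joe Orton's mail or of the APR-util code. It drives expat through Python's stdlib xml.parsers.expat binding: build_laughs() constructs a small, safe instance of the "billion laughs" document (nested entities, each referencing the previous one ten times), and parse_text() parses it either unprotected, measuring how many bytes of character data a few hundred bytes of input expand into, or with an entity-declaration handler that aborts the parse at the first <!ENTITY> in the DTD. The second mode mirrors the approach I read in the linked APR-util revision (stop the parser from the entity declaration callback); the helper names, the EntityRejected exception and the sample document are my own assumptions.

```python
"""Billion-laughs entity expansion against expat, and an entity-declaration
veto of the kind used to mitigate it. Added example; not APR-util code."""
import xml.parsers.expat as expat


def build_laughs(depth: int = 3, fanout: int = 10) -> bytes:
    """Constructed sample document in the 'billion laughs' shape.

    lol0 is a 3-byte literal; each lolN references lol(N-1) `fanout` times, so
    the root element expands to fanout**depth copies of 'lol'. depth=3 is a
    deliberately harmless 3000-byte expansion; the real attack uses depth 9+.
    """
    lines = ['<?xml version="1.0"?>', '<!DOCTYPE lolz [', '<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = ''.join(f'&lol{i - 1};' for _ in range(fanout))
        lines.append(f'<!ENTITY lol{i} "{refs}">')
    lines.append(']>')
    lines.append(f'<lolz>&lol{depth};</lolz>')
    return '\n'.join(lines).encode()


class EntityRejected(Exception):
    """Raised when untrusted XML declares an entity (assumed name)."""


def parse_text(doc: bytes, reject_entities: bool) -> int:
    """Parse `doc` with expat and return the number of bytes of character
    data the parser hands to the application.

    With reject_entities=True, an EntityDeclHandler is installed that aborts
    the parse at the first entity declaration (internal or external), before
    any reference to it can be expanded. Raising inside a pyexpat handler
    propagates out of Parse(), which stands in for XML_StopParser() in C.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    if reject_entities:
        def entity_decl(*_args):
            # Any <!ENTITY ...> in untrusted input is refused outright.
            raise EntityRejected("entity declaration in untrusted XML")
        parser.EntityDeclHandler = entity_decl

    parser.Parse(doc, True)
    return sum(len(chunk) for chunk in chunks)


def amplification(depth: int = 3, fanout: int = 10) -> float:
    """Ratio of expanded character data to input size for the sample doc."""
    doc = build_laughs(depth, fanout)
    return parse_text(doc, reject_entities=False) / len(doc)


if __name__ == "__main__":
    sample = build_laughs()
    print(f"input {len(sample)} bytes -> "
          f"{parse_text(sample, reject_entities=False)} bytes of text")
    try:
        parse_text(sample, reject_entities=True)
    except EntityRejected as exc:
        print(f"hardened parser refused the document: {exc}")
```

The unprotected call already yields roughly a tenfold blow-up at depth 3; each additional level multiplies the output by ten while adding one line to the input, which is what turns a few kilobytes of DTD into gigabytes of allocations in a WebDAV request body. Newer expat releases (2.4.1 and later) add an amplification limit of their own for large inputs, but refusing entity declarations in untrusted documents, as the referenced revision does, is the cheaper check and does not depend on the parser version.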