Re: About apache2 vulnerability with apr and apr-utils. How bad is it?


 



Greetings William,

On Thu, Sep 10, 2009 at 8:18 PM, William A. Rowe, Jr. <wrowe@xxxxxxxxxxxxx> wrote:


No, you misinterpreted; the application developer must expose a DoS/memory
exhaustion vector; where that exists, and the affected version of APR
is used, and the information written to the never-allocated buffer just
happens to overlap some predictable, current allocations, then the external
user may trigger a segfault but possibly worse, depending ENTIRELY on
the code in the application.


It is my understanding that this is all based on the amount of input and how it is sanitized. We would appreciate it if, for the sake of the users that cannot upgrade at this moment, you could kindly provide a source or example of what would constitute an open "DoS/memory exhaustion vector" so that we may evaluate our code at the instances where it receives user input. Thank you.

David
