PT-2011-2336 · Freebsd+8 · Freebsd+9

Published: 2011-05-10 · Updated: 2024-06-15 · CVE-2011-0419

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions

Apache Portable Runtime (APR) library versions prior to 1.4.3
Apache HTTP Server versions prior to 2.2.18
NetBSD version 5.1
OpenBSD version 4.8
FreeBSD (affected versions not specified)
Apple Mac OS X version 10.6
Oracle Solaris version 10
Android (affected versions not specified)

Description

A stack consumption issue in the fnmatch implementation allows context-dependent attackers to cause a denial of service via *? sequences in the first argument, potentially leading to CPU and memory consumption. The issue can be triggered by carefully crafted requests, particularly against mod_autoindex in httpd, when that module is enabled and a directory contains files with sufficiently long names.

Recommendations

For Apache Portable Runtime (APR) library versions prior to 1.4.3, update to release 1.4.5 or later. For Apache HTTP Server versions prior to 2.2.18, update to release 2.2.19 or later, which bundles APR 1.4.5, or update to release 2.0.65, which bundles APR 0.9.20. As a temporary workaround, consider adding the 'IgnoreClient' option to the 'IndexOptions' directive to disable processing of client-supplied request query arguments and prevent this attack.
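
Until the update or the IgnoreClient workaround is in place, access logs can be checked for the request shape the description refers to. The following is an added example, not part of the original advisory: it flags requests whose mod_autoindex `P=pattern` query argument contains repeated `*?` sequences. The log lines are constructed, and the Common Log Format layout and the threshold of four sequences are assumptions to adjust for your environment.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2011:10:00:01 +0000] "GET /pub/?C=N;O=D HTTP/1.1" 200 5120
192.0.2.11 - - [10/May/2011:10:00:02 +0000] "GET /pub/?P=*.tar.gz HTTP/1.1" 200 2048
192.0.2.12 - - [10/May/2011:10:00:03 +0000] "GET /pub/?P=*?*?*?*?*?*?*?*? HTTP/1.1" 200 312
192.0.2.12 - - [10/May/2011:10:00:04 +0000] "GET /pub/?P=%2A%3F%2A%3F%2A%3F%2A%3F%2A%3F HTTP/1.1" 200 312
"""

# Client address and request target from a Common Log Format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
WILDCARD_PAIR = re.compile(r'\*\?')
THRESHOLD = 4  # assumption: number of "*?" pairs treated as suspicious


def suspicious_patterns(log_text, threshold=THRESHOLD):
    """Return (line number, client, decoded pattern) for flagged requests."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the assumed format
        client, target = match.groups()
        # mod_autoindex accepts ';' as well as '&' between query arguments.
        query = urlsplit(target).query.replace(';', '&')
        # parse_qsl percent-decodes values, so %2A%3F is seen as "*?".
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == 'P' and len(WILDCARD_PAIR.findall(value)) >= threshold:
                hits.append((lineno, client, value))
    return hits


if __name__ == '__main__':
    for lineno, client, pattern in suspicious_patterns(SAMPLE_LOG):
        print(f'line {lineno}: {client} sent pattern {pattern!r}')
```

Hits on servers that already run a fixed APR release or set IgnoreClient are still worth reviewing as probing activity, but do not indicate exposure to this issue.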

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2011-0419
DSA-2237-2
HPSBUX02702
HPSBUX02707
OPENSUSE-SU-2024:10063-1
OPENSUSE-SU-2024:11596-1
RHSA-2011:0507
RHSA-2011:0897
RHSA-2011_0507

Affected Products

Android
Apache Http Server
Apache Portable Runtime
Freebsd
Hp-Ux
Macos X
Netbsd
Openbsd
Oracle Solaris
Red Hat