CVE-2009-1955

Name of the Vulnerable Software and Affected Versions: Apache APR-util versions prior to 1.3.7 Apache HTTP Server (affected versions not specified)

Description: The issue allows remote attackers to cause a denial of service due to excessive memory consumption. This can be achieved by sending a crafted XML document containing a large number of nested entity references. For example, this could be demonstrated by a PROPFIND request. The problem is related to the expat XML parser in the apr xml * interface.

Recommendations: For Apache APR-util versions prior to 1.3.7, update to version 1.3.7 or later to resolve the issue. For the Apache HTTP Server, at the moment, there is no information about a newer version that contains a fix for this vulnerability.