CVE-2011-1928 in Ubuntu

CVE-2011-1928

Priority

Description

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime
(APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows
remote attackers to cause a denial of service (infinite loop) via a URI
that does not match unspecified types of wildcard patterns, as demonstrated
by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration
pattern is used. NOTE: this issue exists because of an incorrect fix for
CVE-2011-0419.

Ubuntu-Description

Is was discovered that the fix for CVE-2011-0419 introduced a different
flaw in the fnmatch() implementation that could also result in a
denial of service. (CVE-2011-1928)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1928
http://mail-archives.apache.org/mod_mbox/httpd-announce/201105.mbox/%3C4DD55092.3030403@apache.org%3E
https://ubuntu.com/security/notices/USN-1134-1

Notes

Package

Source: apache2 (LP Ubuntu Debian)

Upstream:	pending
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (uses system apr)

Patches:

Package

Source: apr (LP Ubuntu Debian)

Upstream:	released (1.4.5-1)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (1.4.5-1)

Patches:

More Information

Updated: 2022-02-10 23:52:45 UTC (commit acb3d89ab51f1d5e5543fa993969c0eb13c71f04)