Candidate: CVE-2011-4415
PublicDate: 2011-11-08 11:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4415
 http://www.gossamer-threads.com/lists/apache/dev/403775
 http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46783
Description:
 The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x
 through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is
 enabled, does not restrict the size of values of environment variables,
 which allows local users to cause a denial of service (memory consumption
 or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf
 directive, in conjunction with a crafted HTTP request header, related to
 (1) the "len +=" statement and (2) the apr_pcalloc function call, a
 different vulnerability than CVE-2011-3607.
Ubuntu-Description:
Notes:
 mdeslaur> Apache doesn't consider this to be a security issue. Ignoring.
Bugs:
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS: 

Patches_apache2:
upstream_apache2: ignored
hardy_apache2: ignored
lucid_apache2: ignored
maverick_apache2: ignored
natty_apache2: ignored
oneiric_apache2: ignored
devel_apache2: ignored