CVE-2011-4415 (retired)

Priority
Description
The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x
through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is
enabled, does not restrict the size of values of environment variables,
which allows local users to cause a denial of service (memory consumption
or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf
directive, in conjunction with a crafted HTTP request header, related to
(1) the "len +=" statement and (2) the apr_pcalloc function call, a
different vulnerability than CVE-2011-3607.
Notes
 mdeslaur> Apache doesn't consider this to be a security issue. Ignoring.
Assigned-to
mdeslaur
Package
Upstream:ignored
More Information

Updated: 2019-03-26 11:59:21 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)