Another DoS fix for Apache HTTP server
The update of the Apache HTTP Server (httpd) to version 2.2.18 earlier this month, released to close a denial of service (DoS) problem, turns out to have introduced a new, related DoS vulnerability. The developers have now released httpd 2.2.19 to fix this new problem, which has been rated as moderately critical; as with the previous DoS vulnerability, however, it is only reachable when mod_autoindex is enabled in the web server.
It appears that the updated Apache Portable Runtime (APR) 1.4.4, which was bundled with the server to correct the earlier denial of service vulnerability, could cause httpd worker processes to hang at 100% CPU inside apr_fnmatch. mod_autoindex is the relevant entry point because it matches client-supplied query-string patterns against directory entries with that function. The APR developers have released APR 1.4.5, which resolves the issue, and it is bundled with Apache HTTP Server 2.2.19. Users can upgrade to httpd 2.2.19 or, if running httpd 2.2.17 or earlier, work around the denial of service problem with the "IgnoreClient" option of the "IndexOptions" directive, which makes mod_autoindex ignore all query variables sent by the client. The problem was first noted and tracked on Debian mailing lists.
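The following httpd 2.2 configuration fragment is an added illustration of the workaround and is not taken from the article or from the Apache project's own documentation. It shows a directory-listing setup as typically deployed, beside the same setup with IndexOptions IgnoreClient applied; the directory paths are placeholders.

```apache
# Added example (not from the article): mod_autoindex directory listings
# before and after applying the "IndexOptions IgnoreClient" workaround.
# Paths are placeholders chosen for illustration.

# BEFORE: listings are enabled and mod_autoindex honours the client's query
# variables (sort column and order, filename pattern, and so on). The pattern
# value is matched against directory entries with apr_fnmatch, so a
# client-chosen pattern reaches the affected APR function.
<Directory "/var/www/html/pub">
    Options +Indexes
    IndexOptions FancyIndexing
</Directory>

# AFTER: listings stay available, but every query variable from the client is
# ignored (IgnoreClient also implies SuppressColumnSorting), so apr_fnmatch is
# no longer called with client-controlled input.
<Directory "/var/www/html/pub">
    Options +Indexes
    IndexOptions FancyIndexing IgnoreClient
</Directory>

# If listings are not needed for a directory at all, disabling Indexes means
# mod_autoindex never generates a listing there in the first place.
<Directory "/var/www/html/private">
    Options -Indexes
</Directory>
```

After editing, validate the configuration with `httpd -t` (or `apachectl configtest`) and apply it with a graceful restart. `httpd -M` lists the loaded modules, so `httpd -M | grep autoindex` shows whether the module is loaded at all; on a server with the workaround in place, requesting a listing with a sort parameter such as `/pub/?C=S;O=D` should return the default ordering, confirming that client query variables are being ignored.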
The developers also took the opportunity to fix an inadvertently changed function signature for ap_unescape_url_keep2f, which had broken binary compatibility with some third-party modules. The 2.2.19 update to httpd is available from the project's download page. The updated APR 1.4.5 is also available for download for developers who use the library in other projects.