Debian DSA-2117-1 : apr-util - denial of service
Medium Nessus Plugin ID 49767
SynopsisThe remote Debian host is missing a security-related update.
DescriptionAPR-util is part of the Apache Portable Runtime library which is used by projects such as Apache httpd and Subversion.
Jeff Trawick discovered a flaw in the apr_brigade_split_line() function in apr-util. A remote attacker could send crafted http requests to cause a greatly increased memory consumption in Apache httpd, resulting in a denial of service.
SolutionUpgrade the apr-util packages.
This upgrade fixes this issue. After the upgrade, any running apache2 server processes need to be restarted.
For the stable distribution (lenny), this problem has been fixed in version 1.2.12+dfsg-8+lenny5.