CVE-2009-1891

Published: Jul 10, 2009Modified: Apr 23, 2026

7.1

Vector

AV:N/AC:M/Au:N/C:N/I:N/A:C

Exploitability: 8.6 / Impact: 6.9

Source: NVD

Description

The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption).

Affected (15)

Products: Apache: Http Server · Debian: Debian Linux · Fedoraproject: Fedora · +2 more

Show all products

Apache: Http Server · Debian: Debian Linux · Fedoraproject: Fedora · Canonical: Ubuntu Linux · Redhat: Enterprise Linux Desktop, Enterprise Linux Eus, Enterprise Linux Server, Enterprise Linux Server Aus, Enterprise Linux Workstation

1 product

1 product

1 product

1 product

5 products

Enterprise Linux Desktop

Enterprise Linux Eus

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Workstation

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Http Server	From 2.0.35 to 2.0.64
Apache Http Server	From 2.2.0 to 2.2.12

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 4.0
Debian Debian Linux	Version 5.0
Debian Debian Linux	Version 6.0

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 11

Configuration D

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 6.06
Canonical Ubuntu Linux	Version 8.04
Canonical Ubuntu Linux	Version 8.10
Canonical Ubuntu Linux	Version 9.04

Configuration E

5 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 5.0
Redhat Enterprise Linux Eus	Version 5.3
Redhat Enterprise Linux Server	Version 5.0
Redhat Enterprise Linux Server Aus	Version 5.3
Redhat Enterprise Linux Workstation	Version 5.0

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (110)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712

Source: secalert@redhat.com

Exploit

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

Source: secalert@redhat.com

Broken LinkMailing List

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://marc.info/?l=apache-httpd-dev&m=124621326524824&w=2

Source: secalert@redhat.com

ExploitIssue TrackingMailing ListThird Party Advisory

http://marc.info/?l=apache-httpd-dev&m=124661528519546&w=2

Source: secalert@redhat.com

Issue TrackingMailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=129190899612998&w=2

Source: secalert@redhat.com

Issue TrackingMailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=130497311408250&w=2

Source: secalert@redhat.com

Issue TrackingMailing ListThird Party Advisory

http://osvdb.org/55782

Source: secalert@redhat.com

Broken Link

http://secunia.com/advisories/35721

Source: secalert@redhat.com

Not ApplicableVendor Advisory

http://secunia.com/advisories/35781

Source: secalert@redhat.com

Not ApplicableVendor Advisory

http://secunia.com/advisories/35793

Source: secalert@redhat.com

Not ApplicableVendor Advisory

http://secunia.com/advisories/35865

Source: secalert@redhat.com

Not ApplicableVendor Advisory

http://secunia.com/advisories/37152

Source: secalert@redhat.com

Not ApplicableVendor Advisory

http://secunia.com/advisories/37221

Source: secalert@redhat.com

Not ApplicableVendor Advisory

http://security.gentoo.org/glsa/glsa-200907-04.xml

Source: secalert@redhat.com

Third Party Advisory

http://support.apple.com/kb/HT3937

Source: secalert@redhat.com

Broken Link

http://wiki.rpath.com/Advisories:rPSA-2009-0142

Source: secalert@redhat.com

Broken Link

http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0142

Source: secalert@redhat.com

Broken Link

http://www-01.ibm.com/support/docview.wss?uid=swg1PK91361

Source: secalert@redhat.com

Third Party Advisory

http://www-01.ibm.com/support/docview.wss?uid=swg1PK99480

Source: secalert@redhat.com

Third Party Advisory

http://www.debian.org/security/2009/dsa-1834

Source: secalert@redhat.com

Third Party Advisory

http://www.mandriva.com/security/advisories?name=MDVSA-2009:149

Source: secalert@redhat.com

Broken LinkPatch

http://www.redhat.com/support/errata/RHSA-2009-1156.html

Source: secalert@redhat.com

Third Party Advisory

http://www.securityfocus.com/archive/1/507857/100/0/threaded

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id?1022529

Source: secalert@redhat.com

Broken LinkThird Party AdvisoryVDB Entry

http://www.ubuntu.com/usn/USN-802-1

Source: secalert@redhat.com

Third Party Advisory

http://www.vupen.com/english/advisories/2009/1841

Source: secalert@redhat.com

Permissions RequiredVendor Advisory

http://www.vupen.com/english/advisories/2009/3184

Source: secalert@redhat.com

Permissions RequiredVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=509125

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12361

Source: secalert@redhat.com

Third Party Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8632

Source: secalert@redhat.com

Third Party Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9248

Source: secalert@redhat.com

Third Party Advisory

https://rhn.redhat.com/errata/RHSA-2009-1148.html

Source: secalert@redhat.com

Third Party Advisory

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01363.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712