Apache mod_deflate Module Remote Denial of Service Vulnerability

Vulnerability Description

Apache HTTP Server is a popular web server.

A denial-of-service vulnerability exists in Apache's mod_deflate module. If a file is downloaded through this module and the connection is interrupted before the download finishes, mod_deflate keeps compressing the file and consumes 100% of the CPU. If multiple file requests are opened at the same time and the connections are quickly interrupted, files of only a few tens of MB are enough to lock up Apache.
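The trigger described above (a client dropping a large download partway through) leaves a trace in the access log when the connection-status flag %X is logged. The script below is an added example, not from the original post; it assumes a custom LogFormat "%h %t \"%r\" %>s %O %X" and uses constructed log lines to flag clients that abort many responses within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed (non-default) LogFormat: "%h %t \"%r\" %>s %O %X"; the %X field is
# 'X' when the client aborted the connection before the response completed.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+) (?P<conn>[X+-])$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: one client aborts five downloads within ten seconds,
# a second client aborts once and later completes a small request normally.
SAMPLE_LOG = """\
203.0.113.5 [10/Jul/2019:14:25:01 +0800] "GET /pub/image.iso HTTP/1.1" 200 65536 X
203.0.113.5 [10/Jul/2019:14:25:02 +0800] "GET /pub/image.iso HTTP/1.1" 200 65536 X
203.0.113.5 [10/Jul/2019:14:25:04 +0800] "GET /pub/image.iso HTTP/1.1" 200 65536 X
203.0.113.5 [10/Jul/2019:14:25:07 +0800] "GET /pub/image.iso HTTP/1.1" 200 65536 X
203.0.113.5 [10/Jul/2019:14:25:11 +0800] "GET /pub/image.iso HTTP/1.1" 200 65536 X
198.51.100.7 [10/Jul/2019:14:25:04 +0800] "GET /pub/image.iso HTTP/1.1" 200 65536 X
198.51.100.7 [10/Jul/2019:14:26:30 +0800] "GET /index.html HTTP/1.1" 200 5120 +
"""

def parse_line(line):
    """Parse one line in the assumed format; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "aborted": m.group("conn") == "X"}

def find_abort_bursts(lines, threshold=5, window_s=60):
    """Return {ip: count} for clients with at least `threshold` aborted
    responses inside some sliding window of `window_s` seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["aborted"]:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Because a vulnerable server only writes the log entry once it finishes processing the request, this check is after-the-fact; the actual fix is the distribution update listed below.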


Solution

The following security advisories were published by the various Linux/Unix distributions for this vulnerability; refer to the advisory for your system to fix it:

Ubuntu
----------------
USN-802-1: [USN-802-1] Apache vulnerabilities
Link: https://www.ubuntu.com/usn/usn-802-1

Red Hat Enterprise Linux
----------------
Link: https://access.redhat.com/security/cve/CVE-2009-1891

CentOS
----------------
CESA-2009:1580: Moderate CentOS 4 i386 httpd - security update
Link: https://lists.centos.org/pipermail/centos-announce/2009-November/016318.html
CESA-2009:1580: Moderate CentOS 4 x86_64 httpd - security update
Link: https://lists.centos.org/pipermail/centos-announce/2009-November/016319.html
CESA-2009:1205: Moderate CentOS 3 i386 httpd - security and bug fix update
Link: https://lists.centos.org/pipermail/centos-announce/2009-August/016066.html
CESA-2009:1205: Moderate CentOS 3 x86_64 httpd - security and bug fix update
Link: https://lists.centos.org/pipermail/centos-announce/2009-August/016067.html
CESA-2009:1148: Important CentOS 5 i386 httpd Update
Link: https://lists.centos.org/pipermail/centos-announce/2009-July/016028.html
CESA-2009:1148: Important CentOS 5 x86_64 httpd Update
Link: https://lists.centos.org/pipermail/centos-announce/2009-July/016029.html

Gentoo
----------------
GLSA-200907-04: Apache: Multiple vulnerabilities
Link: https://security.gentoo.org/glsa/200907-04

FreeBSD
----------------
e15f2356-9139-11de-8f42-001aa0166822: apache22 -- several vulnerabilities
Link: http://vuxml.freebsd.org/freebsd/e15f2356-9139-11de-8f42-001aa0166822.html

Slackware
----------------
SSA:2009-214-01: [slackware-security] httpd (SSA:2009-214-01)
Link: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.566124

openSUSE
----------------
SUSE-SA:2009:050: SUSE Security Announcement: Apache and libapr (SUSE-SA:2009:050)
Link: https://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html

Fedora
----------------
FEDORA-2009-8812: Fedora 11 Update: httpd-2.2.13-1.fc11
Link: https://lists.fedoraproject.org/pipermail/package-announce/2009-August/028633.html

Oracle Linux
----------------
Link: https://linux.oracle.com/cve/CVE-2009-1891.html

Debian
----------------
DSA-1834: DSA-1834-1 apache2 -- denial of service
Link: https://www.debian.org/security/2009/dsa-1834

posted @ 2019-07-10 14:25 mrhonest