CVE-2012-0840

Publication date 10 February 2012

Last updated 24 July 2024


Ubuntu priority

tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.


Status

Package   Ubuntu Release      Status
apr       15.04 vivid         Not affected
apr       14.10 utopic        Not affected
apr       14.04 LTS trusty    Not affected
apr       13.10 saucy         Not affected
apr       13.04 raring        Not affected
apr       12.10 quantal       Not affected
apr       12.04 LTS precise   Not affected
apr       11.10 oneiric       Ignored (end of life)
apr       11.04 natty         Ignored (end of life)
apr       10.10 maverick      Ignored (end of life)
apr       10.04 LTS lucid     Ignored (end of life)
apr       8.04 LTS hardy      Ignored (end of life)

Notes

mdeslaur

from oss-security: "r1231605 and r1231858 cause massive regressions and test case failures in httpd." (These were subsequently reverted) CVE was asked to be cancelled: http://www.mail-archive.com/dev%40apr.apache.org/msg24609.html "After extensive consultation with the security projects of various APR consumers, it's apparent that there are no actual vulnerabilities to be exploited here." "These changes do not represent either a security DEFECT nor any actual security FIX. The APR Project dis-acknowledges the assignment of CVE-2012-0840 as erroneous, and invalid." Downgrading priority to "low".

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
apr