Bugzilla – Bug 743744
VUL-1: CVE-2012-0021: apache2: crash in mod_log_config due to specially crafted cookies
Last modified: 2017-10-25 15:19:37 UTC
A flaw [1] was found in mod_log_config. If an administrator configured the "%{cookiename}C" log format string to be used, a remote attacker could send a specific cookie which would cause a crash. This crash would only be a denial of service if using a threaded MPM (such as event or worker). Note that Red Hat Enterprise Linux and Fedora use the prefork MPM by default. This will be fixed upstream [2] in 2.2.22 and affects versions 2.2.17 up to and including 2.2.21. [1] https://issues.apache.org/bugzilla/show_bug.cgi?id=52256 [2] http://svn.apache.org/viewvc?view=revision&revision=1227292
As the original description says, it only affects Apache2 between 2.2.17 and 2.2.21. => Statement: This only affects Apache2 versions after 2.2.17. SUSE Linux Enterprise products currently ship 2.2.12 and older Apache2 versions and so are not affected by this problem. openSUSE 11.4 and 12.1 will receive fixes.
This one was on the agenda for the February update already; the bug was known to me by xmas 2011. However, we have determined that the bug doesn't qualify for a fix due to the rather exotic circumstances under which it becomes evident. I'll take the fix into the list for the next update, as it doesn't really expose a threat that justifies an own update. If you agree, of course. Thanks, Roman.
perl bin/addnote CVE-2012-0021 "This Apache2 security problem only existed in versions 2.2.17 up to 2.2.22. Earlier versions were not affected, so SUSE Linux Enterprise 11 and previous products are not affected by this problem." Only openSUSE 12.1 is affected by this, as it has 2.1.21.
lets close as 12.1 is nearing EOL