<em style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1928" target="_blank">CVE</a>)</em> : The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.

This has been fixed in the SVN repository.

Unknown or Incomplete

• CVE ID: 2011-0419 (see also: NVD) 2011-1928 (see also: NVD)
• Secunia Advisory ID: 43012 44558 44613 44661 44679 44780 44861 45280 45304 45309 45465 45954 46336 46417 46648 46734 46810 46850 48308 50614 50712 50922
• Bugtraq ID: 47820 47929
• VUPEN Advisory: ADV-2011-1289 ADV-2011-1290
• Vendor Specific News/Changelog Entry: http://blogs.oracle.com/sunsecurity/entry/cve_2011_3192_and_cve
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627182
  http://lists.debian.org/debian-security-announce/2011/msg00108.html
  http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061177.html
  http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061183.html
  http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00011.html
  http://mail-archives.apache.org/mod_mbox/httpd-announce/201105.mbox/%[email protected]%3E
  http://www.ibm.com/support/docview.wss?uid=swg1PM38826
  https://issues.apache.org/bugzilla/show_bug.cgi?id=51219
• Vendor Specific Advisory URL: http://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_apache_portable
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03011498
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03280632
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03517954
  http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02997184
  http://support.apple.com/kb/HT5002
  http://www.fujitsu.com/global/support/software/security/products-f/interstage-201104e.html
  http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2013-02-846&viewMode=view
  http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-11-767
  http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
  http://www.ubuntu.com/usn/usn-1134-1/
  http://www.xerox.com/download/security/security-bulletin/1284333-14afb-4baadb5bccb00/cert_XRX12-002_v1.1.pdf
  https://blogs.oracle.com/sunsecurity/entry/cve_2011_0419_denial_of
  https://downloads.avaya.com/css/P8/documents/100141102
  https://hermes.opensuse.org/messages/10420089
  https://hermes.opensuse.org/messages/9594430
  https://hermes.opensuse.org/messages/9594629
• Other Advisory URL: http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%[email protected]%3e
  http://openwall.com/lists/oss-security/2011/05/19/10
  http://openwall.com/lists/oss-security/2011/05/19/5
• Packet Storm: http://packetstormsecurity.org/files/111915/HP-Security-Bulletin-HPSBMU02764-SSRT100827.html
  http://packetstormsecurity.org/files/112043/HP-Security-Bulletin-HPSBMU02764-SSRT100827-2.html
• Mail List Post: http://seclists.org/bugtraq/2011/May/165
  http://seclists.org/bugtraq/2011/Sep/154
  http://seclists.org/bugtraq/2011/Sep/190
  http://seclists.org/bugtraq/2012/Apr/112
  http://seclists.org/bugtraq/2012/Apr/159
• RedHat RHSA: https://rhn.redhat.com/errata/RHSA-2011-0844.html

Unknown or Incomplete