CVE-2012-0021

Publication date 27 January 2012

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.

Read the notes from the security team

Status

Package Ubuntu Release Status
apache2 11.10 oneiric
Fixed 2.2.20-1ubuntu1.2
11.04 natty
Fixed 2.2.17-1ubuntu1.5
10.10 maverick
Not affected
10.04 LTS lucid
Not affected
8.04 LTS hardy
Not affected

Notes

tyhicks

apache2-mpm-worker is likely the only apache2-mpm affected

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
apache2

References

Related Ubuntu Security Notices (USN)

    • USN-1368-1
    • Apache HTTP Server vulnerabilities
    • 16 February 2012

Other references