Vulnerability description
Apache HTTP Server is a widely deployed web server.
When a reverse proxy is configured, the stream_reqbody_cl function in mod_proxy_http.c (mod_proxy module) does not correctly handle a request body that is streamed past the value announced in the Content-Length header. A remote attacker can send crafted requests to an affected proxy process and drive it to consume large amounts of CPU time, resulting in a denial of service (CVE-2009-1890). Only deployments that use mod_proxy as a reverse proxy (ProxyPass and related directives) are exposed; upstream fixed the issue in Apache HTTP Server 2.2.12.
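The defect and its fix, as an added illustration that is not Apache's own code: a simplified request-body forwarding loop in the shape of stream_reqbody_cl, once with the client's end-of-stream as the only stop condition, and once with the bound that the upstream fix introduced, rejecting the request as soon as the number of streamed bytes exceeds the announced Content-Length. The in-memory body source, the status codes and the run_* helpers are hypothetical stand-ins for the httpd input filter chain and HTTP_INTERNAL_SERVER_ERROR, and the sample body (20 bytes sent against a declared length of 8) is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROXY_OK              0
#define PROXY_INTERNAL_ERROR  500   /* stand-in for HTTP_INTERNAL_SERVER_ERROR */

/* Hypothetical in-memory stand-in for the request input filter chain:
 * hands the body out in fixed-size chunks and signals EOS by returning 0. */
typedef struct { const unsigned char *data; size_t len, pos, chunk; } body_source_t;

static size_t body_read(body_source_t *src, unsigned char *buf, size_t bufsz)
{
    size_t want = src->chunk < bufsz ? src->chunk : bufsz;
    size_t left = src->len - src->pos;
    size_t n = want < left ? want : left;
    memcpy(buf, src->data + src->pos, n);
    src->pos += n;
    return n;                       /* 0 means EOS */
}

typedef struct {
    long bytes_streamed;            /* body bytes read from the client so far */
    int  reads;                     /* iterations of the read loop */
    int  status;                    /* PROXY_OK or PROXY_INTERNAL_ERROR */
} stream_result_t;

/* Unchecked variant: cl_val is what the client put in Content-Length, but the
 * loop's only stop condition is EOS from that same client, so data that keeps
 * arriving past cl_val keeps the proxy busy. */
stream_result_t stream_reqbody_cl_unchecked(body_source_t *src, long cl_val)
{
    stream_result_t res = {0, 0, PROXY_OK};
    unsigned char buf[8192];
    size_t n;

    (void)cl_val;                   /* announced to the backend, never enforced */
    while ((n = body_read(src, buf, sizeof buf)) > 0) {
        res.reads++;
        res.bytes_streamed += (long)n;
        /* pass buf[0..n) to the backend connection (omitted) */
    }
    return res;
}

/* Hardened variant: fail the request as soon as more body has been read than
 * Content-Length promised, instead of waiting for a client-controlled EOS. */
stream_result_t stream_reqbody_cl_checked(body_source_t *src, long cl_val)
{
    stream_result_t res = {0, 0, PROXY_OK};
    unsigned char buf[8192];
    size_t n;

    while ((n = body_read(src, buf, sizeof buf)) > 0) {
        res.reads++;
        res.bytes_streamed += (long)n;
        if (res.bytes_streamed > cl_val) {
            fprintf(stderr, "read more bytes of request body than expected "
                            "(got %ld, expected %ld)\n", res.bytes_streamed, cl_val);
            res.status = PROXY_INTERNAL_ERROR;
            return res;
        }
        /* pass buf[0..n) to the backend connection (omitted) */
    }
    return res;
}

/* Constructed sample: the client announces Content-Length: 8 but sends 20 bytes,
 * delivered in 5-byte chunks. */
static const unsigned char OVERLONG_BODY[] = "AAAAAAAAAAAAAAAAAAAA";
#define ANNOUNCED_CL 8L

stream_result_t run_unchecked(void)
{
    body_source_t src = {OVERLONG_BODY, 20, 0, 5};
    return stream_reqbody_cl_unchecked(&src, ANNOUNCED_CL);
}

stream_result_t run_checked(void)
{
    body_source_t src = {OVERLONG_BODY, 20, 0, 5};
    return stream_reqbody_cl_checked(&src, ANNOUNCED_CL);
}

/* Well-formed request: body length matches Content-Length and must still pass. */
stream_result_t run_checked_exact(void)
{
    body_source_t src = {OVERLONG_BODY, 8, 0, 5};
    return stream_reqbody_cl_checked(&src, ANNOUNCED_CL);
}

int main(void)
{
    stream_result_t a = run_unchecked(), b = run_checked(), c = run_checked_exact();
    printf("unchecked: status=%d bytes=%ld reads=%d\n", a.status, a.bytes_streamed, a.reads);
    printf("checked:   status=%d bytes=%ld reads=%d\n", b.status, b.bytes_streamed, b.reads);
    printf("exact:     status=%d bytes=%ld reads=%d\n", c.status, c.bytes_streamed, c.reads);
    return 0;
}
```

Compile with a C99 compiler and run: the unchecked loop swallows all 20 bytes and reports success, the hardened loop aborts on the second read with status 500 once 10 bytes exceed the declared 8, and the well-formed 8-byte body still passes. The point to carry into a review of any proxy or forwarding code is that a client-supplied Content-Length is a promise relayed to the backend, not a bound on what the client actually sends; the forwarder has to enforce that bound itself rather than let the client decide when the loop ends.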
Solution
The following security advisories were published by Linux/Unix distributions for this vulnerability; apply the update described in the advisory for your system. If httpd is built or installed from source, upgrade to Apache HTTP Server 2.2.12 or later.
Ubuntu
----------------
USN-802-1: [USN-802-1] Apache vulnerabilities
Link: https://www.ubuntu.com/usn/usn-802-1
Red Hat Enterprise Linux
----------------
Link: https://access.redhat.com/security/cve/CVE-2009-1890
CentOS
----------------
CESA-2009:1148: CESA-2009:1148 Important CentOS 5 i386 httpd Update
Link: https://lists.centos.org/pipermail/centos-announce/2009-July/016028.html
CESA-2009:1148: CESA-2009:1148 Important CentOS 5 x86_64 httpd Update
Link: https://lists.centos.org/pipermail/centos-announce/2009-July/016029.html
Gentoo
----------------
GLSA-200907-04: Apache: Multiple vulnerabilities
Link: https://security.gentoo.org/glsa/200907-04
FreeBSD
----------------
e15f2356-9139-11de-8f42-001aa0166822: apache22 -- several vulnerabilities
Link: http://vuxml.freebsd.org/freebsd/e15f2356-9139-11de-8f42-001aa0166822.html
Slackware
----------------
SSA:2009-214-01: [slackware-security] httpd (SSA:2009-214-01)
Link: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.566124
openSUSE
----------------
SUSE-SA:2009:050: SUSE Security Announcement: Apache and libapr (SUSE-SA:2009:050)
Link: https://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html
Fedora
----------------
FEDORA-2009-8812: Fedora 11 Update: httpd-2.2.13-1.fc11
Link: https://lists.fedoraproject.org/pipermail/package-announce/2009-August/028633.html
Oracle Linux
----------------
Link: https://linux.oracle.com/cve/CVE-2009-1890.html
Debian
----------------
DSA-1834: DSA-1834-1 apache2 -- denial of service
Link: https://www.debian.org/security/2009/dsa-1834