Impact
Mod_gnutls versions from 0.9.0 to 0.12.0 (including) did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead it entered an endless loop retrying the read operation, consuming CPU resources. This could be exploited for denial of service attacks. If trace level logging was enabled, it would also produce an excessive amount of log output during the loop, consuming disk space.
Patches
The problem has been fixed in commit d7eec4e, please update to version 0.12.1.
Workarounds
There's no workaround, users who cannot update should apply the errno fix:
@@ -1003,7 +1008,7 @@ ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
&& APR_BRIGADE_EMPTY(ctxt->input_bb))
{
ctxt->input_rc = rc;
- gnutls_transport_set_errno(ctxt->session, EAGAIN);
+ gnutls_transport_set_errno(ctxt->session, ETIMEDOUT);
return -1;
}
References
There's a detailed analysis of the bug on the Debian bug tracker. Many thanks to Félix Arreola Rodríguez!
Impact
Mod_gnutls versions from 0.9.0 to 0.12.0 (including) did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead it entered an endless loop retrying the read operation, consuming CPU resources. This could be exploited for denial of service attacks. If trace level logging was enabled, it would also produce an excessive amount of log output during the loop, consuming disk space.
Patches
The problem has been fixed in commit d7eec4e, please update to version 0.12.1.
Workarounds
There's no workaround, users who cannot update should apply the errno fix:
References
There's a detailed analysis of the bug on the Debian bug tracker. Many thanks to Félix Arreola Rodríguez!