Bug#655435: libapr1: apr_hash vulnerable to oCert-2011-003 style DOS attacks

2012-01-10 Thread John Lightsey
Package: libapr1
Version: 1.4.5-1.1
Severity: important
Tags: security

APR's hash implementation is vulnerable to the same types of algorithmic complexity attacks disclosed in oCert-2011-003. Discussion of the problem on the apr-dev mailing list is available here: http://www.mail-archive.com/dev

Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes

2009-05-02 Thread John Lightsey
This shouldn't be tagged as a grave security issue. The symlink tests in Apache are trivial to overcome with timing attacks and the Apache documentation explicitly states that the symlink tests should not be considered a security restriction. http://httpd.apache.org/docs/2.2/mod/core.html#options