'The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the “len +=” statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.'
ClearCenter does not consider resource exhaustion caused by .htaccess files to be a security defect.
This bug only affects systems that allow local command line access to users. Since those services are rarely accessed except by trusted admins, ClearCenter does not believe that this CVE constitutes a reasonable threat. Moreover, resource exhaustion via local access is not a threat in and of itself but rather a use of resources allocated to the process or user.