OVAL

DSA-2237-2 apr -- denial of service

ID: oval:org.secpod.oval:def:600529
Date: (C)2011-06-01   (M)2024-04-03
Class: PATCH
Family: unix




The recent APR update DSA-2237-1 introduced a regression that could lead to an endless loop in the apr_fnmatch function, causing a denial of service. This update fixes this problem.

For reference, the description of the original DSA, which fixed CVE-2011-0419: A flaw was found in the APR library, which could be exploited through Apache HTTPD's mod_autoindex. If a directory indexed by mod_autoindex contained files with sufficiently long names, a remote attacker could send a carefully crafted request which would cause excessive CPU usage. This could be used in a denial of service attack.

Platform:
Debian 5.0
Debian 6.0
Product:
libapr1
Reference:
DSA-2237-2
CVE-2011-0419
CVE-2011-1928
CPE:
cpe:/a:apache:libapr1
cpe:/o:debian:debian_linux:5.0
cpe:/o:debian:debian_linux:6.0

© SecPod Technologies