Message-ID: <4C12933D.4060400@apache.org>
Date: Fri, 11 Jun 2010 14:49:17 -0500
From: "William A. Rowe Jr."
To: announce@httpd.apache.org
Subject: [advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Vulnerability; httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Classification; important

Description;

    A timeout detection flaw in the httpd mod_proxy_http module causes
    a proxied response to be sent as the response to a different request,
    and potentially served to a different client, from the HTTP proxy
    pool worker pipeline.

    This may represent a confidential data revealing flaw.

    This affects only Netware, Windows or OS2 builds of httpd version
    2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha, when the proxy
    worker pools have been enabled. Earlier 2.2, 2.0 and 1.3 releases
    were not affected.

Acknowledgements;

    We would like to thank Loren Anderson for the thorough research
    and reporting of this flaw.

Mitigation;

    Apply any one of the following mitigations to avert the possibility
    of confidential information disclosure.

    * Do not load mod_proxy_http.

    * Do not configure/enable any http proxy worker pools with ProxySet
      or ProxyPass optional arguments.

    * The straightforward workaround to disable mod_proxy_http's reuse
      of backend connection pipelines is to set the following global
      directive;

        SetEnv proxy-nokeepalive 1

    * Replace mod_proxy_http.so with a patched version, for source code
      see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or
      http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for
      binaries see the http://www.apache.org/dist/httpd/binaries/ tree
      for win32 or netware, as appropriate.

    * Upgrade to Apache httpd 2.2.16 or higher, once released. There
      is no tentative release date scheduled.

Update Released; 11th June 2010
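
An added example, not part of the original advisory or of the httpd project's code: a Python check of a configuration text against the configuration mitigations listed above, plus the affected version range. The sample configuration is constructed and the function names are this example's own; it flags conservatively (any ProxySet, any ProxyPass carrying key=value arguments) and the platform (Netware, Windows or OS2) has to be confirmed separately.

```python
import re

# Constructed sample configuration (not from the advisory).
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyPass /app http://backend.example:8080/app max=20 ttl=120
ProxyPass /static http://static.example/
<Proxy http://backend.example:8080>
    ProxySet keepalive=On
</Proxy>
"""

def version_affected(version):
    """True for the releases the advisory lists as affected."""
    if version in ("2.3.4-alpha", "2.3.5-alpha"):
        return True
    m = re.fullmatch(r"2\.2\.(\d+)", version)
    return bool(m) and 9 <= int(m.group(1)) <= 15  # 2.2.9 through 2.2.15

def audit(conf_text):
    """Check one config text against the advisory's configuration mitigations.
    Simplified: no Include following, no backslash line continuations."""
    loaded = nokeepalive = False
    pool_lines = []
    depth = 0  # > 0 while inside any <Section> container
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        else:
            name, *args = line.split()
            name = name.lower()
            has_opts = any(re.fullmatch(r"[A-Za-z]+=\S+", a) for a in args)
            if name == "loadmodule" and args[:1] == ["proxy_http_module"]:
                loaded = True
            elif name == "setenv" and depth == 0 and args == ["proxy-nokeepalive", "1"]:
                nokeepalive = True  # only counted when set globally
            elif name == "proxyset" or (name == "proxypass" and has_opts):
                pool_lines.append(n)  # worker pool parameters in use
    needs_mitigation = loaded and bool(pool_lines) and not nokeepalive
    return {"mod_proxy_http": loaded, "pool_lines": pool_lines,
            "nokeepalive": nokeepalive, "needs_mitigation": needs_mitigation}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
    print(audit("SetEnv proxy-nokeepalive 1\n" + SAMPLE_CONF))
```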