httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r919678 - /httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
Date Sat, 06 Mar 2010 00:20:37 GMT
Author: wrowe
Date: Sat Mar  6 00:20:37 2010
New Revision: 919678

URL: http://svn.apache.org/viewvc?rev=919678&view=rev
Log:
Further incidents

Modified:
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=919678&r1=919677&r2=919678&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Sat Mar  6 00:20:37
2010
@@ -1,16 +1,23 @@
-<security updated="20100303">
+<security updated="20100302">
 
-<issue fixed="2.2.15-dev" reported="20091209" public="20091209" released="">
+
+<issue fixed="2.2.15" reported="20091209" public="20091209" released="20100305">
 <cve name="CVE-2010-0434"/>
 <severity level="4">low</severity>
-<title>Request header information leak</title>
+<title>Subrequest handling of request headers (mod_headers)</title>
 <description><p>
-A bug in the handling of headers in subrequests could lead to a reuse
-of memory.  In a multithreaded MPM this could possibly cause an
-information leak from other requests being handled by a different
-thread.
+Philip Pickett of VMware reported a flaw with a proposed fix to the core
+subrequest process code, to always provide a shallow copy of the headers_in
+array to the subrequest, instead of a pointer to the parent request's array
+as it had for requests without request bodies.  This meant all modules such
+as mod_headers which may manipulate the input headers for a subrequest would
+poison the parent request in two ways, one by modifying the parent request,
+which might not be intended, and second by leaving pointers to modified header
+fields in memory allocated to the subrequest scope, which could be freed
+before the main request processing was finished, resulting in a segfault or
+in revealing data from another request on threaded servers, such as the worker
+or winnt MPMs.
 </p></description>
-<!-- http://svn.apache.org/viewvc?view=revision&revision=917867 -->
 <affects prod="httpd" version="2.2.14"/>
 <affects prod="httpd" version="2.2.13"/>
 <affects prod="httpd" version="2.2.12"/>
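Review bot: On the `<security>` line, `updated` moves backwards from 20100303 to 20100302, although the `<issue>` just below it gains released="20100305" and the commit itself is dated 6 March 2010. An `updated` stamp earlier than the release it records looks like a typo; set it to the date of this edit, or at least to 20100305. The hunk also deletes the comment that referenced revision 917867 without putting that reference anywhere else, so the entry no longer points at a code change; consider keeping it. In the new description, "reported a flaw with a proposed fix to the core subrequest process code" can be read as a flaw in the fix rather than a flaw reported together with a fix, and the single long sentence that follows would be easier to read if it were split where it enumerates the two ways the parent request is affected.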
@@ -25,15 +32,42 @@
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
-<issue fixed="2.2.15-dev" reported="20100202" public="20100302" released="">
+<issue fixed="2.2.15" reported="20100209" public="20100302" released="20100305">
+<cve name="CVE-2010-0425"/>
+<severity level="2">important</severity>
+<title>mod_isapi module unload flaw</title>
+<description><p>
+Brett Gervasoni of Sense of Security reported a flaw with proposed patch fix
+within mod_isapi, which would attempt to unload the ISAPI dll when it
+encountered various error states.  This could leave the callbacks in an
+undefined state and result in a segfault.  As the remote attacker could
+send a malicious request to trigger this issue, and win32 mpm runs only one
+process, this would result in a denial of service, and potentially allow
+for arbitrary code execution.
+</p></description>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="2.2.15" reported="20100202" public="20100302" released="20100305">
 <cve name="CVE-2010-0408"/>
 <severity level="3">moderate</severity>
 <title>mod_proxy_ajp DoS</title>
 <description><p>
-mod_proxy_ajp would return the wrong status code if it encountered
-an error causing a backend server to be put into an error state
-until the retry timeout expired.  A remote attacker could send 
-malicious requests to trigger this issue, resulting in a
+Niku Toivola reported with a proposed patch that mod_proxy_ajp would return
+the wrong status code if it encountered an error causing a backend server
+to be put into an error state until the retry timeout expired.  A remote
+attacker could send malicious requests to trigger this issue, resulting in
 denial of service.
 </p></description>
 <affects prod="httpd" version="2.2.14"/>
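Review bot: The new CVE-2010-0425 description names the Windows MPM "win32 mpm", while the CVE-2010-0434 text added earlier in this same patch calls it "winnt"; pick one name so readers do not take them for two different MPMs. The impact argument rests on that MPM running a single process, yet the `<affects>` lines carry no platform qualifier, so if the issue is limited to Windows builds the description should say so directly. The wording "reported a flaw with proposed patch fix within mod_isapi" and, in the CVE-2010-0408 entry, "reported with a proposed patch that mod_proxy_ajp would return" is also hard to parse: in both cases it is unclear whether the patch accompanied the report or contained the flaw.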
@@ -54,8 +88,7 @@
 <cve name="CVE-2009-2699"/>
 <severity level="3">moderate</severity>
 <title>Solaris pollset DoS</title>
-<description><p>
-Faulty error handling was found affecting Solaris pollset support
+<description><p>Faulty error handling was found affecting Solaris pollset support
 (Event Port backend) caused by a bug in APR.  A remote attacker
 could trigger this issue on Solaris servers which used prefork or
 event MPMs, resulting in a denial of service.
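Review bot: Joining `<description><p>` with the first line of text in the CVE-2009-2699 entry is a whitespace-only change, and it breaks the layout used by every other entry visible in this patch, where `<description><p>` sits on its own line. It is also unrelated to the log message "Further incidents". Suggest reverting this hunk, or committing formatting changes separately so the content changes stay easy to review.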


