httpd-cvs mailing list archives

Subject svn commit: r953841 - /httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
Date Fri, 11 Jun 2010 19:13:37 GMT
Author: wrowe
Date: Fri Jun 11 19:13:36 2010
New Revision: 953841

Publication of CVE-2010-2068


Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Fri Jun 11 19:13:36
@@ -1,6 +1,48 @@
 <security updated="20100311">
+<issue fixed="2.2.16-dev" reported="20100609" public="20100609" released="20100611">
+<cve name="CVE-2010-2068"/>
+<severity level="2">important</severity>
+<title>Subrequest handling of request headers (mod_headers)</title>
+An information disclosure flaw was found in mod_proxy_http in versions
+2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha.  Under certain timeout 
+conditions, the server could return a response intended for another user.
+Only Windows, Netware and OS2 operating systems are affected.  Only those
+configurations which trigger the use of proxy worker pools are affected.
+There was no vulnerability on earlier versions, as proxy pools were not 
+yet introduced.  The simplest workaround is to globally configure;</p>
+<p>SetEnv proxy-nokeepalive 1</p>
+<p>Source code patches are at;</p>
+<li><a href=""
+<li><a href=""
+<p>Binary replacement modules are at</p>
+<li><a href=""
+We would like to thank Loren Anderson for the detailed analysis and 
+reporting of this issue.
+<affects prod="httpd" version="2.3.5-alpha"/>
+<affects prod="httpd" version="2.3.4-alpha"/>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
 <issue fixed="2.2.15" reported="20091209" public="20091209" released="20100305">
 <cve name="CVE-2010-0434"/>
 <severity level="4">low</severity>
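Review bot: the `<title>` of the added issue, "Subrequest handling of request headers (mod_headers)", does not match its own description, which covers an information disclosure in mod_proxy_http under timeout conditions on Windows, Netware and OS2 when proxy worker pools are in use; the title should name the mod_proxy_http flaw so the rendered advisory index is not misleading. The unchanged context line `<security updated="20100311">` is also left at the March date even though this entry is released 20100611, so the `updated` attribute should be bumped. As shown, the three `<li><a href=""` entries for the source patches and binary modules carry empty hrefs and no closing `</a></li>`, the `</p>` after "globally configure;" has no opening `<p>`, and the new `<issue>` is not closed before the existing `<issue fixed="2.2.15" ...>` line, so the fragment will not parse as XML; please complete the link targets and balance the elements before publication.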
