Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: (qmail 90546 invoked from network); 26 Jul 2010 08:57:14 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
by 140.211.11.9 with SMTP; 26 Jul 2010 08:57:14 -0000
Received: (qmail 30556 invoked by uid 500); 26 Jul 2010 08:57:13 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 30352 invoked by uid 500); 26 Jul 2010 08:57:11 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 30343 invoked by uid 99); 26 Jul 2010 08:57:10 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 26 Jul 2010 08:57:10 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=10.0
tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4)
by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 26 Jul 2010 08:57:06 +0000
Received: by eris.apache.org (Postfix, from userid 65534)
id B608D23889B2; Mon, 26 Jul 2010 08:56:12 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: svn commit: r979202 - in /httpd/site/trunk:
docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html
xdocs/security/vulnerabilities-httpd.xml
Date: Mon, 26 Jul 2010 08:56:12 -0000
To: cvs@httpd.apache.org
From: mjc@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20100726085612.B608D23889B2@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: mjc
Date: Mon Jul 26 08:56:12 2010
New Revision: 979202
URL: http://svn.apache.org/viewvc?rev=979202&view=rev
Log:
2.2.16 announcement went out so do a quick explanation of the flaw
Modified:
httpd/site/trunk/docs/security/vulnerabilities-oval.xml
httpd/site/trunk/docs/security/vulnerabilities_22.html
httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=979202&r1=979201&r2=979202&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Jul 26 08:56:12 2010
@@ -5,6 +5,48 @@
2005-10-12T18:13:45
+
+
+mod_cache and mod_dav DoS
+
+
+A flaw was found in the handling of requests by mod_cache and mod_dav.
+A malicious remote attacker could send a carefully crafted request and
+cause a httpd child process to crash. This crash would only
+be a denial of service if using the worker MPM. This issue is further
+mitigated as mod_dav is only affected by requests that are most likely
+to be authenticated, and mod_cache is only affected if the uncommon
+"CacheIgnoreURLSessionIdentifiers" directive, introduced in
+version 2.2.14, is used.
+
+This issue was reported by Mark Drayton.
+
+
+20100725
+20100504
+20100725
+low
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Timeout detection flaw (mod_proxy_http)
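Review bot: the new entry's statement that the crash "would only be a denial of service if using the worker MPM" leaves the reason implicit, which makes the "low" rating hard to verify from the text alone; the point is that a worker child serves many connections on threads, so one crashing child drops every in-flight request it was handling, whereas a prefork child serves a single connection (the attacker's own) and is simply respawned. One sentence to that effect after "cause a httpd child process to crash" would make the mitigation argument self-contained. Also, "a httpd child process" should read "an httpd child process"; since this same paragraph is reproduced in the HTML file in this commit, fix it in the xdocs source so all copies stay in sync.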
@@ -23,7 +65,7 @@ reporting of this issue.
2010060920100609
-20100611
+20100725important
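Review bot: this hunk changes a date on the existing "Timeout detection flaw (mod_proxy_http)" entry from 20100611 to 20100725 (presumably the 2.2.16 release date), but the commit log only describes adding the explanation of the new flaw. The log message should also mention that the earlier entry's date was updated, so the change to already-published advisory data is traceable from the history.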
@@ -3573,14 +3615,6 @@ a constant rate, since the attacker has
-
-
-
-
-
-
-
-
@@ -3637,6 +3671,14 @@ a constant rate, since the attacker has
+
+
+
+
+
+
+
+
@@ -3850,12 +3892,6 @@ a constant rate, since the attacker has
-
-2.3.5-alpha
-
-
-2.3.4-alpha
-2.2.15
@@ -3898,6 +3934,12 @@ a constant rate, since the attacker has
2.2.0
+
+2.3.5-alpha
+
+
+2.3.4-alpha
+2.0.63
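Review bot: the block removed in the preceding hunk listed 2.3.5-alpha, 2.3.4-alpha and 2.2.15, while the block re-added here under the 2.2.0 context lists 2.3.5-alpha, 2.3.4-alpha and 2.0.63. If this is a move, the substitution of 2.0.63 for 2.2.15 changes which releases the OVAL definition claims; please confirm it is intended (and, if so, note it in the log message) rather than a copy error while relocating the block.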
Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=979202&r1=979201&r2=979202&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Mon Jul 26 08:56:12 2010
@@ -91,7 +91,7 @@ Team.
+low:
+
+mod_cache and mod_dav DoS
+
+CVE-2010-1452
+
+A flaw was found in the handling of requests by mod_cache and mod_dav.
+A malicious remote attacker could send a carefully crafted request and
+cause a httpd child process to crash. This crash would only
+be a denial of service if using the worker MPM. This issue is further
+mitigated as mod_dav is only affected by requests that are most likely
+to be authenticated, and mod_cache is only affected if the uncommon
+"CacheIgnoreURLSessionIdentifiers" directive, introduced in
+version 2.2.14, is used.
+
+
+
+
Acknowledgements:
+This issue was reported by Mark Drayton.
+
+A flaw was found in the handling of requests by mod_cache and mod_dav.
+A malicious remote attacker could send a carefully crafted request and
+cause a httpd child process to crash. This crash would only
+be a denial of service if using the worker MPM. This issue is further
+mitigated as mod_dav is only affected by requests that are most likely
+to be authenticated, and mod_cache is only affected if the uncommon
+"CacheIgnoreURLSessionIdentifiers" directive, introduced in
+version 2.2.14, is used.
+
+
+
+This issue was reported by Mark Drayton.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+importantTimeout detection flaw (mod_proxy_http)
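Review bot: the description paragraph and the "This issue was reported by Mark Drayton." acknowledgement are each added twice in this hunk, once before the "Acknowledgements:" context line and once after it. Unless the page deliberately renders the entry in two places, this looks like a generation artifact, and the file should be regenerated from xdocs/security/vulnerabilities-httpd.xml rather than committed as is. The "a httpd child process" wording should also be "an httpd child process"; because this HTML is generated output, the correction belongs in the xdocs source.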