Return-Path: 
 <cvs-return-36007-apmail-httpd-cvs-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: (qmail 90546 invoked from network); 26 Jul 2010 08:57:14 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 26 Jul 2010 08:57:14 -0000
Received: (qmail 30556 invoked by uid 500); 26 Jul 2010 08:57:13 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 30352 invoked by uid 500); 26 Jul 2010 08:57:11 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:cvs-help@httpd.apache.org>
list-unsubscribe: <mailto:cvs-unsubscribe@httpd.apache.org>
List-Post: <mailto:cvs@httpd.apache.org>
List-Id: <cvs.httpd.apache.org>
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 30343 invoked by uid 99); 26 Jul 2010 08:57:10 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 26 Jul 2010 08:57:10 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=10.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 26 Jul 2010 08:57:06 +0000
Received: by eris.apache.org (Postfix, from userid 65534)
	id B608D23889B2; Mon, 26 Jul 2010 08:56:12 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: svn commit: r979202 - in /httpd/site/trunk:
 docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html
 xdocs/security/vulnerabilities-httpd.xml
Date: Mon, 26 Jul 2010 08:56:12 -0000
To: cvs@httpd.apache.org
From: mjc@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20100726085612.B608D23889B2@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org

Author: mjc
Date: Mon Jul 26 08:56:12 2010
New Revision: 979202

URL: http://svn.apache.org/viewvc?rev=979202&view=rev
Log:
2.2.16 announcement went out so do a quick explanation of the flaw

Modified:
    httpd/site/trunk/docs/security/vulnerabilities-oval.xml
    httpd/site/trunk/docs/security/vulnerabilities_22.html
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=979202&r1=979201&r2=979202&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Jul 26 08:56:12 2010
@@ -5,6 +5,48 @@
 <oval:timestamp>2005-10-12T18:13:45</oval:timestamp>
 </generator>
 <definitions>
+<definition id="oval:org.apache.httpd:def:20101452" version="1" class="vulnerability">
+<metadata>
+<title>mod_cache and mod_dav DoS</title>
+<reference source="CVE" ref_id="CVE-2010-1452" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452"/>
+<description>
+A flaw was found in the handling of requests by mod_cache and mod_dav.
+A malicious remote attacker could send a carefully crafted request and
+cause a httpd child process to crash.  This crash would only
+be a denial of service if using the worker MPM.  This issue is further
+mitigated as mod_dav is only affected by requests that are most likely
+to be authenticated, and mod_cache is only affected if the uncommon
+"CacheIgnoreURLSessionIdentifiers" directive, introduced in 
+version 2.2.14, is used.
+
+This issue was reported by Mark Drayton.
+</description>
+<apache_httpd_repository>
+<public>20100725</public>
+<reported>20100504</reported>
+<released>20100725</released>
+<severity level="4">low</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2215" comment="the version of httpd is 2.2.15"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2214" comment="the version of httpd is 2.2.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2213" comment="the version of httpd is 2.2.13"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2212" comment="the version of httpd is 2.2.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2211" comment="the version of httpd is 2.2.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2210" comment="the version of httpd is 2.2.10"/>
+<criterion test_ref="oval:org.apache.httpd:tst:229" comment="the version of httpd is 2.2.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:228" comment="the version of httpd is 2.2.8"/>
+<criterion test_ref="oval:org.apache.httpd:tst:226" comment="the version of httpd is 2.2.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:225" comment="the version of httpd is 2.2.5"/>
+<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+</criteria>
+</definition>
 <definition id="oval:org.apache.httpd:def:20102068" version="1" class="vulnerability">
 <metadata>
 <title>Timeout detection flaw (mod_proxy_http)</title>
@@ -23,7 +65,7 @@ reporting of this issue.
 <apache_httpd_repository>
 <public>20100609</public>
 <reported>20100609</reported>
-<released>20100611</released>
+<released>20100725</released>
 <severity level="2">important</severity>
 </apache_httpd_repository>
 </metadata>
@@ -3573,14 +3615,6 @@ a constant rate, since the attacker has 
 </definition>
 </definitions>
 <tests>
-<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:235-alpha" version="1" comment="the version of httpd is 2.3.5-alpha" check="at least one">
-<object object_ref="oval:org.apache.httpd:obj:1"/>
-<state state_ref="oval:org.apache.httpd:ste:235-alpha"/>
-</httpd_test>
-<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:234-alpha" version="1" comment="the version of httpd is 2.3.4-alpha" check="at least one">
-<object object_ref="oval:org.apache.httpd:obj:1"/>
-<state state_ref="oval:org.apache.httpd:ste:234-alpha"/>
-</httpd_test>
 <httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:2215" version="1" comment="the version of httpd is 2.2.15" check="at least one">
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:2215"/>
@@ -3637,6 +3671,14 @@ a constant rate, since the attacker has 
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:220"/>
 </httpd_test>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:235-alpha" version="1" comment="the version of httpd is 2.3.5-alpha" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:235-alpha"/>
+</httpd_test>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:234-alpha" version="1" comment="the version of httpd is 2.3.4-alpha" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:234-alpha"/>
+</httpd_test>
 <httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:2063" version="1" comment="the version of httpd is 2.0.63" check="at least one">
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:2063"/>
@@ -3850,12 +3892,6 @@ a constant rate, since the attacker has 
 </httpd_object>
 </objects>
 <states>
-<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:235-alpha" version="1" comment="the version of httpd is 2.3.5-alpha">
-<version operation="equals" datatype="version">2.3.5-alpha</version>
-</httpd_state>
-<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:234-alpha" version="1" comment="the version of httpd is 2.3.4-alpha">
-<version operation="equals" datatype="version">2.3.4-alpha</version>
-</httpd_state>
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2215" version="1" comment="the version of httpd is 2.2.15">
 <version operation="equals" datatype="version">2.2.15</version>
 </httpd_state>
@@ -3898,6 +3934,12 @@ a constant rate, since the attacker has 
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:220" version="1" comment="the version of httpd is 2.2.0">
 <version operation="equals" datatype="version">2.2.0</version>
 </httpd_state>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:235-alpha" version="1" comment="the version of httpd is 2.3.5-alpha">
+<version operation="equals" datatype="version">2.3.5-alpha</version>
+</httpd_state>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:234-alpha" version="1" comment="the version of httpd is 2.3.4-alpha">
+<version operation="equals" datatype="version">2.3.4-alpha</version>
+</httpd_state>
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2063" version="1" comment="the version of httpd is 2.0.63">
 <version operation="equals" datatype="version">2.0.63</version>
 </httpd_state>

Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=979202&r1=979201&r2=979202&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Mon Jul 26 08:56:12 2010
@@ -91,7 +91,7 @@ Team</a>.  </p>
  <tr>
  <td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="2.2.16-dev"><strong>Fixed in Apache httpd 2.2.16-dev</strong></a>
+   <a name="2.2.16"><strong>Fixed in Apache httpd 2.2.16</strong></a>
   </font>
  </td>
  </tr>
@@ -136,12 +136,41 @@ reporting of this issue.
 </p>
 </dd>
 <dd>
-  Update Released: 11th June 2010<br />
+  Update Released: 25th July 2010<br />
 </dd>
 <dd>
       Affects: 
     2.3.5-alpha, 2.3.4-alpha, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9<p />
 </dd>
+<dd>
+<b>low: </b>
+<b>
+<name name="CVE-2010-1452">mod_cache and mod_dav DoS</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452">CVE-2010-1452</a>
+<p>
+A flaw was found in the handling of requests by mod_cache and mod_dav.
+A malicious remote attacker could send a carefully crafted request and
+cause a httpd child process to crash.  This crash would only
+be a denial of service if using the worker MPM.  This issue is further
+mitigated as mod_dav is only affected by requests that are most likely
+to be authenticated, and mod_cache is only affected if the uncommon
+"CacheIgnoreURLSessionIdentifiers" directive, introduced in 
+version 2.2.14, is used.
+</p>
+</dd>
+<dd>
+<p>Acknowledgements: 
+This issue was reported by Mark Drayton.
+</p>
+</dd>
+<dd>
+  Update Released: 25th July 2010<br />
+</dd>
+<dd>
+      Affects: 
+    2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
+</dd>
 </dl>
   </blockquote>
  </td></tr>

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=979202&r1=979201&r2=979202&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Mon Jul 26 08:56:12 2010
@@ -1,7 +1,41 @@
-<security updated="20100311">
+<security updated="20100726">
+
+<issue fixed="2.2.16" reported="20100504" public="20100725" released="20100725">
+<cve name="CVE-2010-1452"/>
+<severity level="4">low</severity>
+<title>mod_cache and mod_dav DoS</title>
+<description><p>
+A flaw was found in the handling of requests by mod_cache and mod_dav.
+A malicious remote attacker could send a carefully crafted request and
+cause a httpd child process to crash.  This crash would only
+be a denial of service if using the worker MPM.  This issue is further
+mitigated as mod_dav is only affected by requests that are most likely
+to be authenticated, and mod_cache is only affected if the uncommon
+"CacheIgnoreURLSessionIdentifiers" directive, introduced in 
+version 2.2.14, is used.
+</p>
+</description>
+<acknowledgements>
+This issue was reported by Mark Drayton.
+</acknowledgements>
+<affects prod="httpd" version="2.2.15"/>
+<affects prod="httpd" version="2.2.14"/>
+<affects prod="httpd" version="2.2.13"/>
+<affects prod="httpd" version="2.2.12"/>
+<affects prod="httpd" version="2.2.11"/>
+<affects prod="httpd" version="2.2.10"/>
+<affects prod="httpd" version="2.2.9"/>
+<affects prod="httpd" version="2.2.8"/>
+<affects prod="httpd" version="2.2.6"/>
+<affects prod="httpd" version="2.2.5"/>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
 
 
-<issue fixed="2.2.16-dev" reported="20100609" public="20100609" released="20100611">
+<issue fixed="2.2.16" reported="20100609" public="20100609" released="20100725">
 <cve name="CVE-2010-2068"/>
 <severity level="2">important</severity>
 <title>Timeout detection flaw (mod_proxy_http)</title>