httpd-cvs mailing list archives

From jor...@apache.org
Subject svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml
Date Mon, 02 Aug 2010 13:03:04 GMT
Author: jorton
Date: Mon Aug  2 13:03:04 2010
New Revision: 981498

URL: http://svn.apache.org/viewvc?rev=981498&view=rev
Log:
- add description of CVE-2010-2791

Modified:
    httpd/site/trunk/docs/security/vulnerabilities-oval.xml
    httpd/site/trunk/docs/security/vulnerabilities_22.html
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=981498&r1=981497&r2=981498&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug  2 13:03:04 2010
@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
 </criteria>
 </criteria>
 </definition>
+<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
+<metadata>
+<title>Timeout detection flaw (mod_proxy_http)</title>
+<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
+<description>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms.  Under certain timeout 
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected.  There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced.  The simplest workaround is to
+globally configure:</description>
+<apache_httpd_repository>
+<public>20100723</public>
+<reported>20100723</reported>
+<released>20081031</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:229" comment="the version of httpd is 2.2.9"/>
+</criteria>
+</criteria>
+</definition>
 <definition id="oval:org.apache.httpd:def:20082364" version="1" class="vulnerability">
 <metadata>
 <title>mod_proxy_http DoS</title>
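Review bot: the OVAL `<description>` in this hunk ends on a dangling colon ("The simplest workaround is to globally configure:") with no directive following it, whereas the HTML and xdocs copies of the same entry carry the line `SetEnv proxy-nokeepalive 1`; either add that line to the OVAL description or drop the final sentence, so scanners that import the OVAL feed show a complete text. The doubly nested `<criteria operator="OR">` around a single criterion matches the surrounding definitions, so no change is needed there, but `<released>20081031</released>` preceding `<reported>20100723</reported>` will look inverted to consumers of the feed; a clause in the description stating that 2.2.10 already contained the fix (the version the xdocs entry names in `fixed="2.2.10"`) would make the dates self-explanatory.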

Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=981498&r1=981497&r2=981498&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Mon Aug  2 13:03:04 2010
@@ -560,6 +560,29 @@ processed by the pattern preparation eng
   <blockquote>
 <dl>
 <dd>
+<b>important: </b>
+<b>
+<name name="CVE-2010-2791">Timeout detection flaw (mod_proxy_http)</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791">CVE-2010-2791</a>
+<p>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms.  Under certain timeout 
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected.  There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced.  The simplest workaround is to
+globally configure:</p>
+<p>SetEnv proxy-nokeepalive 1</p>
+</dd>
+<dd>
+  Update Released: 31st October 2008<br />
+</dd>
+<dd>
+      Affects: 
+    2.2.9<p />
+</dd>
+<dd>
 <b>low: </b>
 <b>
 <name name="CVE-2008-2939">mod_proxy_ftp globbing XSS</name>
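Review bot: the workaround directive is emitted as a bare `<p>SetEnv proxy-nokeepalive 1</p>`, which renders as ordinary prose and is easy to read past; if the site stylesheet allows it, mark it up as `<code>` so it is recognisable as a configuration line. Also, "Update Released: 31st October 2008" next to a 2010 CVE gives the impression the fix predates the report; since this file is the rendered copy of the xdocs entry, adding "fixed in 2.2.10" to the source description would carry through here.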

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=981498&r1=981497&r2=981498&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Mon Aug  2 13:03:04
2010
@@ -442,6 +442,23 @@ to cross-site scripting (XSS) attacks.</
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
+<issue fixed="2.2.10" reported="20100723" public="20100723" released="20081031">
+<cve name="CVE-2010-2791"/>
+<severity level="2">important</severity>
+<title>Timeout detection flaw (mod_proxy_http)</title>
+<description><p>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms.  Under certain timeout 
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected.  There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced.  The simplest workaround is to
+globally configure:</p>
+<p>SetEnv proxy-nokeepalive 1</p>
+</description>
+<affects prod="httpd" version="2.2.9"/>
+</issue>
+
 <issue fixed="2.0.64-dev" reported="20090903" public="20090803" released="">
 <cve name="CVE-2009-3095"/>
 <severity level="4">low</severity>
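Review bot: the description in this hunk calls `SetEnv proxy-nokeepalive 1` "the simplest workaround" without saying what it trades away: that variable makes mod_proxy close the backend connection after each request, which removes the pooled keepalive behaviour the flaw depends on but costs a fresh backend TCP connection per request. Suggest a sentence stating that cost and naming the real fix in the prose ("fixed in 2.2.10"), since `fixed="2.2.10"` is currently visible only as an attribute and `released="20081031"` precedes `reported="20100723"`, which will confuse readers of the rendered page.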
