httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m..@apache.org
Subject svn commit: r1170476 - in /httpd/site/trunk/docs/security: vulnerabilities-oval.xml vulnerabilities_22.html
Date Wed, 14 Sep 2011 08:47:24 GMT
Author: mjc
Date: Wed Sep 14 08:47:24 2011
New Revision: 1170476

URL: http://svn.apache.org/viewvc?rev=1170476&view=rev
Log:
Clean up CVE-2011-3348

Modified:
    httpd/site/trunk/docs/security/vulnerabilities-oval.xml
    httpd/site/trunk/docs/security/vulnerabilities_22.html

Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=1170476&r1=1170475&r2=1170476&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Wed Sep 14 08:47:24 2011
@@ -12,8 +12,9 @@
 <description>
 A flaw was found when mod_proxy_ajp is used together with
 mod_proxy_balancer.  Given a specific configuration, a remote attacker
-could use unrecognized HTTP methods to mark ajp: balancer members in
-an error state.  This could be used in a denial of service attack.</description>
+could send certain malformed HTTP requests, putting a backend server
+into an error state until the retry timeout expired.
+This could lead to a temporary denial of service.</description>
 <apache_httpd_repository>
 <public>20110914</public>
 <reported>20110907</reported>
@@ -32,16 +33,6 @@ an error state.  This could be used in a
 <criterion test_ref="oval:org.apache.httpd:tst:2214" comment="the version of httpd is
2.2.14"/>
 <criterion test_ref="oval:org.apache.httpd:tst:2213" comment="the version of httpd is
2.2.13"/>
 <criterion test_ref="oval:org.apache.httpd:tst:2212" comment="the version of httpd is
2.2.12"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2211" comment="the version of httpd is
2.2.11"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2210" comment="the version of httpd is
2.2.10"/>
-<criterion test_ref="oval:org.apache.httpd:tst:229" comment="the version of httpd is 2.2.9"/>
-<criterion test_ref="oval:org.apache.httpd:tst:228" comment="the version of httpd is 2.2.8"/>
-<criterion test_ref="oval:org.apache.httpd:tst:226" comment="the version of httpd is 2.2.6"/>
-<criterion test_ref="oval:org.apache.httpd:tst:225" comment="the version of httpd is 2.2.5"/>
-<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
-<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
-<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
-<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
 </criteria>
 </criteria>
 </definition>

Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=1170476&r1=1170475&r2=1170476&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Wed Sep 14 08:47:24 2011
@@ -109,8 +109,9 @@ Team</a>.  </p>
 <p>
 A flaw was found when mod_proxy_ajp is used together with
 mod_proxy_balancer.  Given a specific configuration, a remote attacker
-could use unrecognized HTTP methods to mark ajp: balancer members in
-an error state.  This could be used in a denial of service attack.</p>
+could send certain malformed HTTP requests, putting a backend server
+into an error state until the retry timeout expired.
+This could lead to a temporary denial of service.</p>
 </dd>
 <dd>
   Reported to security team: 7th September 2011<br />
@@ -119,7 +120,7 @@ an error state.  This could be used in a
 </dd>
 <dd>
       Affected: 
-    2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10,
2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
+    2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12<p />
 </dd>
 </dl>
   </blockquote>



Mime
View raw message