httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml
Date Mon, 02 Aug 2010 13:47:14 GMT
On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote:
> >--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
> >+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug  2 13:03:04 2010
> >@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
> >  </criteria>
> >  </criteria>
> >  </definition>
> >+<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
> >+<metadata>
> >+<title>Timeout detection flaw (mod_proxy_http)</title>
> >+<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
> >+<description>
> >+An information disclosure flaw was found in mod_proxy_http in version
> >+2.2.9 only, on Unix platforms.  Under certain timeout
> >+conditions, the server could return a response intended for another user.
> >+Only those configurations which trigger the use of proxy worker pools
> >+are affected.  There was no vulnerability on earlier versions, as
> >+proxy pools were not yet introduced.  The simplest workaround is to
> >+globally configure:</description>
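Review bot: the new <description> for def:20102791 ends on "The simplest workaround is to globally configure:" and then closes the element, so the definition announces a setting it never shows. Either carry the directive inside the description text, or drop that final sentence so the description covers only the flaw and the workaround is published elsewhere.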
> 
> It seems the following is missing here:
> 
> +<p>SetEnv proxy-nokeepalive 1</p>
> 
> or similar.

That's the OVAL.  The XSLT is using value-of rather than apply-templates 
so only picks up the first <p> within the <description>.  In fact the 
mitigation text there is not a description of the issue so would be 
better removed or marked up separately, and could probably be omitted 
from the OVAL either way.

Regards, Joe
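
The value-of behaviour described in the message above, as an added XSLT 1.0 example that is not the site's actual stylesheet. The `issue` root element, the `form` attribute and the sample input are assumptions constructed for illustration.

```xslt
<?xml version="1.0"?>
<!-- Constructed input (element names are assumptions, not the site's schema):
<issue>
  <description>
    <p>Under certain timeout conditions, the server could return a
       response intended for another user.  The simplest workaround
       is to globally configure:</p>
    <p>SetEnv proxy-nokeepalive 1</p>
  </description>
</issue>
-->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" indent="yes"/>

  <xsl:template match="/issue">
    <definitions>
      <!-- Converting a node-set to a string takes the string value of
           the first node in document order, so the second <p> (the
           directive) is silently dropped here. -->
      <description form="value-of">
        <xsl:value-of select="normalize-space(description/p)"/>
      </description>

      <!-- apply-templates visits every selected <p>, so the directive
           reaches the output. -->
      <description form="apply-templates">
        <xsl:apply-templates select="description/p"/>
      </description>
    </definitions>
  </xsl:template>

  <!-- Flatten each paragraph to text, separating paragraphs by a space. -->
  <xsl:template match="description/p">
    <xsl:if test="position() &gt; 1">
      <xsl:text> </xsl:text>
    </xsl:if>
    <xsl:value-of select="normalize-space(.)"/>
  </xsl:template>
</xsl:stylesheet>
```

With the value-of form the output description stops at the trailing colon, which is the truncation visible in the quoted OVAL hunk.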
