httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml
Date Mon, 02 Aug 2010 13:33:45 GMT
Hi Joe,

On 02.08.2010 15:03, jorton@apache.org wrote:
> Author: jorton
> Date: Mon Aug  2 13:03:04 2010
> New Revision: 981498
>
> URL: http://svn.apache.org/viewvc?rev=981498&view=rev
> Log:
> - add description of CVE-2010-2791
>
> Modified:
>      httpd/site/trunk/docs/security/vulnerabilities-oval.xml
>      httpd/site/trunk/docs/security/vulnerabilities_22.html
>      httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
>
> Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
> URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=981498&r1=981497&r2=981498&view=diff
> ==============================================================================
> --- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
> +++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug  2 13:03:04 2010
> @@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
>   </criteria>
>   </criteria>
>   </definition>
> +<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
> +<metadata>
> +<title>Timeout detection flaw (mod_proxy_http)</title>
> +<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
> +<description>
> +An information disclosure flaw was found in mod_proxy_http in version
> +2.2.9 only, on Unix platforms.  Under certain timeout
> +conditions, the server could return a response intended for another user.
> +Only those configurations which trigger the use of proxy worker pools
> +are affected.  There was no vulnerability on earlier versions, as
> +proxy pools were not yet introduced.  The simplest workaround is to
> +globally configure:</description>

It seems here is missing

+<p>SetEnv proxy-nokeepalive 1</p>

or similar.

> +<apache_httpd_repository>
> +<public>20100723</public>
> +<reported>20100723</reported>
> +<released>20081031</released>
...

Regards,

Rainer

Mime
View raw message