httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml
Date Mon, 02 Aug 2010 14:31:46 GMT
On 02.08.2010 15:47, Joe Orton wrote:
> On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote:
>>> --- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
>>> +++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug  2 13:03:04
2010
>>> @@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
>>>   </criteria>
>>>   </criteria>
>>>   </definition>
>>> +<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
>>> +<metadata>
>>> +<title>Timeout detection flaw (mod_proxy_http)</title>
>>> +<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
>>> +<description>
>>> +An information disclosure flaw was found in mod_proxy_http in version
>>> +2.2.9 only, on Unix platforms.  Under certain timeout
>>> +conditions, the server could return a response intended for another user.
>>> +Only those configurations which trigger the use of proxy worker pools
>>> +are affected.  There was no vulnerability on earlier versions, as
>>> +proxy pools were not yet introduced.  The simplest workaround is to
>>> +globally configure:</description>
>>
>> It seems here is missing
>>
>> +<p>SetEnv proxy-nokeepalive 1</p>
>>
>> or similar.
>
> That's the OVAL.  The XSLT is using value-of rather than apply-templates
> so only picks up the first<p>  within the<description>.  In fact the
> mitigation text there is not a description of the issue so would be
> better removed or marked up separately, and could probably be omitted
> from the OVAL either way.

Thanks for the explanation and sorry for the noise.

Rainer

Mime
View raw message