Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 30 Jul 2010 16:15:09 +0100
From: Joe Orton <jorton@...hat.com>
To: dev@...pd.apache.org
Cc: jeremy@...zel.net, oss-security@...ts.openwall.com
Subject: CVE-2010-2791: mod_proxy information leak affecting 2.2.9 only

Jeremy Sowden discovered an information leak in mod_proxy affecting 
httpd version 2.2.9 only.  If a timeout occurred reading a response from 
a backend on a persistent connection, the backend connection was not 
closed.  The response could subsequently be read and delivered to an 
unrelated client.

This issue has been assigned CVE name CVE-2010-2791, and is equivalent 
to CVE-2010-2068 (fixed in 2.2.16) but affects httpd on Unix.  The bug 
was fixed* in 2.2.10 but the security impact was not known at the time.

I'll update http://httpd.apache.org/security/vulnerabilities_22.html to 
reflect this shortly.

Regards, Joe

* fix for 2.2.x branch: http://svn.apache.org/viewvc?rev=699841&view=rev

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ