Posted to cvs@httpd.apache.org by jo...@apache.org on 2010/08/02 15:03:04 UTC

svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml

Author: jorton
Date: Mon Aug  2 13:03:04 2010
New Revision: 981498

URL: http://svn.apache.org/viewvc?rev=981498&view=rev
Log:
- add description of CVE-2010-2791

Modified:
    httpd/site/trunk/docs/security/vulnerabilities-oval.xml
    httpd/site/trunk/docs/security/vulnerabilities_22.html
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=981498&r1=981497&r2=981498&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug  2 13:03:04 2010
@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
 </criteria>
 </criteria>
 </definition>
+<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
+<metadata>
+<title>Timeout detection flaw (mod_proxy_http)</title>
+<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
+<description>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms.  Under certain timeout 
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected.  There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced.  The simplest workaround is to
+globally configure:</description>
+<apache_httpd_repository>
+<public>20100723</public>
+<reported>20100723</reported>
+<released>20081031</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:229" comment="the version of httpd is 2.2.9"/>
+</criteria>
+</criteria>
+</definition>
 <definition id="oval:org.apache.httpd:def:20082364" version="1" class="vulnerability">
 <metadata>
 <title>mod_proxy_http DoS</title>
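Review bot: the added `<description>` ends with "globally configure:" and nothing follows it, so the OVAL entry promises a workaround it never states. Either drop the closing sentence ("The simplest workaround is to globally configure:") from the OVAL text, or carry the `SetEnv proxy-nokeepalive 1` directive into it, so the description stands as a complete statement of the flaw.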

Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=981498&r1=981497&r2=981498&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Mon Aug  2 13:03:04 2010
@@ -560,6 +560,29 @@ processed by the pattern preparation eng
   <blockquote>
 <dl>
 <dd>
+<b>important: </b>
+<b>
+<name name="CVE-2010-2791">Timeout detection flaw (mod_proxy_http)</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791">CVE-2010-2791</a>
+<p>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms.  Under certain timeout 
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected.  There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced.  The simplest workaround is to
+globally configure:</p>
+<p>SetEnv proxy-nokeepalive 1</p>
+</dd>
+<dd>
+  Update Released: 31st October 2008<br />
+</dd>
+<dd>
+      Affects: 
+    2.2.9<p />
+</dd>
+<dd>
 <b>low: </b>
 <b>
 <name name="CVE-2008-2939">mod_proxy_ftp globbing XSS</name>
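Review bot: the workaround in `<p>SetEnv proxy-nokeepalive 1</p>` is set as an ordinary paragraph, so nothing marks it as a literal configuration directive to be copied exactly as written. Wrapping the directive in `<code>` or `<pre>` would set it apart from the descriptive text that precedes it.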

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=981498&r1=981497&r2=981498&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Mon Aug  2 13:03:04 2010
@@ -442,6 +442,23 @@ to cross-site scripting (XSS) attacks.</
 <affects prod="httpd" version="2.2.0"/>
 </issue>
 
+<issue fixed="2.2.10" reported="20100723" public="20100723" released="20081031">
+<cve name="CVE-2010-2791"/>
+<severity level="2">important</severity>
+<title>Timeout detection flaw (mod_proxy_http)</title>
+<description><p>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms.  Under certain timeout 
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected.  There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced.  The simplest workaround is to
+globally configure:</p>
+<p>SetEnv proxy-nokeepalive 1</p>
+</description>
+<affects prod="httpd" version="2.2.9"/>
+</issue>
+
 <issue fixed="2.0.64-dev" reported="20090903" public="20090803" released="">
 <cve name="CVE-2009-3095"/>
 <severity level="4">low</severity>
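Review bot: in the new `<issue>` element, released="20081031" is almost two years earlier than reported="20100723" and public="20100723", which a reader could take for a typo. If the dates are intended, with fixed="2.2.10" having shipped before the report, a sentence in the `<description>` saying so would keep the entry from being second-guessed.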



Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml

Posted by Rainer Jung <ra...@kippdata.de>.
On 02.08.2010 15:47, Joe Orton wrote:
> On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote:
>>> --- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
>>> +++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug  2 13:03:04 2010
>>> @@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
>>>   </criteria>
>>>   </criteria>
>>>   </definition>
>>> +<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
>>> +<metadata>
>>> +<title>Timeout detection flaw (mod_proxy_http)</title>
>>> +<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
>>> +<description>
>>> +An information disclosure flaw was found in mod_proxy_http in version
>>> +2.2.9 only, on Unix platforms.  Under certain timeout
>>> +conditions, the server could return a response intended for another user.
>>> +Only those configurations which trigger the use of proxy worker pools
>>> +are affected.  There was no vulnerability on earlier versions, as
>>> +proxy pools were not yet introduced.  The simplest workaround is to
>>> +globally configure:</description>
>>
>> It seems the following is missing here
>>
>> +<p>SetEnv proxy-nokeepalive 1</p>
>>
>> or similar.
>
> That's the OVAL.  The XSLT is using value-of rather than apply-templates
> so only picks up the first <p> within the <description>.  In fact the
> mitigation text there is not a description of the issue so would be
> better removed or marked up separately, and could probably be omitted
> from the OVAL either way.

Thanks for the explanation and sorry for the noise.

Rainer

Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml

Posted by Joe Orton <jo...@redhat.com>.
On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote:
> >--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
> >+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug  2 13:03:04 2010
> >@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
> >  </criteria>
> >  </criteria>
> >  </definition>
> >+<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
> >+<metadata>
> >+<title>Timeout detection flaw (mod_proxy_http)</title>
> >+<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
> >+<description>
> >+An information disclosure flaw was found in mod_proxy_http in version
> >+2.2.9 only, on Unix platforms.  Under certain timeout
> >+conditions, the server could return a response intended for another user.
> >+Only those configurations which trigger the use of proxy worker pools
> >+are affected.  There was no vulnerability on earlier versions, as
> >+proxy pools were not yet introduced.  The simplest workaround is to
> >+globally configure:</description>
> 
> It seems the following is missing here
> 
> +<p>SetEnv proxy-nokeepalive 1</p>
> 
> or similar.

That's the OVAL.  The XSLT is using value-of rather than apply-templates 
so only picks up the first <p> within the <description>.  In fact the 
mitigation text there is not a description of the issue so would be 
better removed or marked up separately, and could probably be omitted 
from the OVAL either way.

Regards, Joe
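
The truncation described in the reply above, as an added example (not the httpd site's stylesheet or tooling): a check that emulates XSLT 1.0 value-of taking only the first `<p>` and reports which advisory text would be lost. The SAMPLE document is constructed and abridged from the entry in the commit, and selecting the `<p>` children of `<description>` is an assumption about the stylesheet.

```python
import xml.etree.ElementTree as ET

# Constructed sample: abridged commit entry plus a placeholder one-paragraph entry.
SAMPLE = """<security>
<issue>
<cve name="CVE-2010-2791"/>
<description><p>
An information disclosure flaw was found in mod_proxy_http.  The simplest
workaround is to globally configure:</p>
<p>SetEnv proxy-nokeepalive 1</p>
</description>
</issue>
<issue>
<cve name="CVE-PLACEHOLDER"/>
<description><p>Constructed one-paragraph description.</p></description>
</issue>
</security>"""


def text_of(elem):
    """String value of an element: all descendant text, whitespace-collapsed."""
    return " ".join("".join(elem.itertext()).split())


def first_p_only(description):
    """Emulate XSLT 1.0 value-of over the <p> node-set: first node only."""
    paras = description.findall("p")
    return text_of(paras[0]) if paras else ""


def truncated_issues(xml_text):
    """List (cve, kept_text, dropped_paragraphs) for every issue whose
    description would lose text when only the first <p> is emitted."""
    findings = []
    for issue in ET.fromstring(xml_text).iter("issue"):
        desc = issue.find("description")
        paras = desc.findall("p") if desc is not None else []
        if len(paras) > 1:
            cve = issue.find("cve")
            name = cve.get("name") if cve is not None else "(no cve)"
            dropped = [text_of(p) for p in paras[1:]]
            findings.append((name, first_p_only(desc), dropped))
    return findings


if __name__ == "__main__":
    for name, kept, dropped in truncated_issues(SAMPLE):
        print(f"{name}: output ends {kept[-19:]!r}, dropped {dropped}")
```

Run against the advisory source before publishing, a non-empty result lists entries whose mitigation text would not reach the generated OVAL.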

Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml

Posted by Rainer Jung <ra...@kippdata.de>.
Hi Joe,

On 02.08.2010 15:03, jorton@apache.org wrote:
> Author: jorton
> Date: Mon Aug  2 13:03:04 2010
> New Revision: 981498
>
> URL: http://svn.apache.org/viewvc?rev=981498&view=rev
> Log:
> - add description of CVE-2010-2791
>
> Modified:
>      httpd/site/trunk/docs/security/vulnerabilities-oval.xml
>      httpd/site/trunk/docs/security/vulnerabilities_22.html
>      httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
>
> Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
> URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=981498&r1=981497&r2=981498&view=diff
> ==============================================================================
> --- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
> +++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug  2 13:03:04 2010
> @@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
>   </criteria>
>   </criteria>
>   </definition>
> +<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
> +<metadata>
> +<title>Timeout detection flaw (mod_proxy_http)</title>
> +<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
> +<description>
> +An information disclosure flaw was found in mod_proxy_http in version
> +2.2.9 only, on Unix platforms.  Under certain timeout
> +conditions, the server could return a response intended for another user.
> +Only those configurations which trigger the use of proxy worker pools
> +are affected.  There was no vulnerability on earlier versions, as
> +proxy pools were not yet introduced.  The simplest workaround is to
> +globally configure:</description>

It seems the following is missing here

+<p>SetEnv proxy-nokeepalive 1</p>

or similar.

> +<apache_httpd_repository>
> +<public>20100723</public>
> +<reported>20100723</reported>
> +<released>20081031</released>
...

Regards,

Rainer