Posted to cvs@httpd.apache.org by jo...@apache.org on 2010/08/02 15:03:04 UTC
svn commit: r981498 - in /httpd/site/trunk:
docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html
xdocs/security/vulnerabilities-httpd.xml
Author: jorton
Date: Mon Aug 2 13:03:04 2010
New Revision: 981498
URL: http://svn.apache.org/viewvc?rev=981498&view=rev
Log:
- add description of CVE-2010-2791
Modified:
httpd/site/trunk/docs/security/vulnerabilities-oval.xml
httpd/site/trunk/docs/security/vulnerabilities_22.html
httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=981498&r1=981497&r2=981498&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 13:03:04 2010
@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
</criteria>
</criteria>
</definition>
+<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
+<metadata>
+<title>Timeout detection flaw (mod_proxy_http)</title>
+<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
+<description>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms. Under certain timeout
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected. There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced. The simplest workaround is to
+globally configure:</description>
+<apache_httpd_repository>
+<public>20100723</public>
+<reported>20100723</reported>
+<released>20081031</released>
+<severity level="2">important</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:229" comment="the version of httpd is 2.2.9"/>
+</criteria>
+</criteria>
+</definition>
<definition id="oval:org.apache.httpd:def:20082364" version="1" class="vulnerability">
<metadata>
<title>mod_proxy_http DoS</title>
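Review bot: The added `<description>` ends on "The simplest workaround is to globally configure:" with nothing after the colon, so the OVAL definition promises a workaround it never states. Either carry the directive that the other two files show (`SetEnv proxy-nokeepalive 1`) into this text or end the description at "proxy pools were not yet introduced." Separately, the text limits the flaw to Unix platforms and to configurations that use proxy worker pools, while the only criterion is "the version of httpd is 2.2.9", so a scanner will flag every 2.2.9 install; if that over-reporting is accepted, say so in the criterion comment.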
Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=981498&r1=981497&r2=981498&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Mon Aug 2 13:03:04 2010
@@ -560,6 +560,29 @@ processed by the pattern preparation eng
<blockquote>
<dl>
<dd>
+<b>important: </b>
+<b>
+<name name="CVE-2010-2791">Timeout detection flaw (mod_proxy_http)</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791">CVE-2010-2791</a>
+<p>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms. Under certain timeout
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected. There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced. The simplest workaround is to
+globally configure:</p>
+<p>SetEnv proxy-nokeepalive 1</p>
+</dd>
+<dd>
+ Update Released: 31st October 2008<br />
+</dd>
+<dd>
+ Affects:
+ 2.2.9<p />
+</dd>
+<dd>
<b>low: </b>
<b>
<name name="CVE-2008-2939">mod_proxy_ftp globbing XSS</name>
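Review bot: The workaround at `+<p>SetEnv proxy-nokeepalive 1</p>` is a configuration directive rendered as an ordinary paragraph, so nothing sets it apart from the surrounding prose when an administrator copies it. Wrapping it in `<code>` (or `<pre>`) would make the exact directive text unambiguous. The entry also gives "Update Released: 31st October 2008" and "Affects: 2.2.9" but the added lines never name the release that carries the fix; if the enclosing section does not already say so, state it next to the workaround.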
Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=981498&r1=981497&r2=981498&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml [utf-8] Mon Aug 2 13:03:04 2010
@@ -442,6 +442,23 @@ to cross-site scripting (XSS) attacks.</
<affects prod="httpd" version="2.2.0"/>
</issue>
+<issue fixed="2.2.10" reported="20100723" public="20100723" released="20081031">
+<cve name="CVE-2010-2791"/>
+<severity level="2">important</severity>
+<title>Timeout detection flaw (mod_proxy_http)</title>
+<description><p>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms. Under certain timeout
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected. There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced. The simplest workaround is to
+globally configure:</p>
+<p>SetEnv proxy-nokeepalive 1</p>
+</description>
+<affects prod="httpd" version="2.2.9"/>
+</issue>
+
<issue fixed="2.0.64-dev" reported="20090903" public="20090803" released="">
<cve name="CVE-2009-3095"/>
<severity level="4">low</severity>
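Review bot: On the new `<issue>` line, `released="20081031"` is almost two years earlier than `reported="20100723"` and `public="20100723"`, and the description gives no hint why a fix was released before the issue was reported. If the dates are intended, a sentence in `<description>` noting that the fix was already present in 2.2.10 would stop readers from treating them as a typo. The second paragraph, `<p>SetEnv proxy-nokeepalive 1</p>`, is mitigation rather than description; a separate element would keep consumers that read only the first paragraph from ending on "globally configure:".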
Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml
docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml
Posted by Rainer Jung <ra...@kippdata.de>.
On 02.08.2010 15:47, Joe Orton wrote:
> On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote:
>>> --- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
>>> +++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 13:03:04 2010
>>> @@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
>>> </criteria>
>>> </criteria>
>>> </definition>
>>> +<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
>>> +<metadata>
>>> +<title>Timeout detection flaw (mod_proxy_http)</title>
>>> +<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
>>> +<description>
>>> +An information disclosure flaw was found in mod_proxy_http in version
>>> +2.2.9 only, on Unix platforms. Under certain timeout
>>> +conditions, the server could return a response intended for another user.
>>> +Only those configurations which trigger the use of proxy worker pools
>>> +are affected. There was no vulnerability on earlier versions, as
>>> +proxy pools were not yet introduced. The simplest workaround is to
>>> +globally configure:</description>
>>
>> It seems here is missing
>>
>> +<p>SetEnv proxy-nokeepalive 1</p>
>>
>> or similar.
>
> That's the OVAL. The XSLT is using value-of rather than apply-templates
> so only picks up the first <p> within the <description>. In fact the
> mitigation text there is not a description of the issue so would be
> better removed or marked up separately, and could probably be omitted
> from the OVAL either way.
Thanks for the explanation and sorry for the noise.
Rainer
Re: svn commit: r981498 - in /httpd/site/trunk:
docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html
xdocs/security/vulnerabilities-httpd.xml
Posted by Joe Orton <jo...@redhat.com>.
On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote:
> >--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
> >+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 13:03:04 2010
> >@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
> > </criteria>
> > </criteria>
> > </definition>
> >+<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
> >+<metadata>
> >+<title>Timeout detection flaw (mod_proxy_http)</title>
> >+<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
> >+<description>
> >+An information disclosure flaw was found in mod_proxy_http in version
> >+2.2.9 only, on Unix platforms. Under certain timeout
> >+conditions, the server could return a response intended for another user.
> >+Only those configurations which trigger the use of proxy worker pools
> >+are affected. There was no vulnerability on earlier versions, as
> >+proxy pools were not yet introduced. The simplest workaround is to
> >+globally configure:</description>
>
> It seems here is missing
>
> +<p>SetEnv proxy-nokeepalive 1</p>
>
> or similar.
That's the OVAL. The XSLT is using value-of rather than apply-templates
so only picks up the first <p> within the <description>. In fact the
mitigation text there is not a description of the issue so would be
better removed or marked up separately, and could probably be omitted
from the OVAL either way.
Regards, Joe
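The truncation Joe describes can be caught before publication. The following is an added example, not part of the thread or of the httpd site tooling: it assumes the stylesheet's value-of selects the `<p>` children of `<description>`, emulates that with the standard library, and flags entries whose exported text loses paragraphs. The sample XML and the `CVE-0000-0000` entry are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <issue> element in the commit; the
# second issue is a hypothetical single-paragraph control case.
SAMPLE = """\
<security>
<issue fixed="2.2.10" reported="20100723" public="20100723" released="20081031">
<cve name="CVE-2010-2791"/>
<description><p>
An information disclosure flaw was found in mod_proxy_http in version
2.2.9 only, on Unix platforms. The simplest workaround is to
globally configure:</p>
<p>SetEnv proxy-nokeepalive 1</p>
</description>
</issue>
<issue fixed="0.0.0">
<cve name="CVE-0000-0000"/>
<description><p>Constructed text that is complete on its own.</p></description>
</issue>
</security>
"""


def first_p_string_value(description):
    """Emulate XSLT 1.0 value-of on a node-set: string value of the first <p> only."""
    first = description.find("p")  # assumption: the stylesheet selects the <p> children
    return " ".join("".join(first.itertext()).split()) if first is not None else ""


def lint_issues(xml_text):
    """Return {cve: [problems]} for descriptions that lose content under value-of."""
    findings = {}
    for issue in ET.fromstring(xml_text).iter("issue"):
        cve = issue.find("cve").get("name")
        desc = issue.find("description")
        exported = first_p_string_value(desc)
        problems = []
        dropped = len(desc.findall("p")) - 1
        if dropped > 0:
            problems.append(f"{dropped} paragraph(s) dropped from export")
        if exported.endswith(":"):
            problems.append("exported text ends with a dangling colon")
        if problems:
            findings[cve] = problems
    return findings


if __name__ == "__main__":
    for cve, problems in lint_issues(SAMPLE).items():
        print(cve, "->", "; ".join(problems))
```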
Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml
docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml
Posted by Rainer Jung <ra...@kippdata.de>.
Hi Joe,
On 02.08.2010 15:03, jorton@apache.org wrote:
> Author: jorton
> Date: Mon Aug 2 13:03:04 2010
> New Revision: 981498
>
> URL: http://svn.apache.org/viewvc?rev=981498&view=rev
> Log:
> - add description of CVE-2010-2791
>
> Modified:
> httpd/site/trunk/docs/security/vulnerabilities-oval.xml
> httpd/site/trunk/docs/security/vulnerabilities_22.html
> httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
>
> Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
> URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=981498&r1=981497&r2=981498&view=diff
> ==============================================================================
> --- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
> +++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 13:03:04 2010
> @@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
> </criteria>
> </criteria>
> </definition>
> +<definition id="oval:org.apache.httpd:def:20102791" version="1" class="vulnerability">
> +<metadata>
> +<title>Timeout detection flaw (mod_proxy_http)</title>
> +<reference source="CVE" ref_id="CVE-2010-2791" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
> +<description>
> +An information disclosure flaw was found in mod_proxy_http in version
> +2.2.9 only, on Unix platforms. Under certain timeout
> +conditions, the server could return a response intended for another user.
> +Only those configurations which trigger the use of proxy worker pools
> +are affected. There was no vulnerability on earlier versions, as
> +proxy pools were not yet introduced. The simplest workaround is to
> +globally configure:</description>
It seems here is missing
+<p>SetEnv proxy-nokeepalive 1</p>
or similar.
> +<apache_httpd_repository>
> +<public>20100723</public>
> +<reported>20100723</reported>
> +<released>20081031</released>
...
Regards,
Rainer