Posted to cvs@httpd.apache.org by wr...@apache.org on 2010/06/11 21:19:00 UTC
svn commit: r138 - in /release/httpd: binaries/win32/
patches/apply_to_2.2.15/ patches/apply_to_2.3.5/
Author: wrowe
Date: Fri Jun 11 19:18:59 2010
New Revision: 138
Log:
Publication of CVE-2010-2068
Added:
release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip (with props)
release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.asc (with props)
release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.md5 (with props)
release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.sha1 (with props)
release/httpd/patches/apply_to_2.2.15/
release/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch (with props)
release/httpd/patches/apply_to_2.3.5/
release/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch (with props)
Modified:
release/httpd/binaries/win32/README.html
Modified: release/httpd/binaries/win32/README.html
==============================================================================
--- release/httpd/binaries/win32/README.html (original)
+++ release/httpd/binaries/win32/README.html Fri Jun 11 19:18:59 2010
@@ -92,6 +92,11 @@
<h2><a name="released">The current stable release is Apache 2.2.15</a></h2>
+<p><strong>Notice:</strong> This release has a significant security issue
+if used on Windows (or Netware, or OS2) for mod_proxy_http worker pooling.
+Replace this module with the patched mod_proxy_http-CVE-2010-2068.zip
+flavor when using the 2.2.15 binary packages above.</p>
+
<p>Apache 2.2.15 offers tremendous improvements in authentication, proxy,
and cache features. The Apache HTTP Project encourages all Apache users
to migrate to the 2.2 series. Apache 2.2 is not compatable with modules
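Review bot: The added notice names mod_proxy_http-CVE-2010-2068.zip as plain text with no link, and does not point to the .asc signature committed beside it, so a reader of the page has nothing to follow or verify against. Suggest making the file name a link to the zip, linking the .asc next to it, and mentioning the interim workaround from the patch header (SetEnv proxy-nokeepalive 1) for users who cannot swap the module immediately. The notice also says "This release" although the patch header lists 2.2.9 through 2.2.15 as affected; the range is worth stating here.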
Added: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.asc
==============================================================================
--- release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.asc (added)
+++ release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.asc Fri Jun 11 19:18:59 2010
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (MingW32)
+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+=/3Hz
+-----END PGP SIGNATURE-----
Propchange: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.asc
------------------------------------------------------------------------------
svn:eol-style = native
Added: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.md5
==============================================================================
--- release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.md5 (added)
+++ release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.md5 Fri Jun 11 19:18:59 2010
@@ -0,0 +1 @@
+03207411ea1e846bb9c52dca3f981614 *mod_proxy_http-CVE-2010-2068.zip
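Review bot: The one line added here is an MD5 digest, and the only other digest in this commit is SHA-1; neither is collision resistant, so they detect a damaged download but do not authenticate a security-fix binary. Suggest also publishing a SHA-256 file and having the README notice direct users to verify the .zip.asc signature rather than the checksums.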
Propchange: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.md5
------------------------------------------------------------------------------
svn:eol-style = native
Added: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.sha1
==============================================================================
--- release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.sha1 (added)
+++ release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.sha1 Fri Jun 11 19:18:59 2010
@@ -0,0 +1 @@
+b48b750d712d91ac03d6bd89b2ec4b6bc30e9ffa *mod_proxy_http-CVE-2010-2068.zip
Propchange: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.sha1
------------------------------------------------------------------------------
svn:eol-style = native
Added: release/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch
==============================================================================
--- release/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch (added)
+++ release/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch Fri Jun 11 19:18:59 2010
@@ -0,0 +1,65 @@
+#
+# CVE-2010-2068; Timeout detection flaw causes proxied response to be sent
+# as the response to a different request, and potentially served
+# to a different client, from the HTTP proxy pool worker pipeline.
+# This may represent a confidential data revealing flaw.
+#
+# Only affects mod_proxy_http.c on Windows, Netware and OS2 platforms.
+#
+# Is only triggered by proxy pools configured for timeouts shorter than the
+# backend server response delay.
+#
+# Only affects httpd versions 2.2.9 through 2.2.15, 2.3.4-alpha, 2.3.5-alpha.
+# Note that versions prior to 2.2.9 were not affected, including 1.3 and 2.0,
+# as the proxy worker pool feature was not yet introduced.
+#
+# No deliberate exploits are known at this time, however affected users are
+# cautioned to assume it may be maliciously exploited in the future.
+#
+# The straightforward workaround to disable mod_proxy_http's reuse of backend
+# connection pipelines is to set the following global directive;
+#
+# SetEnv proxy-nokeepalive 1
+#
+# This workaround bypasses all ProxyPass/ProxySet pool options which trigger
+# connection pipelines, allowing them to remain in the configuration file
+# until the patched module can be deployed.
+#
+# Binary versions of this patched module for Windows and Netware may be found
+# in the corresponding http://www.apache.org/dist/httpd/binaries/ platform
+# distribution tree, until new 2.2 and 2.3-alpha releases become available.
+#
+# Further details organized by httpd release may be available from;
+#
+# http://httpd.apache.org/security_report.html
+#
+#
+--- ../httpd-2.2.15/modules/proxy/mod_proxy_http.c Sat Feb 27 13:49:36 2010
++++ modules/proxy/mod_proxy_http.c Fri Jun 11 12:54:18 2010
+@@ -1401,7 +1401,7 @@
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r,
+ "proxy: error reading status line from remote "
+ "server %s", backend->hostname);
+- if (rc == APR_TIMEUP) {
++ if (APR_STATUS_IS_TIMEUP(rc)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "proxy: read timeout");
+ }
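Review bot: The switch from "rc == APR_TIMEUP" to "APR_STATUS_IS_TIMEUP(rc)" at the "proxy: read timeout" check carries no code comment saying why the equality test is wrong, and this first site only guards an APLOG_DEBUG message. Since the patch header limits the flaw to Windows, Netware and OS2, the timeout status on those platforms evidently does not always compare equal to APR_TIMEUP; a one-line comment to that effect here would keep a later cleanup from reverting to the direct comparison.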
+@@ -1417,7 +1417,7 @@
+ * we normally would handle timeouts
+ */
+ if (r->proxyreq == PROXYREQ_REVERSE && c->keepalives &&
+- rc != APR_TIMEUP) {
++ !APR_STATUS_IS_TIMEUP(rc)) {
+ apr_bucket *eos;
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
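Review bot: This condition ("rc != APR_TIMEUP" becoming "!APR_STATUS_IS_TIMEUP(rc)") decides whether a timed-out read enters the reverse-proxy keepalive branch, and the same direct comparison appeared twice within about twenty lines of this file. Suggest searching the rest of mod_proxy_http.c and the other proxy modules for remaining direct comparisons against APR_TIMEUP and converting them in the same patch, or stating in the header comment that these two were the only sites.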
+@@ -1449,6 +1449,8 @@
+ APR_BUCKET_INSERT_BEFORE(eos, e);
+ }
+ ap_pass_brigade(r->output_filters, bb);
++ /* Mark the backend connection for closing */
++ backend->close = 1;
+ /* Need to return OK to avoid sending an error message */
+ return OK;
+ }
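Review bot: "backend->close = 1" is set only on this "return OK" path and only after ap_pass_brigade(), whose return value is ignored, and the new comment says what is done but not why. Suggest moving the assignment ahead of the brigade pass so the backend is marked before any output work, expanding the comment to say that a backend which failed to deliver a status line must not go back to the pool (the response mix-up described in the patch header), and confirming that the other exits from this error block also prevent reuse.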
Propchange: release/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch
------------------------------------------------------------------------------
svn:eol-style = native
Added: release/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch
==============================================================================
--- release/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch (added)
+++ release/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch Fri Jun 11 19:18:59 2010
@@ -0,0 +1,67 @@
+#
+# CVE-2010-2068; Timeout detection flaw causes proxied response to be sent
+# as the response to a different request, and potentially served
+# to a different client, from the HTTP proxy pool worker pipeline.
+# This may represent a confidential data revealing flaw.
+#
+# Only affects mod_proxy_http.c on Windows, Netware and OS2 platforms.
+#
+# Is only triggered by proxy pools configured for timeouts shorter than the
+# backend server response delay.
+#
+# Only affects httpd versions 2.2.9 through 2.2.15, 2.3.4-alpha, 2.3.5-alpha.
+# Note that versions prior to 2.2.9 were not affected, including 1.3 and 2.0,
+# as the proxy worker pool feature was not yet introduced.
+#
+# No deliberate exploits are known at this time, however affected users are
+# cautioned to assume it may be maliciously exploited in the future.
+#
+# The straightforward workaround to disable mod_proxy_http's reuse of backend
+# connection pipelines is to set the following global directive;
+#
+# SetEnv proxy-nokeepalive 1
+#
+# This workaround bypasses all ProxyPass/ProxySet pool options which trigger
+# connection pipelines, allowing them to remain in the configuration file
+# until the patched module can be deployed.
+#
+# Binary versions of this patched module for Windows and Netware may be found
+# in the corresponding http://www.apache.org/dist/httpd/binaries/ platform
+# distribution tree, until new 2.2 and 2.3-alpha releases become available.
+#
+# Further details organized by httpd release may be available from;
+#
+# http://httpd.apache.org/security_report.html
+#
+#
+Index: modules/proxy/mod_proxy_http.c
+===================================================================
+--- modules/proxy/mod_proxy_http.c (revision 953823)
++++ modules/proxy/mod_proxy_http.c (working copy)
+@@ -1396,7 +1396,7 @@
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r,
+ "proxy: error reading status line from remote "
+ "server %s", backend->hostname);
+- if (rc == APR_TIMEUP) {
++ if (APR_STATUS_IS_TIMEUP(rc)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "proxy: read timeout");
+ }
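Review bot: The file header above this hunk says the diff was taken against "(revision 953823)" with a "(working copy)" target, while the patch file is named CVE-2010-2068-r953418.patch. Suggest regenerating it from the committed revision, or noting in the header comment how r953418 relates to 953823, so users can confirm which change they are applying.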
+@@ -1412,7 +1412,7 @@
+ * we normally would handle timeouts
+ */
+ if (r->proxyreq == PROXYREQ_REVERSE && c->keepalives &&
+- rc != APR_TIMEUP) {
++ !APR_STATUS_IS_TIMEUP(rc)) {
+ apr_bucket *eos;
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+@@ -1444,6 +1444,8 @@
+ APR_BUCKET_INSERT_BEFORE(eos, e);
+ }
+ ap_pass_brigade(r->output_filters, bb);
++ /* Mark the backend connection for closing */
++ backend->close = 1;
+ /* Need to return OK to avoid sending an error message */
+ return OK;
+ }
Propchange: release/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch
------------------------------------------------------------------------------
svn:eol-style = native