Posted to cvs@httpd.apache.org by wr...@apache.org on 2010/06/11 21:19:00 UTC

svn commit: r138 - in /release/httpd: binaries/win32/ patches/apply_to_2.2.15/ patches/apply_to_2.3.5/

Author: wrowe
Date: Fri Jun 11 19:18:59 2010
New Revision: 138

Log:
Publication of CVE-2010-2068

Added:
    release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip   (with props)
    release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.asc   (with props)
    release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.md5   (with props)
    release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.sha1   (with props)
    release/httpd/patches/apply_to_2.2.15/
    release/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch   (with props)
    release/httpd/patches/apply_to_2.3.5/
    release/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch   (with props)
Modified:
    release/httpd/binaries/win32/README.html

Modified: release/httpd/binaries/win32/README.html
==============================================================================
--- release/httpd/binaries/win32/README.html (original)
+++ release/httpd/binaries/win32/README.html Fri Jun 11 19:18:59 2010
@@ -92,6 +92,11 @@
 
 <h2><a name="released">The current stable release is Apache 2.2.15</a></h2>
 
+<p><strong>Notice:</strong> This release has a significant security issue
+if used on Windows (or Netware, or OS2) for mod_proxy_http worker pooling.
+Replace this module with the patched mod_proxy_http-CVE-2010-2068.zip 
+flavor when using the 2.2.15 binary packages above.</p>
+
 <p>Apache 2.2.15 offers tremendous improvements in authentication, proxy, 
    and cache features.  The Apache HTTP Project encourages all Apache users
    to migrate to the 2.2 series.  Apache 2.2 is not compatable with modules
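
Review bot: The added notice paragraph tells Windows, Netware and OS2 users to swap in the patched module but gives them nothing to act on in the meantime and no way to check what they downloaded. Name the CVE in the sentence itself rather than only in the zip filename, mention the interim workaround from the patch header (SetEnv proxy-nokeepalive 1), and point to the .asc signature published alongside the zip plus http://httpd.apache.org/security_report.html. The notice also says "significant security issue" without saying what is at risk; the patch header's wording (a proxied response may be served to a different client) would let readers judge urgency.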

Added: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.asc
==============================================================================
--- release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.asc (added)
+++ release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.asc Fri Jun 11 19:18:59 2010
@@ -0,0 +1,17 @@

Propchange: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.asc
------------------------------------------------------------------------------
    svn:eol-style = native

Added: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.md5
==============================================================================
--- release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.md5 (added)
+++ release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.md5 Fri Jun 11 19:18:59 2010
@@ -0,0 +1 @@
+03207411ea1e846bb9c52dca3f981614 *mod_proxy_http-CVE-2010-2068.zip
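
Review bot: The one added line publishes an MD5 digest for a security-fix binary, and MD5 only protects against accidental corruption, not a deliberately substituted file. Keep it if mirrors expect it, but the README notice should direct users to verify the detached .asc signature added in this same commit and treat the .md5 and .sha1 files as download-integrity checks only.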

Propchange: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.md5
------------------------------------------------------------------------------
    svn:eol-style = native

Added: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.sha1
==============================================================================
--- release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.sha1 (added)
+++ release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.sha1 Fri Jun 11 19:18:59 2010
@@ -0,0 +1 @@
+b48b750d712d91ac03d6bd89b2ec4b6bc30e9ffa *mod_proxy_http-CVE-2010-2068.zip

Propchange: release/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip.sha1
------------------------------------------------------------------------------
    svn:eol-style = native

Added: release/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch
==============================================================================
--- release/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch (added)
+++ release/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch Fri Jun 11 19:18:59 2010
@@ -0,0 +1,65 @@
+#
+# CVE-2010-2068; Timeout detection flaw causes proxied response to be sent
+#                as the response to a different request, and potentially served
+#                to a different client, from the HTTP proxy pool worker pipeline.
+#                This may represent a confidential data revealing flaw.
+#
+# Only affects mod_proxy_http.c on Windows, Netware and OS2 platforms.
+#
+# Is only triggered by proxy pools configured for timeouts shorter than the 
+# backend server response delay.
+#
+# Only affects httpd versions 2.2.9 through 2.2.15, 2.3.4-alpha, 2.3.5-alpha.
+# Note that versions prior to 2.2.9 were not affected, including 1.3 and 2.0,
+# as the proxy worker pool feature was not yet introduced.
+#
+# No deliberate exploits are known at this time, however affected users are 
+# cautioned to assume it may be maliciously exploited in the future.
+#
+# The straightforward workaround to disable mod_proxy_http's reuse of backend
+# connection pipelines is to set the following global directive;
+#
+#  SetEnv proxy-nokeepalive 1
+#
+# This workaround bypasses all ProxyPass/ProxySet pool options which trigger
+# connection pipelines, allowing them to remain in the configuration file
+# until the patched module can be deployed.
+#
+# Binary versions of this patched module for Windows and Netware may be found 
+# in the corresponding http://www.apache.org/dist/httpd/binaries/ platform
+# distribution tree, until new 2.2 and 2.3-alpha releases become available.
+#
+# Further details organized by httpd release may be available from;
+#
+#   http://httpd.apache.org/security_report.html
+#
+#
+--- ../httpd-2.2.15/modules/proxy/mod_proxy_http.c	Sat Feb 27 13:49:36 2010
++++ modules/proxy/mod_proxy_http.c	Fri Jun 11 12:54:18 2010
+@@ -1401,7 +1401,7 @@
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r,
+                           "proxy: error reading status line from remote "
+                           "server %s", backend->hostname);
+-            if (rc == APR_TIMEUP) {
++            if (APR_STATUS_IS_TIMEUP(rc)) {
+                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                               "proxy: read timeout");
+             }
+@@ -1417,7 +1417,7 @@
+              * we normally would handle timeouts
+              */
+             if (r->proxyreq == PROXYREQ_REVERSE && c->keepalives &&
+-                rc != APR_TIMEUP) {
++                !APR_STATUS_IS_TIMEUP(rc)) {
+                 apr_bucket *eos;
+ 
+                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+@@ -1449,6 +1449,8 @@
+                     APR_BUCKET_INSERT_BEFORE(eos, e);
+                 }
+                 ap_pass_brigade(r->output_filters, bb);
++                /* Mark the backend connection for closing */
++                backend->close = 1;
+                 /* Need to return OK to avoid sending an error message */
+                 return OK;
+             }
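
Review bot: In the third embedded hunk (@@ -1449,6 +1449,8 @@), backend->close = 1 is set only on the branch that passes the brigade and returns OK, and the new comment says what the line does but not why it is needed. Expand the comment to state that a backend which answers late must not have its response read as the reply to the next request on a reused connection, and confirm that the other exit taken after a failed status-line read (when the condition changed in the second hunk is false) also keeps the connection out of the pool. For the first two hunks, the switch from comparing rc against APR_TIMEUP to APR_STATUS_IS_TIMEUP(rc) matches the header's platform list, since the macro also accepts platform-specific timeout codes that an equality test misses; it is worth checking the rest of modules/proxy for the same equality pattern. The embedded file headers use different path depths (../httpd-2.2.15/modules/... versus modules/...), so the header comment should say which directory and strip level to apply from.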

Propchange: release/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch
------------------------------------------------------------------------------
    svn:eol-style = native

Added: release/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch
==============================================================================
--- release/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch (added)
+++ release/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch Fri Jun 11 19:18:59 2010
@@ -0,0 +1,67 @@
+#
+# CVE-2010-2068; Timeout detection flaw causes proxied response to be sent
+#                as the response to a different request, and potentially served
+#                to a different client, from the HTTP proxy pool worker pipeline.
+#                This may represent a confidential data revealing flaw.
+#
+# Only affects mod_proxy_http.c on Windows, Netware and OS2 platforms.
+#
+# Is only triggered by proxy pools configured for timeouts shorter than the 
+# backend server response delay.
+#
+# Only affects httpd versions 2.2.9 through 2.2.15, 2.3.4-alpha, 2.3.5-alpha.
+# Note that versions prior to 2.2.9 were not affected, including 1.3 and 2.0,
+# as the proxy worker pool feature was not yet introduced.
+#
+# No deliberate exploits are known at this time, however affected users are 
+# cautioned to assume it may be maliciously exploited in the future.
+#
+# The straightforward workaround to disable mod_proxy_http's reuse of backend
+# connection pipelines is to set the following global directive;
+#
+#  SetEnv proxy-nokeepalive 1
+#
+# This workaround bypasses all ProxyPass/ProxySet pool options which trigger
+# connection pipelines, allowing them to remain in the configuration file
+# until the patched module can be deployed.
+#
+# Binary versions of this patched module for Windows and Netware may be found 
+# in the corresponding http://www.apache.org/dist/httpd/binaries/ platform
+# distribution tree, until new 2.2 and 2.3-alpha releases become available.
+#
+# Further details organized by httpd release may be available from;
+#
+#   http://httpd.apache.org/security_report.html
+#
+#
+Index: modules/proxy/mod_proxy_http.c
+===================================================================
+--- modules/proxy/mod_proxy_http.c	(revision 953823)
++++ modules/proxy/mod_proxy_http.c	(working copy)
+@@ -1396,7 +1396,7 @@
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r,
+                           "proxy: error reading status line from remote "
+                           "server %s", backend->hostname);
+-            if (rc == APR_TIMEUP) {
++            if (APR_STATUS_IS_TIMEUP(rc)) {
+                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                               "proxy: read timeout");
+             }
+@@ -1412,7 +1412,7 @@
+              * we normally would handle timeouts
+              */
+             if (r->proxyreq == PROXYREQ_REVERSE && c->keepalives &&
+-                rc != APR_TIMEUP) {
++                !APR_STATUS_IS_TIMEUP(rc)) {
+                 apr_bucket *eos;
+ 
+                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+@@ -1444,6 +1444,8 @@
+                     APR_BUCKET_INSERT_BEFORE(eos, e);
+                 }
+                 ap_pass_brigade(r->output_filters, bb);
++                /* Mark the backend connection for closing */
++                backend->close = 1;
+                 /* Need to return OK to avoid sending an error message */
+                 return OK;
+             }
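
Review bot: The embedded diff header reads (revision 953823) and (working copy) while the file is named CVE-2010-2068-r953418.patch, so the patch's provenance is unclear from the file alone. State in the header comment which revision carries the fix and which tree the diff was generated against, so users applying it to 2.3.5 can tell whether the line offsets (1396, 1412, 1444) are expected to match. The header comment block is a verbatim copy of the one in the 2.2.15 patch, including the note about Windows and Netware binaries; if no patched binary is published for the 2.3 alphas, that paragraph should say so here.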

Propchange: release/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch
------------------------------------------------------------------------------
    svn:eol-style = native