Posted to cvs@httpd.apache.org by mj...@apache.org on 2011/09/14 10:47:24 UTC

svn commit: r1170476 - in /httpd/site/trunk/docs/security: vulnerabilities-oval.xml vulnerabilities_22.html

Author: mjc
Date: Wed Sep 14 08:47:24 2011
New Revision: 1170476

URL: http://svn.apache.org/viewvc?rev=1170476&view=rev
Log:
Clean up CVE-2011-3348

Modified:
    httpd/site/trunk/docs/security/vulnerabilities-oval.xml
    httpd/site/trunk/docs/security/vulnerabilities_22.html

Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=1170476&r1=1170475&r2=1170476&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Wed Sep 14 08:47:24 2011
@@ -12,8 +12,9 @@
 <description>
 A flaw was found when mod_proxy_ajp is used together with
 mod_proxy_balancer.  Given a specific configuration, a remote attacker
-could use unrecognized HTTP methods to mark ajp: balancer members in
-an error state.  This could be used in a denial of service attack.</description>
+could send certain malformed HTTP requests, putting a backend server
+into an error state until the retry timeout expired.
+This could lead to a temporary denial of service.</description>
 <apache_httpd_repository>
 <public>20110914</public>
 <reported>20110907</reported>
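Review bot: The reworded description still says "Given a specific configuration" without naming it, and the replacement lines drop the one concrete detail the old text had, that the members affected are ajp: balancer members, so "a backend server" now reads as any backend. Consider keeping the ajp: qualifier and naming the configuration that is required, so that someone reading the OVAL description can tell whether their setup is exposed.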
@@ -32,16 +33,6 @@ an error state.  This could be used in a
 <criterion test_ref="oval:org.apache.httpd:tst:2214" comment="the version of httpd is 2.2.14"/>
 <criterion test_ref="oval:org.apache.httpd:tst:2213" comment="the version of httpd is 2.2.13"/>
 <criterion test_ref="oval:org.apache.httpd:tst:2212" comment="the version of httpd is 2.2.12"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2211" comment="the version of httpd is 2.2.11"/>
-<criterion test_ref="oval:org.apache.httpd:tst:2210" comment="the version of httpd is 2.2.10"/>
-<criterion test_ref="oval:org.apache.httpd:tst:229" comment="the version of httpd is 2.2.9"/>
-<criterion test_ref="oval:org.apache.httpd:tst:228" comment="the version of httpd is 2.2.8"/>
-<criterion test_ref="oval:org.apache.httpd:tst:226" comment="the version of httpd is 2.2.6"/>
-<criterion test_ref="oval:org.apache.httpd:tst:225" comment="the version of httpd is 2.2.5"/>
-<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
-<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
-<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
-<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
 </criteria>
 </criteria>
 </definition>
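Review bot: The ten removed criteria (2.2.11 down to 2.2.0) make any scanner consuming this definition stop flagging those versions, but the log message, "Clean up CVE-2011-3348", gives no basis for the new lower bound of 2.2.12. Please record in the commit log why 2.2.11 and earlier are not affected, so the narrowing can be checked later.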

Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=1170476&r1=1170475&r2=1170476&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html [utf-8] Wed Sep 14 08:47:24 2011
@@ -109,8 +109,9 @@ Team</a>.  </p>
 <p>
 A flaw was found when mod_proxy_ajp is used together with
 mod_proxy_balancer.  Given a specific configuration, a remote attacker
-could use unrecognized HTTP methods to mark ajp: balancer members in
-an error state.  This could be used in a denial of service attack.</p>
+could send certain malformed HTTP requests, putting a backend server
+into an error state until the retry timeout expired.
+This could lead to a temporary denial of service.</p>
 </dd>
 <dd>
   Reported to security team: 7th September 2011<br />
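Review bot: "temporary denial of service" in the last added line rests on "until the retry timeout expired", but the text does not say whether a further malformed request after the timeout puts the backend back into the error state. If it does, "temporary" understates the impact under repeated requests; worth confirming and wording accordingly, while keeping this paragraph identical to the OVAL description.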
@@ -119,7 +120,7 @@ an error state.  This could be used in a
 </dd>
 <dd>
       Affected: 
-    2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
+    2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12<p />
 </dd>
 </dl>
   </blockquote>
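Review bot: The new Affected line stops at 2.2.12, which matches the criteria left in vulnerabilities-oval.xml, but the entry itself gives readers no reason for the cutoff. A short sentence in the entry stating why 2.2.11 and earlier are unaffected would save administrators on those versions from guessing.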