Gentoo Full Text Bug Listing

Bug 227111 - www-servers/apache <2.2.9 CSRF and DoS (CVE-2007-6420,CVE-2008-2364)

Bug#: 227111	Product: Gentoo Security	Version: unspecified	Platform: All
OS/Version: Linux	Status: RESOLVED	Severity: normal	Priority: P2
Resolution: FIXED	Assigned To: security@gentoo.org	Reported By: limanski@narod.ru
Component: Vulnerabilities
URL: http://www.apache.org/dist/httpd/CHANGES_2.2.9
Summary: www-servers/apache <2.2.9 CSRF and DoS (CVE-2007-6420,CVE-2008-2364)
Keywords:
Status Whiteboard: A3 [glsa]
Opened: 2008-06-15 10:33 0000

Description:

Opened: 2008-06-15 10:33 0000

Apache httpd 2.2.9 was released. It's bugfix release, some bugs are sequrity
related.

Reproducible: Always

Steps to Reproduce:

------- Comment #1 From Carsten Lohrke 2008-06-15 14:58:39 0000 -------

  *) SECURITY: CVE-2008-2364 (cve.mitre.org)
     mod_proxy_http: Better handling of excessive interim responses
     from origin server to prevent potential denial of service and high
     memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
     Joe Orton, Jim Jagielski]

  *) SECURITY: CVE-2007-6420 (cve.mitre.org)
     mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
     interface.  [Joe Orton]

------- Comment #2 From Carsten Lohrke 2008-06-15 15:23:57 0000 -------

Eh, assign...

------- Comment #3 From Benedikt Böhm 2008-06-15 16:10:14 0000 -------

2.2.9 in cvs, ready for stabilization

------- Comment #4 From Robert Buchholz 2008-06-15 17:54:49 0000 -------

Arches, please test and mark stable:
=www-servers/apache-2.2.9
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc
x86"

------- Comment #5 From Tobias Scherbaum 2008-06-15 19:00:13 0000 -------

ppc stable

------- Comment #6 From Jeroen Roovers 2008-06-16 00:35:18 0000 -------

Stable for HPPA.

------- Comment #7 From Christian Faulhammer 2008-06-16 07:23:02 0000 -------

x86 stable

------- Comment #8 From Benedikt Böhm 2008-06-16 11:42:29 0000 -------

amd64 stable

------- Comment #9 From Raúl Porcel 2008-06-16 13:32:30 0000 -------

alpha/ia64/sparc stable

------- Comment #10 From Brent Baude 2008-06-16 16:16:54 0000 -------

ppc64 done

------- Comment #11 From Peter Volkov 2008-06-16 16:49:02 0000 -------

Fixed in release snapshot.

------- Comment #12 From Robert Buchholz 2008-07-09 22:01:14 0000 -------

GLSA 200807-06