308049 – (CVE-2010-0408) <www-servers/apache-2.2.15 multiple vulnerabilites (CVE-2010-{0408,0434})

Bug 308049 (CVE-2010-0408) - <www-servers/apache-2.2.15 multiple vulnerabilites (CVE-2010-{0408,0434})

Summary: <www-servers/apache-2.2.15 multiple vulnerabilites (CVE-2010-{0408,0434})

Status:	RESOLVED FIXED

Alias:	CVE-2010-0408

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://svn.apache.org/viewvc/httpd/ht...
Whiteboard:	B3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2010-03-06 15:38 UTC by Stefan Behte (RETIRED)
Modified:	2012-06-24 14:28 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Behte (RETIRED) gentoo-dev

2010-03-06 15:38:49 UTC

CVE-2010-0408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0408):
  The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp
  in the Apache HTTP Server 2.2.x before 2.2.15 does not properly
  handle certain situations in which a client sends no request body,
  which allows remote attackers to cause a denial of service (backend
  server outage) via a crafted request, related to use of a 500 error
  code instead of the appropriate 400 error code.

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2010-03-06 15:47:23 UTC

CVE-2010-0434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434):
  The ap_read_request function in server/protocol.c in the Apache HTTP
  Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does
  not properly handle headers in subrequests in certain circumstances
  involving a parent request that has a body, which might allow remote
  attackers to obtain sensitive information via a crafted request that
  triggers access to memory locations associated with an earlier
  request.

Comment 2 Benedikt Böhm (RETIRED) gentoo-dev

2010-03-07 11:48:57 UTC

2.2.15 in cvs

Comment 3 Hanno Böck gentoo-dev

2010-03-07 16:14:24 UTC

To really fix the ssl renegotiation issue, 2.2.15 should depend on openssl 0.9.8m and we should stabilize it together.

Comment 4 Benedikt Böhm (RETIRED) gentoo-dev

2010-03-07 16:20:22 UTC

(In reply to comment #3)
> To really fix the ssl renegotiation issue, 2.2.15 should depend on openssl
> 0.9.8m and we should stabilize it together.

i've updated the dependencies in 2.2.15

Comment 5 Hanno Böck gentoo-dev

2010-03-27 18:23:37 UTC

Archs, please stabilize.

Comment 6 Christian Faulhammer (RETIRED) gentoo-dev

2010-03-29 14:04:43 UTC

x86 stable

Comment 7 Markus Meier gentoo-dev

2010-03-29 21:52:06 UTC

amd64/arm stable

Comment 8 Brent Baude (RETIRED) gentoo-dev

2010-03-31 14:49:21 UTC

ppc done

Comment 9 Brent Baude (RETIRED) gentoo-dev

2010-03-31 14:51:23 UTC

ppc64 done

Comment 10 Raúl Porcel (RETIRED) gentoo-dev

2010-03-31 18:44:02 UTC

alpha/arm/ia64/s390/sh/sparc stable

Comment 11 Guy Martin (RETIRED) gentoo-dev

2010-04-04 09:43:23 UTC

hppa stable

Comment 12 Alex Legler (RETIRED) archtester

2010-04-04 10:01:59 UTC

Guy, please don't close security bugs.

GLSA vote: YES.

Comment 13 Stefan Behte (RETIRED) gentoo-dev

2010-07-14 18:12:28 UTC

Yes, too, glsa request filed.

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2012-06-24 14:28:42 UTC

This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).