new version Reproducible: Always
From $URL: A flaw was found in the handling of requests by mod_cache and mod_dav. A malicious remote attacker could send a carefully crafted request and cause a httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the uncommon "CacheIgnoreURLSessionIdentifiers" directive, introduced in version 2.2.14, is used. The CVE-2010-2068 issue only affects Windows. Rating C3 as the configuration needed for exploitation is quite specific.
CVE-2010-1452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1452): The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path.
Looks like it's time for a bump to stable.
apache herd: please provide an updated ebuild.
My apache keeps crashing, targeted by some sort of dos-attack. I suspect it might be because of this vulnerability. Could we get please the new apache-version into portage? At least masked. It is more than month a new version has been released by Apache Software Foundation, and since this bug has been published. Probably exploits start running in the wild! I definitelly do not consider this as "minor severity"...
2.2.16 in cvs
Arches, please test and mark stable: =www-servers/apache-2.2.16 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 done
@Hollow: It's ok to call arches yourself so that there is no delay with stabilization.
Stable for PPC.
x86 stable
CVE-2010-2791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2791): mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.
alpha/arm/ia64/s390/sh/sparc stable
*** Bug 336030 has been marked as a duplicate of this bug. ***
ppc64 done
stable on hppa
GLSA Vote: Yes, unauthenticated DoS in (what I think is) a common module.
GLSA together with #308049.
This issue was resolved and addressed in GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml by GLSA coordinator Tobias Heinlein (keytoaster).