Bug 330195 (CVE-2010-1452) - <www-servers/apache-2.2.16: multiple vulnerabilities DoS (CVE-2010-{1452,2791})
Status: RESOLVED FIXED
Alias: CVE-2010-1452
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://httpd.apache.org/security/vuln...
Whiteboard: C3 [glsa]
Duplicates: 336030
Reported: 2010-07-28 12:28 UTC by Marcin Mirosław
Modified: 2012-06-24 14:28 UTC
Description Marcin Mirosław 2010-07-28 12:28:23 UTC
new version

Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-07-28 13:06:24 UTC
From $URL:
A flaw was found in the handling of requests by mod_cache and mod_dav. A malicious remote attacker could send a carefully crafted request and cause a httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the uncommon "CacheIgnoreURLSessionIdentifiers" directive, introduced in version 2.2.14, is used. 

The CVE-2010-2068 issue only affects Windows.

Rating C3 as the configuration needed for exploitation is quite specific.
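
The preconditions listed in Comment 1 can be checked against a host's own configuration. The following is an added example, not part of the bug report or of any Gentoo or Apache tooling; `triage`, `active_directives` and `SAMPLE_CONFIG` are hypothetical names, the MPM name is supplied by the caller, and the configuration is read as flat text.

```python
import re

FIXED = (2, 2, 16)        # first fixed release, from the bug title
CACHE_SINCE = (2, 2, 14)  # CacheIgnoreURLSessionIdentifiers added here (Comment 1)

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONFIG = """\
LoadModule dav_module modules/mod_dav.so
<Location /share>
    Dav On
    AuthType Basic
</Location>
#CacheIgnoreURLSessionIdentifiers jsessionid
"""

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Apache/2.2.15 (Unix)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(part) for part in m.groups())

def active_directives(config_text):
    """Yield (lowercased name, arguments) per directive line.
    Assumption: comments and <Section> tags are skipped; Include and
    <IfDefine> are not evaluated, so every remaining line counts as active."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            yield parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""

def triage(version_text, mpm, config_text):
    """Report which CVE-2010-1452 preconditions from Comment 1 hold."""
    version = parse_version(version_text)
    in_range = (2, 2, 0) <= version < FIXED
    cache = dav = False
    for name, args in active_directives(config_text):
        if name == "cacheignoreurlsessionidentifiers":
            cache = in_range and version >= CACHE_SINCE
        elif name == "dav" and args and args.lower() != "off":
            dav = in_range
    if not (cache or dav):
        impact = "none"
    elif mpm.lower() == "worker":
        impact = "denial of service"   # only the worker MPM, per Comment 1
    else:
        impact = "child crash only"
    return {"in_range": in_range, "mod_cache": cache, "mod_dav": dav, "impact": impact}
```

On Gentoo, modules are often enabled through `<IfDefine>` blocks, so a result of "none" from this flat scan should be confirmed against the options the server is actually started with.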
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-10 12:53:38 UTC
CVE-2010-1452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1452):
  The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server
  2.2.x before 2.2.16 allow remote attackers to cause a denial of
  service (process crash) via a request that lacks a path.

Comment 3 Milos Ivanovic 2010-08-11 13:46:16 UTC
Looks like it's time for a bump to stable.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-25 11:15:40 UTC
apache herd: please provide an updated ebuild.
Comment 5 Jarry 2010-08-27 17:55:55 UTC
My Apache keeps crashing, targeted by some sort of DoS attack. I suspect it might be because of this vulnerability. Could we please get the new Apache version into Portage? At least masked.

It has been more than a month since a new version was released by the Apache Software Foundation, and since this bug was published. Exploits are probably starting to run in the wild! I definitely do not consider this as "minor severity"...
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2010-08-28 15:04:09 UTC
2.2.16 in cvs
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-30 11:08:26 UTC
Arches, please test and mark stable:
=www-servers/apache-2.2.16
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2010-08-30 11:37:10 UTC
amd64 done
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-30 15:39:37 UTC
@Hollow: It's ok to call arches yourself so that there is no delay with stabilization.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-30 19:30:48 UTC
Stable for PPC.
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-31 05:05:34 UTC
x86 stable
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 21:48:19 UTC
CVE-2010-2791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2791):
  mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix,
  does not close the backend connection if a timeout occurs when
  reading a response from a persistent connection, which allows remote
  attackers to obtain a potentially sensitive response intended for a
  different client in opportunistic circumstances via a normal HTTP
  request.  NOTE: this is the same issue as CVE-2010-2068, but for a
  different OS and set of affected versions.

Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2010-09-04 16:22:59 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-04 21:32:31 UTC
*** Bug 336030 has been marked as a duplicate of this bug. ***
Comment 15 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:32:45 UTC
ppc64 done
Comment 16 Guy Martin (RETIRED) gentoo-dev 2010-09-19 17:41:38 UTC
stable on hppa
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2010-10-02 15:35:49 UTC
GLSA Vote: Yes, unauthenticated DoS in (what I think is) a common module.
Comment 18 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-03 00:04:37 UTC
GLSA together with #308049.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:28:45 UTC
This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).