Bug 268154 (CVE-2009-1191)

Summary:

<www-servers/apache-2.2.11-r1 mod_proxy_ajp Information Disclosure (CVE-2009-1191)

Product:

Gentoo Security

Reporter:

Alex Legler (RETIRED) <a3li>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

minor

CC:

apache-bugs

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff

Whiteboard:

B4 [glsa]

Package list:

Runtime testing required:

---

Bug Depends on:

276589

Bug Blocks:

Attachments:

Description	Flags
Temporary patch from upstream	none

Description Alex Legler (RETIRED) archtester

2009-05-01 19:27:04 UTC

CVE-2009-1191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1191):
  mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server
  2.2.11 allows remote attackers to obtain sensitive response data,
  intended for a client that sent an earlier POST request with no
  request body, via an HTTP request.

Comment 1 Alex Legler (RETIRED) archtester

2009-05-01 19:29:16 UTC

Created attachment 190062 [details, diff]
Temporary patch from upstream

Upstream released a preliminary patch for this issue.

Comment 2 Benedikt Böhm (RETIRED) gentoo-dev

2009-07-05 16:13:23 UTC

patch added to 2.2.11-r1, stabilization should probably be done in a new bug, since multiple issues have been fixed with 2.2.11-r1

Comment 3 Stefan Behte (RETIRED) gentoo-dev

2009-07-05 16:34:02 UTC

Thanks, stabilization handled in 276589.

Comment 4 Alex Legler (RETIRED) archtester

2009-07-12 15:23:36 UTC

GLSA 200907-04, thanks everyone.