| Summary: | www-servers/apache-2.2.15 multiple vulnerabilities (CVE-2010-{0408,0434}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | apache-bugs, hanno |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ajp.c?r1=917876&r2=917875&pathrev=917876 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2010-03-06 15:38:49 UTC
CVE-2010-0434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434): The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.

2.2.15 in cvs

To really fix the ssl renegotiation issue, 2.2.15 should depend on openssl 0.9.8m and we should stabilize it together.

(In reply to comment #3)
> To really fix the ssl renegotiation issue, 2.2.15 should depend on openssl
> 0.9.8m and we should stabilize it together.

I've updated the dependencies in 2.2.15

Archs, please stabilize.

x86 stable

amd64/arm stable

ppc done

ppc64 done

alpha/arm/ia64/s390/sh/sparc stable

hppa stable

Guy, please don't close security bugs.

GLSA vote: YES.

Yes, too, glsa request filed.

This issue was resolved and addressed in GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml by GLSA coordinator Tobias Heinlein (keytoaster).